Privacy Policy
How we handle your data — globally, transparently, and on your terms.
Effective: April 29, 2026 · Last updated: April 29, 2026
1. Who we are
TheLAB is operated by LAB-B, a sole proprietorship under German law:
LAB-B (Sebastian Burges)
Wettmarser Weg 14
59846 Sundern, Germany
Email: info@customgolflab.de
For privacy matters specifically, contact info@customgolflab.de with subject line "Privacy".
2. Data we collect
2.1 Account data
- Email address, first name, last name (required for sign-up)
- Optional: home club, handicap, gender (used for fitting and tee-default selection)
- Authentication data (hashed password / OTP tokens)
2.2 Swing & performance data
- Video recordings of your golf swings that you upload
- Pose-tracking data extracted from those videos (joint positions, club tracking, frame timestamps)
- Computed metrics (LAB Score, swing-phase markers, club path, tempo)
- AI-generated coaching summaries and drill recommendations
2.3 On-course data
- GPS coordinates during a round (latitude, longitude, timestamp)
- Shots recorded (club used, lie, distance, putts)
- Course identifier and weather conditions
- Heart rate (only if you opt in via Apple Watch)
2.4 Device & usage data
- App version, OS version, device model
- Crash logs (anonymized)
- Usage analytics (which screens you visit, basic interactions — used to improve the product)
- IP address (server-side, not linked to account in analytics)
3. Why we collect it
We use your data only for the following purposes:
- Service provision: running your account, processing your swings, computing metrics, syncing across devices
- AI analysis: third-party AI providers process your swing data to generate insights and coaching
- AI improvement (opt-in only): if you grant explicit consent, we may use anonymized swing videos to train our own models. You can withdraw this consent at any time.
- Communication: beta updates, occasional product updates (only if you sign up for them)
- Security & fraud prevention: detecting abuse, rate-limiting, account recovery
- Legal compliance: tax records, responding to lawful requests
4. Legal bases (EU/EEA & UK)
Under GDPR Art. 6, our lawful bases are:
- Performance of a contract (Art. 6(1)(b)): account, swing analysis, on-course features
- Consent (Art. 6(1)(a)): newsletter, AI training opt-in, optional analytics
- Legitimate interest (Art. 6(1)(f)): security, fraud prevention, basic product analytics
- Legal obligation (Art. 6(1)(c)): tax records, responding to lawful requests
5. Third-party processors
To run TheLAB we share specific data with these processors. Each is bound by data processing agreements (DPAs) with us. None of them sell your data.
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | USA / EU |
| Hetzner Online GmbH | Hosting (LP, web app, GPU compute) | Germany |
| Amazon Web Services (AWS) | GPU servers for AI swing analysis | EU (Frankfurt) |
| Google LLC (Gemini API) | AI text generation for coaching | USA |
| Anthropic PBC (Claude API) | AI text generation for coaching | USA |
| Resend Inc. | Transactional email delivery | USA |
| Third-party global course data provider | Course geometry data | USA / global |
| Apple Inc. | App distribution, push notifications | USA |
| Google LLC (Play Store) | Android app distribution | USA |
5.1 International data transfers
Some processors are based in the United States. Where applicable, we rely on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), or equivalent safeguards. Apple, Google, Anthropic, and Resend are all certified or contractually bound under these frameworks.
6. Data retention
- Account data: kept while your account is active. Deleted within 30 days after account deletion.
- Swing videos: kept until you delete them; swings you mark as favorite are kept indefinitely.
- Round data: kept for the lifetime of your account so you can review history.
- Backups: Supabase backups (daily, 7-day retention), Hetzner backups (weekly, 30-day retention).
- Analytics: anonymized after 90 days.
7. Your rights
7.1 If you are in the EU/EEA or UK (GDPR / UK GDPR)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten", Art. 17)
- Restrict processing (Art. 18)
- Receive your data in a portable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with a supervisory authority — for Germany: LDI NRW or your local data protection authority. For the UK: ICO.
To exercise these rights, email info@customgolflab.de with subject "Data Subject Request". We respond within 30 days.
7.2 If you are in California, USA (CCPA / CPRA)
You have the right to:
- Know what personal information we collect, use, disclose, and sell (we don't sell)
- Delete your personal information
- Correct inaccurate personal information
- Opt out of sale or sharing of your personal information — we do not sell or share your personal information for cross-context behavioral advertising.
- Limit use of sensitive personal information (we collect health-related data only with explicit opt-in)
- Non-discrimination — we won't deny service or charge differently if you exercise these rights
Categories of personal information collected (CCPA terms): identifiers, customer records, commercial information, internet activity, geolocation, biometric/inference data (swing analysis), professional information (golf-related). All used only for the purposes listed in section 3.
To exercise rights: email info@customgolflab.de with subject "California Privacy Request". We respond within 45 days.
7.3 Other US states
If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other states with comprehensive privacy laws, you have rights similar to the CCPA. Use the same process to exercise them.
7.4 Other regions
If your jurisdiction grants additional rights (e.g., Canada PIPEDA, Brazil LGPD, Australia Privacy Act), email us and we'll honor the applicable rights.
8. Children's privacy
TheLAB is not directed at children under 13 (USA) or 16 (EU/EEA). We do not knowingly collect personal information from children below those ages. If you believe a minor has signed up, contact us and we will delete the account.
9. Cookies & tracking
The TheLAB app uses essential storage (account session, preferences). The website uses minimal first-party analytics. We do not use third-party advertising cookies, do not participate in cross-site tracking, and do not allow third parties to set tracking cookies on our domains.
10. Security
We use industry-standard measures: TLS encryption in transit, encryption at rest for sensitive fields, role-based access controls, password hashing (bcrypt), and regular security reviews. No system is 100% secure — if a breach affects you, we will notify you and the relevant authorities within the legally required timeframe.
11. Changes to this policy
We will update this policy when our practices change. Material changes will be communicated by email and in the app. The "Last updated" date at the top reflects the current version.
12. Contact
Privacy questions, data subject requests, complaints:
Email: info@customgolflab.de
Subject lines: "Privacy" / "Data Subject Request" / "California Privacy Request"
Response time: typically within 7 days, legally up to 30/45 days