Hole In One Contest
Enter Contest
Legal

Privacy Policy.

Last updated May 20, 2026 · privacy-v1-2026-05

This Privacy Policy describes how Hole In One Contest Inc. (“HIO”, “we”, “us”) collects, uses, shares, retains, and protects information when you use our websites, mobile apps, on-course camera stations, and contest services. This policy is binding under PIPEDA, the CCPA/CPRA, the GDPR (where applicable), and the privacy laws of the U.S. states and Canadian provinces where we operate. For biometric data we also maintain a separate Biometric Privacy Policy that overrides this document for that specific data category.

1. What we collect

We collect the minimum information needed to operate the contest and pay winners.

  • Account information: your phone number, display name, date of birth (to confirm you are 16 or older), and email if you choose to provide one.
  • Biometric data: face photos and a mathematical embedding used to match your shot to your paid entry. Covered separately by our Biometric Privacy Policy.
  • Contest activity: courses you played, holes you entered, shot videos, AI shot metrics (ball speed, carry, distance-to-pin), and contest outcomes.
  • Payment information: payment card details are tokenized by Stripe; we receive a transaction reference and the last four digits only.
  • Device + network: IP address, browser/device user agent, OS version, language, time zone, and pages you visited on our site. Used for security, fraud detection, and aggregated analytics.
  • Cookies + local storage: short-lived session tokens stored in your browser's local storage. We do not use third-party advertising cookies.

2. How we use it

  • Run the contest: verify entries, match shots to players, and pay winners.
  • Deliver your shot videos and the four-clip cinematic edit to your account.
  • Send transactional SMS for OTP login, booking confirmations, ace notifications, and payout receipts. We do not send marketing SMS.
  • Detect fraud, abuse, and disputes (for example, a face that doesn't match the booked player triggers a manual review before payout).
  • Improve the product through aggregate, de-identified analytics on shot quality, course performance, and AI model accuracy.
  • Comply with legal obligations including tax reporting for prize payouts.

3. How we share it

We do not sell your personal information. We share with a small set of named processors only when needed to operate the service, all bound by contracts that limit them to acting on our instructions.

  • Stripe — payment processing and payout transfers.
  • Twilio — OTP SMS delivery for sign-in and transactional alerts.
  • AWS — cloud hosting, video storage (S3), database (Aurora), face matching (Rekognition), and CDN.
  • Insurance partner — verified ace records and payout authorization for jackpot prizes.
  • Course operators — aggregate revenue reports and a roster of paid entries for their course. Operators never see your raw face data.
  • Law enforcement / legal process — only when compelled by a valid subpoena, court order, or other lawful demand, and only the records covered by that demand.

4. How long we keep it

  • Account information: while your account is active, plus seven years after you close it to satisfy tax and dispute retention obligations.
  • Shot videos and AI metrics: indefinitely in your account unless you delete them. Anonymized aggregates are retained longer for model training.
  • Payment and payout records: seven years (tax and audit retention).
  • Biometric data: governed by the Biometric Privacy Policy; deleted within 30 days of account closure or earlier on request.
  • Device and network logs: 90 days, then aggregated and de-identified.

5. Your rights

You can ask us to:

  • Show you a copy of everything we hold about you.
  • Correct anything that's inaccurate.
  • Delete your account and personal information (subject to legal-hold exceptions).
  • Export your data in a portable format (JSON download).
  • Object to or restrict specific processing activities.
  • Withdraw consent at any time without affecting prior lawful processing.

Email privacy@hiocontest.com from the address on your account. We respond within 30 days. We never charge a fee for these requests.

6. How we protect it

  • All data in transit is encrypted with TLS 1.2 or higher.
  • All data at rest is encrypted with AES-256 server-side or KMS-managed keys.
  • Access to production data is logged, two-factor-authenticated, and limited to a short list of named engineers with active incident-response responsibilities.
  • Face embeddings are stored separately from identifying information; an attacker getting one cannot link to the other without both keys.
  • We notify affected users and the relevant regulators of any confirmed personal-data breach within 72 hours of detection.

7. Children

You must be at least 16 to use our service. We do not knowingly collect data from anyone under 16. If you believe a child has used our service, contact privacy@hiocontest.com and we will delete the account.

8. International transfers

We are headquartered in Toronto, Canada. Some of our processors (notably AWS, Stripe, and Twilio) operate globally and may transfer your data to the United States or the European Union. Where required by GDPR, those transfers are protected by Standard Contractual Clauses and supplementary measures.

9. Changes to this policy

We update this policy when our practices change. If we make a material change we will email the address on your account at least 30 days before the change takes effect and will keep prior versions accessible at /legal/privacy?v=<version>.

10. Contact

Email privacy@hiocontest.com for any privacy question or request. For a general inquiry use our About Us page.

Hole In One Contest Inc. · Toronto, Ontario, Canada

Terms of Service →Biometric Privacy →