Privacy Policy

Mapraow Labs Pte. Ltd.

This privacy policy explains how Mapraow Labs Pte. Ltd. ("Cardie," "we," "us," or "our") collects, uses, stores, and protects your personal data when you use the Cardie mobile application ("the App"). This policy is written in English as the authoritative version. Translations are provided for convenience; in case of any conflict, this English version governs.

If you are located in China or Thailand, additional terms apply to you. Please see our regional addenda at the end of this policy.

1. Who We Are

Mapraow Labs Pte. Ltd. is a company incorporated in Singapore. We operate the Cardie mobile application, which allows golfers to scan physical scorecards, track rounds, maintain a handicap, and participate in competitions.

Contact: privacy@cardie.golf

2. What Data We Collect

2.1 Account Information

When you sign in using Apple Sign In or Google Sign In, we receive your name and email address from the identity provider. We do not collect or store passwords — authentication is handled entirely by Apple or Google.

2.2 Scorecard Photos

When you scan a scorecard, the photo is uploaded to our servers for processing. The image is used to extract scores and is retained as evidence supporting your round history and handicap calculation.

2.3 Golf Data

Hole-by-hole scores, putts, fairway hits, round summaries, handicap index, and competition results. This data is generated from scorecard scans and any manual edits you make.

2.4 Location Data (Optional)

If you grant permission, we collect your device location when you scan a scorecard. This is used to identify the golf course and retrieve weather conditions for your round summary. Location data is not collected in the background — only at the moment of a scan and only if you have enabled this feature. You can use Cardie fully without sharing your location; you will simply be asked to select your course manually instead.

2.5 Device Information

We collect basic device information including device model, operating system version, app version, and language setting. This is used for app functionality, debugging, and ensuring compatibility.

2.6 Usage Analytics (Optional)

If you consent, we collect anonymized usage data through PostHog (our analytics provider) to understand how the App is used and to improve the experience. This includes which screens you visit, which features you use, and general interaction patterns. No analytics data is collected unless you opt in.

2.7 Subscription Information

If you subscribe to Cardie Premium, your subscription status is managed through RevenueCat, which communicates with Apple App Store or Google Play. We receive your subscription status (active, expired, trial) but we do not receive or store your payment card details, bank information, or billing address. All payment processing is handled by Apple or Google.

3. Why We Collect Your Data

We process your personal data on the following legal bases:

Performance of contract — Account information, scorecard photos, and golf data are necessary to provide the core service: scanning scorecards, maintaining your round history, and calculating your handicap.

Consent — Location data and usage analytics are only collected with your explicit, opt-in consent. You can withdraw consent at any time in the App's privacy settings without affecting your ability to use the core service.

Legitimate interest — Device information is collected to maintain app functionality, fix bugs, and ensure security. We have assessed that this interest does not override your rights, given the limited and non-sensitive nature of this data.

4. How We Use Your Data

We use your data for the following purposes:

Extracting scores from scorecard photos using automated image recognition
Building and maintaining your round history, statistics, and handicap index
Generating shareable round summaries
Operating competitions and tournaments
Identifying your golf course and retrieving weather data (if location is enabled)
Managing your subscription
Improving the App based on aggregate usage patterns (if analytics is enabled)
Communicating service updates and important account notifications
Maintaining the security and integrity of the service

We do not use your data for advertising, profiling for marketing purposes, or selling to third parties.

5. Who We Share Your Data With

We share your data only with the service providers necessary to operate the App:

Supabase Pte. Ltd. (Singapore) — Backend infrastructure, database, user authentication, and file storage. Supabase hosts your account data, golf data, and scorecard photos.

Amazon Web Services (AWS) (Singapore region) — Storage of scorecard images used for improving our scorecard recognition accuracy. Images stored here are used for training and quality assurance of our recognition system.

PostHog (self-hosted, Singapore) — Usage analytics, only if you have opted in. PostHog processes anonymized usage data to help us understand how the App is used.

RevenueCat, Inc. (United States) — Subscription management. RevenueCat receives your anonymous user identifier and subscription status from Apple or Google to manage your premium subscription.

LLM Vision Providers (currently Anthropic, Google, and OpenAI; United States) — Scorecard image processing. When you scan a scorecard, the image is sent to a large language model provider via API for text and score extraction. The image is processed and not retained by the provider beyond the processing request. We use each provider's API, which is contractually prohibited from using your data for model training. We may change providers; this policy will be updated to reflect current providers.

Apple Inc. / Google LLC — Authentication (Sign In) and payment processing (In-App Purchases). These providers handle your sign-in credentials and payment information directly. We do not receive your payment details.

We do not sell your personal data. We do not share your data with advertisers. We will disclose data to law enforcement only when required by a valid legal order.

6. Where Your Data Is Stored

Your data is stored and processed in Singapore. Our backend infrastructure (Supabase), production file storage (Supabase Storage), training data storage (AWS S3), and analytics (PostHog) are all hosted in Singapore.

RevenueCat processes subscription data in the United States. This transfer is covered by contractual safeguards.

If you are located in the European Economic Area (EEA) or the United Kingdom, the transfer of your data to Singapore is protected by Standard Contractual Clauses (SCCs) as approved by the European Commission. You may request a copy of the relevant safeguards by contacting us at privacy@cardie.golf.

If you are located in China or Thailand, please refer to the relevant regional addendum for specific information about cross-border data transfer safeguards.

7. How Long We Keep Your Data

We retain your data for as long as your account is active. Your accumulated round history, statistics, and handicap are the core value of the service, and we keep this data so you can access and build on it over time.

If you delete your account: We will delete your personal data and scorecard images within 30 days of your deletion request. During this period, your account is deactivated and your data is not accessible to other users.

Anonymized data: After account deletion, we may retain anonymized, aggregated data (such as course scoring averages) that cannot be linked back to you. This data is used to improve the service for all users.

Backup retention: Backup copies of your data may persist in our backup systems for up to 90 days after deletion, after which they are automatically purged.

8. Your Rights

Depending on where you are located, you have some or all of the following rights regarding your personal data:

Access — You can request a copy of the personal data we hold about you.

Correction — You can request that we correct inaccurate data.

Deletion — You can request that we delete your personal data. You can do this directly in the App under account settings, or by contacting us.

Data portability — You can request a copy of your data in a structured, commonly used format. Use the "Request my data" feature in the App.

Withdraw consent — You can withdraw consent for optional data collection (location, analytics) at any time in the App's privacy settings.

Object — You can object to processing based on legitimate interest.

Complaint — You have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, use the relevant feature in the App or contact us at privacy@cardie.golf. We will respond within 30 days.

9. Children and Minors

Cardie is intended for users aged 16 and older. By signing in with Apple or Google, you confirm that you are at least 16 years of age.

We do not knowingly collect personal data from anyone under 16. If we become aware that a user is under 16, we will delete their account and all associated data promptly.

10. Analytics and Tracking

We use PostHog for usage analytics. PostHog is self-hosted on our own infrastructure in Singapore — your analytics data does not leave our control.

Analytics are entirely optional. You choose whether to enable analytics during onboarding, and you can change this at any time in the App's privacy settings. If you do not opt in, no analytics data is collected or transmitted.

When enabled, PostHog collects information about how you interact with the App, such as screens visited and features used. This data is used in aggregate to improve the App. We do not use analytics to build individual behavioral profiles or to target you with advertising.

The App does not use cookies. As a native mobile application, Cardie does not place cookies on your device.

11. Data Security

We take reasonable technical and organizational measures to protect your personal data, including:

Encryption of data in transit (TLS/SSL) and at rest
Authentication through established providers (Apple, Google) rather than storing passwords
Row-level security on our database, ensuring users can only access their own data
Access controls limiting which team members and systems can access personal data
Regular security reviews of our infrastructure and third-party providers

No system is completely secure. If we become aware of a data breach that is likely to result in a risk to your rights, we will notify affected users and relevant authorities within 72 hours, in accordance with applicable law.

12. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you through the App or by email before the changes take effect.

The "Last Updated" date at the top of this policy indicates when the most recent changes were made. Your continued use of the App after changes take effect constitutes acceptance of the updated policy.

13. Regional Addenda

If you are located in the following jurisdictions, additional terms apply:

Thailand — Personal Data Protection Act (PDPA) Addendum

1. Data Controller

For the purposes of the Personal Data Protection Act B.E. 2562 (2019), the data controller is:

Mapraow Labs Pte. Ltd.
Singapore
Contact: privacy@cardie.golf

2. Cross-Border Data Transfer

Your personal data is transferred to and stored in Singapore, where our servers are located.

Under the PDPA, cross-border transfers of personal data require adequate safeguards. We protect your data through the following measures:

Standard contractual clauses between Cardie and our data processors (Supabase, AWS) requiring them to maintain data protection standards comparable to the PDPA
Encryption of your data in transit and at rest
Access controls and row-level security ensuring only authorized systems and personnel can access your data
Singapore's own Personal Data Protection Act (PDPA 2012), which provides a comparable level of data protection

By consenting to our Privacy Policy during onboarding, you acknowledge and consent to the transfer of your personal data to Singapore for the purposes described in this policy.

3. Your Rights Under the PDPA

In addition to the rights described in our main Privacy Policy, you have the following rights under Thailand's PDPA:

Right to access — You may request a copy of the personal data we hold about you, or request that we disclose how we obtained your data.

Right to data portability — You may request that we transfer your personal data to another data controller in a commonly used, machine-readable format, where technically feasible.

Right to object — You may object to the collection, use, or disclosure of your personal data at any time, subject to applicable exceptions.

Right to erasure — You may request that we delete, destroy, or anonymize your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.

Right to restrict processing — You may request that we temporarily suspend the use of your personal data in certain circumstances, such as while we verify its accuracy.

Right to rectification — You may request that we correct any inaccurate or incomplete personal data.

Right to withdraw consent — Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. You can withdraw consent for optional data collection (location, analytics) in the App's privacy settings.

Right to lodge a complaint — You have the right to lodge a complaint with the Personal Data Protection Committee (PDPC) if you believe your personal data has been processed in violation of the PDPA.

To exercise any of these rights, use the relevant feature in the App or contact us at privacy@cardie.golf. We will respond within 30 days.

4. Lawful Basis for Processing

Consent — For optional data processing including location data and usage analytics. We obtain your consent during onboarding and you may withdraw it at any time.

Contractual necessity — For data processing required to provide the Cardie service, including account management, scorecard processing, round history, and handicap calculation.

Legitimate interest — For device information collection necessary for app functionality and security, where such interest does not override your fundamental rights.

5. Sensitive Data

Under the PDPA, certain categories of data are classified as sensitive. Of the data Cardie collects, location data may be considered sensitive personal data. We collect location data only with your explicit, separate consent and only when you actively scan a scorecard. You may use Cardie without enabling location data.

6. Data Breach Notification

In the event of a personal data breach that is likely to cause serious harm to you, we will notify the PDPC and affected individuals without delay and no later than 72 hours after becoming aware of the breach, as required by the PDPA.

Contact

Email: privacy@cardie.golf
Entity: Mapraow Labs Pte. Ltd., Singapore

This addendum is provided in English and Thai. In case of conflict, the English version governs.

China — Personal Information Protection Law (PIPL) Addendum

1. Cross-Border Data Transfer

Your personal information is transferred to and stored in Singapore, where our servers are located. This transfer is necessary to provide you with the Cardie service.

Before your data is transferred outside of China, we inform you of the following as required by the Personal Information Protection Law:

Name of overseas recipient: Mapraow Labs Pte. Ltd.
Contact: privacy@cardie.golf
Location: Singapore

Categories of personal information transferred: Account information (name, email), scorecard photos, golf scores and statistics, location data (if enabled), device information, and usage analytics (if enabled).

Purpose of transfer: To provide the Cardie service — storing your account and round data, processing scorecard images, calculating your handicap, operating competitions, and managing your subscription.

Method of transfer: Encrypted transmission over secure internet protocols (TLS/SSL).

How to exercise your rights with the overseas recipient: Contact privacy@cardie.golf to exercise any right described in this policy, including access, correction, deletion, and data portability. We will respond within 30 days.

Safeguards: We have implemented standard contractual clauses and technical measures (encryption in transit and at rest, access controls, row-level security) to protect your personal information during and after transfer.

Your separate consent for this cross-border transfer is obtained during the App's onboarding process. You may withdraw this consent at any time by deleting your account, as the cross-border transfer is necessary for the service to function.

2. Your Rights Under PIPL

Right to be informed — You have the right to know how your personal information is collected, used, stored, and shared. This policy and addendum serve as that notice.

Right to restrict or refuse processing — You may restrict or refuse the processing of your personal information, except where processing is required by law or necessary to perform a contract with you.

Right to request explanation — You may request an explanation of the rules we apply to the processing of your personal information.

Right to request deletion — You may request deletion of your personal information. We will process deletion requests within 30 days. You can initiate deletion directly in the App under account settings.

Right to portability — You may request a copy of your personal information in a structured, commonly used format.

Right of deceased persons — The close relatives of a deceased user may exercise the above rights with respect to the deceased user's personal information, unless the deceased user made other arrangements during their lifetime.

To exercise any of these rights, contact us at privacy@cardie.golf.

3. Sensitive Personal Information

Location data is classified as sensitive personal information. We collect location data only with your separate, explicit consent and only for the specific purpose of identifying your golf course and retrieving weather conditions. You may decline location data collection and the App will function normally — you will select your course manually.

Scorecard photos contain handwriting. While handwriting is not biometric data (we do not use it to identify you), we treat scorecard images with care and process them only for the stated purposes of score extraction and handicap verification.

4. Automated Decision-Making

Cardie uses automated processing to extract scores from scorecard photos and to calculate your handicap index. These automated processes do not make decisions that have significant effects on your rights or interests. You always have the opportunity to review and correct extracted scores before they are saved.

5. Local Representative

If required by applicable regulation based on the volume of Chinese users, we will designate a local representative in China and update this addendum with their contact information.

Contact

Email: privacy@cardie.golf
Entity: Mapraow Labs Pte. Ltd., Singapore

This addendum is provided in English and Chinese. In case of conflict, the English version governs.

14. Contact Us

If you have questions about this privacy policy or how we handle your data:

Email: privacy@cardie.golf

Entity: Mapraow Labs Pte. Ltd., Singapore

This document is the authoritative English version. Translations into other languages are provided for convenience only.