Your rounds, mental game responses, and account data are personal. We treat them that way. Here is what we do to keep them safe, in plain language.
Authentication
Accounts use email and password through Supabase Auth. Passwords are never stored in plain text — they are hashed and salted before they touch our database. Sessions are managed with short-lived JWTs and refresh tokens. We support sign-in via magic link, and Apple and Google social sign-in on mobile.
Encryption
All traffic between your device and our servers is encrypted with TLS 1.2 or higher. Data at rest in the database is encrypted using Supabase's standard AES-256. Backups are encrypted with the same key class.
Database isolation
The database uses row-level security. Every query is scoped to your user ID by the database itself — not by application code — so even a bug in our backend cannot leak another golfer's rounds to your account. Tables for rounds, holes, mental responses, and user stats are all gated by user ID.
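To make the "scoped by the database itself" point concrete, here is an added illustration of the Supabase/Postgres row-level security pattern described above. It is not GolfStack's own schema or policies: the table and column names (rounds.user_id, holes.round_id) are assumptions; auth.uid() is Supabase's helper that reads the caller's user ID from the session JWT.

```sql
-- Added illustration, not GolfStack's schema. Assumed columns: rounds.id,
-- rounds.user_id, holes.round_id. auth.uid() returns the JWT subject.

-- 1. Turn RLS on, and enforce it for the table owner too, so a
--    misconfigured connection cannot silently bypass the policies.
alter table rounds enable row level security;
alter table rounds force row level security;

-- 2. Reads: a row is visible only if it belongs to the caller.
create policy "rounds_select_own" on rounds
  for select to authenticated
  using (user_id = auth.uid());

-- 3. Writes: USING filters which existing rows may be touched;
--    WITH CHECK rejects new or updated rows stamped with someone else's ID.
create policy "rounds_insert_own" on rounds
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "rounds_update_own" on rounds
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "rounds_delete_own" on rounds
  for delete to authenticated
  using (user_id = auth.uid());

-- 4. A child table with no user_id of its own (assumed here for holes)
--    is gated through its parent round, so it inherits the same boundary.
alter table holes enable row level security;
alter table holes force row level security;

create policy "holes_via_own_round" on holes
  for all to authenticated
  using (exists (select 1 from rounds r
                 where r.id = holes.round_id and r.user_id = auth.uid()))
  with check (exists (select 1 from rounds r
                      where r.id = holes.round_id and r.user_id = auth.uid()));

-- 5. Smoke test from psql: impersonate one user (constructed UUID) and
--    confirm only that user's rows come back. No policy exists for the
--    anon role, so an unauthenticated request sees zero rows.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
select count(*) from rounds;   -- only rows where user_id matches the sub
rollback;
```

Policies bind to the authenticated role; Supabase's service-role key carries BYPASSRLS, so it must never ship in the mobile app or browser client.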
AI processing
When you generate an AI coaching story or scan a scorecard, the relevant data is sent to Anthropic Claude over a secure API connection. Anthropic does not train models on customer API data by default. Scorecard images are processed and discarded — they are not retained on Anthropic's side beyond the request lifecycle. You can disable AI processing entirely from account settings.
Payments
Payments are handled by Stripe. GolfStack never sees your full card number, CVV, or bank credentials. We only see the subscription status, the last 4 digits of your card for display, and the billing email. Stripe is PCI-DSS Level 1 compliant.
Access controls
Internal access to production systems is limited to the minimum needed to operate the service. All admin actions are logged. We do not export bulk user data unless required by law.
Vulnerability disclosure
If you find a security issue, please email security@stack.golf with details. Please do not disclose publicly until we have had a reasonable chance to fix it (90 days is typical). We will acknowledge reports within 5 business days and credit you in the release notes if you would like.
Incident response
If we detect a data incident that affects your account, we will notify you by email and in-app within 72 hours of discovery, along with a description of what happened, what data was affected, and what you can do.
Open questions
Going through procurement for a corporate tournament or club deployment? Email hello@stack.golf and we will complete your security questionnaire.