Privacy Policy
WedgeWoodAI Golf Club Management System
Last updated: 20 June 2026
1. Overview
WedgeWoodAI Limited (“we”, “us”, “our”) operates the GCMS National Platform (“the Platform”). We are committed to protecting the privacy of all individuals whose personal information we collect, use, and store. This policy outlines how we handle your personal information in compliance with the New Zealand Privacy Act 2020 and its Information Privacy Principles (IPPs).
2. Information We Collect
We collect the following categories of personal information:
Account Information
Name, email address, password (stored encrypted), phone number, profile image.
Membership Data
Membership ID, membership tier, membership dates, NZ Golf Club ID, date of birth, gender, address, city, region, postcode.
Emergency Contact Details
Emergency contact name and phone number (provided voluntarily for safety purposes).
Booking & Activity Data
Tee time bookings, event registrations, simulator reservations, booking history, and related payment references.
Authentication Data
Login timestamps, two-factor authentication status, session tokens, and Google OAuth tokens (if using Google SSO).
Technical Data
Browser type, IP address (via session cookies), and device information collected automatically during platform use.
3. How We Use Your Information
We use personal information for the following purposes:
- •Platform Access & Authentication: To create and manage your account, verify your identity, and provide secure access via credentials or Google SSO.
- •Club Management: To facilitate golf club onboarding, member management, event scheduling, and tee time booking across the national platform.
- •Communication: To send booking confirmations, event notifications, account-related updates, and security alerts (e.g., password reset emails).
- •Security & Fraud Prevention: To protect against unauthorized access using rate limiting, two-factor authentication, and login monitoring.
- •Platform Administration: To manage user roles (Admin, Editor, Viewer), monitor platform usage, and maintain system integrity.
4. Legal Basis for Processing
Under the NZ Privacy Act 2020, we collect personal information directly from you (IPP 2) for lawful purposes connected to our platform services (IPP 1). We do not collect more information than is reasonably necessary for these purposes (IPP 1). Where we collect information from third parties (e.g., Google SSO), we do so with your knowledge and consent.
5. Data Sharing & Third Parties
We share personal information only in the following circumstances:
- •CaddieChat Platform: Club, event, and tee time data is shared with the CaddieChat system to enable cross-platform booking and management functionality.
- •Google (if using SSO): Authentication tokens are exchanged with Google as part of the OAuth sign-in flow. We receive your name, email, and profile image.
- •Cloudflare: If enabled, Cloudflare Turnstile processes browser data for bot protection. No personal data is stored by Cloudflare for this purpose.
- •Legal Requirements: We may disclose information if required by law, court order, or to comply with legal obligations under New Zealand law.
We do not sell, rent, or trade your personal information to any third parties for marketing purposes.
6. Data Storage & Security
Your data is stored in secure, encrypted databases. Passwords are hashed using bcrypt with a cost factor of 12. All platform communications use HTTPS with HSTS enforcement. We implement role-based access controls (RBAC), rate limiting on authentication endpoints, and support two-factor authentication (2FA) for additional account security. For full details on our security measures, please see our Security Policy.
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide platform services. Booking records and event registrations are retained for operational and audit purposes. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., financial records).
8. Your Rights Under the NZ Privacy Act 2020
You have the following rights regarding your personal information:
- •Right of Access (IPP 6): You may request a copy of the personal information we hold about you.
- •Right of Correction (IPP 7): You may request that we correct any inaccurate or incomplete information.
- •Right to Deletion: You may request that we delete your account and associated personal data.
- •Right to Complain: If you believe your privacy has been breached, you may lodge a complaint with the Office of the Privacy Commissioner.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 20 working days as required by the Privacy Act 2020.
9. Cookies
Our platform uses cookies for authentication and session management. These are essential cookies required for the platform to function. We also use a preference cookie to remember your cookie consent choice. For detailed information about what cookies we use, please refer to the cookie consent banner displayed on your first visit. You may manage your cookie preferences at any time through your browser settings.
10. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. If we make significant changes to how we handle personal information, we will notify affected users via email or a prominent notice on the platform.