Privacy Policy
Effective Date: Last Updated: April 27, 2026
1. Introduction
("Golden West Games," "we," "our," or "us") operates Billiard CRM, a cloud-based customer relationship management tool built for billiards businesses: pool table dealers, mechanics, and refelt shops.
This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. It applies to:
- Shop owners (businesses that pay for a Billiard CRM subscription)
- End customers (the clients of those shop owners whose information is stored in the CRM)
By using Billiard CRM, you agree to this policy. If you don't agree, please don't use the service.
Questions? Email us: steve@goldenwestgames.com
2. Information We Collect
2a. Account Information
When you sign up for Billiard CRM, we collect:
- Your name and email address
- Your business name, phone number, and address
- Your password (stored as a one-way hash; we never see your plaintext password)
2b. Customer and Client Data You Enter
Billiard CRM is a tool you use to manage your own customers. When you use it, you may enter:
- Your customers' names, addresses, phone numbers, and email addresses
- Job records (pool table service, refelt work, deliveries, etc.)
- Photos of jobs and tables (stored in Google Cloud Storage)
- Payment history and invoice records
We are a data processor for this information. You, the shop owner, are the data controller. You are responsible for having a lawful basis to collect and store your customers' information.
2c. Usage Data
We automatically collect certain technical data when you use the app:
- Pages and features you interact with
- Browser type, operating system, and device type
- IP address
- Error reports and crash logs (via Sentry)
- Timestamps of actions
2d. Cookies and Similar Technologies
We use the following technologies to keep you signed in and protect against abuse:
| Technology | Purpose | Retention |
|---|---|---|
| NextAuth session cookie | Keeps you logged in | Session / 30 days |
| Upstash KV | Rate limiting to prevent abuse | Ephemeral |
| Sentry session replay (if enabled) | Helps us debug errors | 90 days |
We do not use third-party advertising cookies or tracking pixels.
2e. Payment Information
Payments are processed by Stripe. When you enter payment card information, it goes directly to Stripe's servers; we never see, store, or have access to your full card number, CVV, or expiration date. We receive only a Stripe token and limited metadata (last four digits, card brand, expiration month/year).
If you use Stripe Connect to process payments for your own customers, the same principle applies: your customers' card data goes directly to Stripe.
3. How We Use Your Information
We use the information we collect to:
- Deliver the service: run the CRM, store your data, and make it accessible to you
- Send transactional communications: account confirmations, password resets, invoices, and service notifications (via Resend for email, Twilio for SMS)
- Prevent fraud and abuse: detect suspicious activity, enforce rate limits, and protect user accounts
- Improve the product: analyze aggregate usage patterns to understand which features are used and where users run into problems
- Comply with legal obligations: respond to lawful requests from government authorities, retain records as required by law
We do NOT sell your personal information to anyone, for any purpose.
We do NOT use your data or your customers' data to train AI models.
4. Who We Share Your Information With
We share information only with the vendors needed to operate the service. We have data processing agreements in place with each vendor. We do not sell data to third parties.
| Vendor | What they receive | Their privacy policy |
|---|---|---|
| Stripe | Payment processing; subscription billing; Stripe Connect for merchant payouts | stripe.com/privacy |
| Twilio | SMS sending and receipt (opt-in confirmations, job notifications, STOP/HELP handling) | twilio.com/legal/privacy |
| Resend | Transactional email delivery (account emails, invoices) | resend.com/legal/privacy-policy |
| Supabase | PostgreSQL database hosting; data is encrypted at rest | supabase.com/privacy |
| Vercel | Application hosting and serverless function execution | vercel.com/legal/privacy-policy |
| Google Cloud Storage | Storage of job photos and uploaded files | cloud.google.com/terms/cloud-privacy-notice |
| Sentry | Error monitoring and crash reporting; may include stack traces and session data | sentry.io/privacy/ |
| Upstash | Redis-based rate limiting; ephemeral request metadata only | upstash.com/privacy |
We may also disclose information:
- To comply with law: in response to a court order, subpoena, or other lawful request
- To protect safety: if we believe disclosure is necessary to prevent harm to you or others
- In a business transfer: if Golden West Games is acquired or merges, your information may transfer to the new owner, who will be bound by this policy
5. Data Retention
We keep your data only as long as necessary. Here's how long we retain different types of data:
| Data Type | Retention Period |
|---|---|
| Account data (name, email, settings) | While your account is active + 30 days after deletion request, then permanently deleted |
| Customer and job records you entered | Same as account data (deleted with your account) |
| Payment records and invoices | 7 years from transaction date (IRS record-keeping requirement) |
| Error logs (Sentry) | 90 days |
| Application logs (server logs) | 90 days |
| Database backups | 30 days, then automatically purged |
Account deletion: You can delete your account at any time from Settings → Account. This starts a 30-day grace period during which you can cancel the deletion. After 30 days, your account and all associated data are permanently and irreversibly deleted, except for payment records retained for legal compliance.
6. Your Privacy Rights
6a. Rights for All Users
Regardless of where you live, you have the right to:
- Access: request a copy of the personal information we hold about you
- Correction: ask us to fix inaccurate or incomplete information
- Deletion: request that we delete your account and data (see Section 5 for retention exceptions)
To exercise these rights, go to Settings → Account inside the app, or email steve@goldenwestgames.com.
6b. California Residents: CCPA/CPRA Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: the categories and specific pieces of personal information we've collected about you in the past 12 months, including the sources, business purpose, and third parties with whom it was shared
- Right to Delete: request deletion of your personal information, subject to certain exceptions (legal retention requirements, active transactions, etc.)
- Right to Correct: request that we correct inaccurate personal information
- Right to Opt Out of Sale or Sharing: we do not sell or share your personal information for cross-context behavioral advertising, but you may still submit a request via our Do Not Sell or Share My Personal Information page or by emailing steve@goldenwestgames.com
- Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information (as defined under CPRA) for purposes beyond delivering the service
- Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights
How to exercise your California rights:
- Email steve@goldenwestgames.com with "California Privacy Request" in the subject line
- Visit our Do Not Sell or Share My Personal Information page
We will respond to verified requests within 45 days. We may extend this by an additional 45 days when necessary, with notice.
6c. SMS Communications (TCPA)
If you have opted in to receive SMS messages from Billiard CRM (for job notifications or account alerts):
- Reply STOP at any time to unsubscribe from all SMS messages
- Reply HELP for help or contact information
- Message and data rates may apply
- You can also opt out by updating your preferences in Settings → Notifications
Opting out of SMS will not affect your ability to use the service.
6d. Email Communications
- Transactional emails (account confirmations, password resets, invoices) are required for the service to function. You cannot opt out of these while your account is active.
- Non-essential emails (product announcements, tips) include an unsubscribe link. Click it at any time to stop receiving them.
7. CCPA Categories of Personal Information: 12-Month Disclosure
The following table discloses, for the 12-month period preceding the effective date of this policy, the categories of personal information we collected, the sources, our business purpose for collecting it, and the third parties with whom it was shared.
| CCPA Category | Examples Collected | Source | Business Purpose | Shared With |
|---|---|---|---|---|
| Identifiers | Name, email, IP address, user ID | Directly from you; automatically | Service delivery, authentication, fraud prevention | Supabase, Vercel, Sentry, Resend |
| Customer records (Cal. Civ. Code § 1798.80) | Business name, phone, address | Directly from you | Service delivery | Supabase, Vercel |
| Commercial information | Subscription plan, billing history | Directly from you; Stripe | Billing, legal compliance | Stripe |
| Internet/electronic activity | Pages visited, features used, error events | Automatically | Product improvement, debugging | Sentry, Vercel |
| Geolocation data | Approximate location via IP address | Automatically | Fraud prevention, rate limiting | Upstash, Vercel |
| Professional/employment info | Business name, role | Directly from you | Service delivery | Supabase |
| Inferences | Usage patterns | Derived internally | Product improvement | None |
Categories NOT collected: Social Security numbers, driver's license numbers, financial account numbers, precise geolocation (GPS), biometric data, health or medical information, contents of private communications, racial or ethnic origin, religious beliefs, union membership, genetic data.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
8. Children's Privacy
Billiard CRM is not directed at children under the age of 13, and we do not knowingly collect personal information from anyone under 13. If you are under 13, please do not use this service or provide any information to us.
If we learn that we have collected personal information from a child under 13, we will delete that information promptly. If you believe we may have information from or about a child under 13, please contact us at steve@goldenwestgames.com.
9. Security
We take reasonable measures to protect your information, including:
- Encryption in transit: all data transmitted between your browser and our servers uses TLS (HTTPS)
- Encryption at rest: your data stored in Supabase (PostgreSQL) and Google Cloud Storage is encrypted at rest using industry-standard AES-256 encryption managed by those providers
- Payment security: Stripe handles all card data. We operate under PCI DSS SAQ-A scope, meaning card data never touches our servers
- Access controls: role-based access control (RBAC) limits who in your organization can see what data
- Rate limiting: Upstash-backed rate limiting protects against brute-force and credential-stuffing attacks
- Error monitoring: Sentry monitors for anomalies and errors that could indicate security issues
Important limitation: No security measure is perfect or impenetrable. We cannot guarantee that our security measures will prevent every possible breach. If a breach occurs that affects your rights or freedoms, we will notify you as required by applicable law.
10. International Users
Billiard CRM is currently operated from the United States and is intended for US-based businesses. Our servers and service providers are located in the United States. If you are accessing the service from outside the United States, your information will be transferred to and processed in the United States.
We are not currently subject to GDPR because we do not actively target users in the European Economic Area. If we expand internationally, we will update this policy and obtain the appropriate legal basis for data processing under GDPR before doing so.
If you are an EU/EEA resident who has nonetheless signed up for the service, we will honor your access, correction, and deletion rights on a best-effort basis and encourage you to contact us at steve@goldenwestgames.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Send an email notice to the address on your account at least 14 days before the change takes effect
- Display a prominent notice inside the Billiard CRM app
If you continue to use Billiard CRM after the updated policy takes effect, you accept the updated terms. If you don't agree with the changes, you may delete your account before the effective date.
The "Last Updated" date at the top of this page always reflects the most recent revision.
12. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or how we handle your data, please contact us:
Golden West Games
Email: steve@goldenwestgames.com
For California residents: you may also submit requests via the Do Not Sell or Share My Personal Information page.
This document is a draft prepared for attorney review. It does not constitute legal advice and should not be relied upon as such until reviewed and approved by a licensed attorney.