Limlock — Privacy Policy
who we are
Limlock is a coordination protocol for multi-principal group event planning, with golf as its reference vertical. The service is operated by Limlock ("we," "us," or "our") as an unincorporated project, based in the Province of Ontario, Canada.
This Privacy Policy explains what information we collect when you use Limlock at limlock.com and via our APIs, how we use it, who we share it with, and what rights you have over it. It applies to anyone interacting with Limlock — whether you arrive directly, through a shared link, or via an AI agent calling Limlock on your behalf.
For the architectural commitments behind these privacy practices — including non-aggregation, no flow of funds, end-user consent, and course-routed booking — see our governance page.
Geographic availability: Limlock is available to residents of Canada. The reference course inventory in v0.1 is concentrated in Ontario; coverage of other provinces will expand in future versions.
what we collect
We collect only what's necessary to coordinate group events. The categories are:
Account information (only if you sign up for an account)
Email address, hashed password, account creation date.
Coordination data (when you create or join an intent)
- Display name ("player name") — typically a first name or nickname; we do not request or require legal names. Each participant enters their own display name when they join an intent; you do not submit names on behalf of others.
- Availability windows — dates and time ranges when you're available.
- Preferences — maximum price, cart preference, holes preference, course distance radius.
- Vote choices on resolved booking options.
- Click-throughs to external booking systems.
Approximate location (only when you grant browser geolocation permission)
Approximate latitude and longitude, used to calculate distance to nearby courses. Discarded after the request that uses it; not stored long-term unless you save a course.
Technical data
- IP address (which is personally identifying information under PIPEDA) — used for rate limiting and abuse prevention.
- Browser user-agent, operating system.
- Page navigation events, request timestamps.
- Hashed device tokens used to identify a participant across requests within the same intent.
- Hashed session tokens for authenticated sessions.
Public coordination receipts (important — please read)
Limlock generates a receipt for every significant action in an intent's lifecycle: intent creation, constraint submission, resolution, votes, and booking handoff. The receipts are designed for cryptographic signing using Ed25519, and the schema accommodates a signature field on every receipt. In v0.1, receipts are issued with empty signature fields while we provision and harden the signing infrastructure; verifiers should treat unsigned receipts as untrusted until the signing rollout completes. The current status of signing infrastructure is documented at /spec/receipts.
Whether signed or unsigned, receipts are publicly queryable at /receipts/:intentId so third parties can verify Limlock's coordination history without trusting the API.
Each receipt contains:
- An intent identifier
- A display name (the one you entered when joining the intent)
- Action metadata (timestamp, vote choices, booking-handoff details, etc.)
- A signature field (empty in v0.1; populated once signing infrastructure ships)
What this means in practice: the display name you enter when joining a coordination becomes part of a permanent, public record. Once issued, a receipt cannot be modified, and we do not delete or rewrite receipts.
The data in a receipt is the same data you've already shared with the other participants in your group — the receipt format makes it verifiable to outside parties, but it doesn't expose information you didn't already make available within the coordination.
Identifiability through context: display names combined with intent context (course, date, other participants in the same coordination) may identify a specific individual to someone who knows that group socially. If that's a concern, use a generic display name when joining an intent.
If you do not want a display name to appear in a public receipt, do not submit it as a constraint. We are working on architectural approaches that would let users redact display names from future receipts; v0.1 does not yet support this.
For the receipt schema and reasoning behind the public-queryability design, see /spec/receipts.
Notification subscriptions (only when you opt in)
Contact details (email address or phone number) you supply to receive notifications about a specific intent.
what we explicitly do not collect
- Payment card details, bank information, or other financial credentials. Per architectural commitment, Limlock is never in the flow of funds.
- Legal names (display names are sufficient for coordination).
- Government-issued identifiers (SIN, driver's license, passport).
- Health information.
- Information about children. Limlock is intended for adults coordinating recreational golf; we do not knowingly collect information from anyone under 18.
- Sensitive personal information beyond what's required for the coordination service.
how we use what we collect
- Provide the service — match group availability, rank tee-time options, count votes, hand off the winner to the course's booking surface.
- Send notifications you opted into — you'll only receive messages tied to subscriptions you explicitly created.
- Improve the service — aggregated, anonymized analytics about how the coordination loop performs (success rates, drop-off points). Player names are scrubbed from analytics records that include emails or other identifying patterns.
- Prevent abuse — rate limiting, fraud detection, terms-of-service enforcement.
- Comply with legal obligations — respond to lawful requests from authorities.
how booking decisions are made (automated processing)
When all participants in an intent have submitted constraints, Limlock's resolver processes them automatically to produce 3-5 ranked booking options. The ranking is generated algorithmically based on:
- Date and time overlap across the group's availability
- Course distance from the group's home location
- Price relative to the group's stated maximum
- Cart and holes preferences
- Current weather where available
- Historical course condition data where available
The output is a ranked list — you and your group make the final choice via voting. Limlock does not autonomously book on your behalf.
If you would like a human to review a specific resolver outcome (for example, you believe a course was unfairly excluded), email dylan@limlock.com and we will respond within 30 days.
agent-invoked use
Limlock exposes machine-readable interfaces (an A2A agent card, a Claude Skill, eventually an MCP server) that allow AI agents to invoke the coordination protocol on a user's behalf. When an agent calls Limlock for you:
- You are the user. The human principal directing the agent is bound by this Privacy Policy and our Terms of Service.
- The agent is a tool acting on your instructions. Limlock does not separately accept consent from the agent; consent flows from you.
- Personal information you provide via an agent is treated identically to personal information you provide via the website. All collection, use, retention, and rights provisions apply.
If you suspect an agent has invoked Limlock on your behalf without your authorization, contact dylan@limlock.com.
who we share information with
We share data only with service providers that help us operate Limlock. We do not sell, rent, or trade personal information to advertisers, marketing companies, or data brokers.
Service providers (data processors):
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | US / Canada (per project) |
| Cloudflare | CDN, DNS, email routing | Global edge |
| Railway | API hosting | US |
| Resend | Transactional email (when wired) | US |
| Sentry | Error monitoring (with PII scrubbing) | US / EU |
Each processor is contractually bound to handle your data only on Limlock's instructions and to provide reasonable safeguards.
Map basemap tiles:
When a page displays a map (notably the radar view on the home page), your browser requests basemap tile images from CARTO's public basemap CDN at basemaps.cartocdn.com. CARTO receives your IP address and the tile coordinates of the area you are viewing as part of standard HTTP fetch metadata. Limlock does not send any additional data to CARTO; the tile request is a direct browser-to-CDN fetch. CARTO's privacy policy: carto.com/privacy.
Booking surfaces:
When you tap a "book a tee time" link, you are redirected to the course's own booking system (Chronogolf, Tee-On, foreUP, course websites, etc.). Limlock does not share your data with these systems — you interact with them directly under their own privacy policies and terms.
Public coordination receipts:
Receipts include intent identifiers and display names. They are publicly queryable so third parties can verify Limlock's completion history. See the prominent disclosure under "what we collect" above.
international transfers
Some of our service providers process and store data outside Canada — primarily in the United States. We use standard contractual clauses and equivalent safeguards (per OPC guidance for cross-border transfers) to protect your data while it is in transit and at rest with these processors. We document each cross-border transfer in an internal Privacy Impact Assessment available for review on request.
data retention
| Data | Retention |
|---|---|
| Account information | Until you delete your account |
| Coordination intent data | Indefinite (receipts depend on it) |
| Coordination receipts | Indefinite (part of the verifiable history) |
| Server logs (including IP addresses) | 90 days |
| Analytics events | 12 months |
| Notification subscriptions | Until you unsubscribe or the intent expires |
Receipts and the underlying coordination data are retained indefinitely because the receipt chain is the verifiable record of what Limlock did. Deleting individual intents would corrupt the chain. If you want your data removed, you can request account deletion (see "your rights" below). On deletion:
- Account-level identifying details (email, hashed password, IP logs older than 90 days) are scrubbed from active databases.
- We decline to issue further receipts naming you in any new intents.
- Coordination receipts already issued and naming you remain in their published form, per the receipts disclosure under "what we collect" above.
Self-serve deletion via an in-product button is a planned v0.2 feature; v0.1 deletion is handled via email request.
CASL compliance
Limlock complies with Canada's Anti-Spam Legislation (CASL). When you opt in to receive notifications about an intent:
- Your opt-in is express consent for the specific intent and channel (email or SMS) you selected.
- We identify Limlock as the sender in every notification.
- We include an unsubscribe mechanism in every commercial electronic message.
- We honor unsubscribe requests within 10 calendar days, per CASL's statutory deadline.
- We do not transfer notification subscriptions to other parties.
To unsubscribe from any specific notification, use the unsubscribe link included in the message. To unsubscribe from all Limlock notifications, contact dylan@limlock.com.
your rights
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Withdraw consent to our processing (subject to legal or contractual restrictions).
- Delete your account and associated personal information (subject to retention limits described above for receipts).
- Object to specific uses of your information.
- Lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
To request a copy of your personal data ("data portability"), email dylan@limlock.com. We will provide your data in a structured, commonly used technological format (JSON) within 30 days of receiving your request.
To exercise any other right, email the same address. We respond within 30 days.
data breaches
If a security breach involving personal information occurs and creates a "real risk of significant harm" (as defined under PIPEDA), we will:
- Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible.
- Notify affected individuals as soon as feasible, with information about the breach and steps you can take to reduce risk.
- Notify any organizations or government institutions that may help mitigate harm.
We maintain records of all breaches involving personal information for at least 24 months, regardless of whether they meet the "real risk of significant harm" threshold. These records are available for review by the OPC on request.
cookies and similar technologies
We use only the minimum technical storage necessary to operate the service:
- Session cookies for authenticated sessions (HttpOnly, Secure).
- localStorage to remember your display name across visits and to persist intent state during a session.
We do not use third-party advertising cookies, tracking pixels, or cross-site tracking technology.
security
We use reasonable technical and organizational safeguards to protect your data:
- TLS/HTTPS for all transport.
- Hashed and salted passwords.
- Hashed device tokens for share-link authentication.
- Ed25519 cryptographic signing infrastructure for coordination receipts (the schema and verification path are in place; signing rolls out post-v0.1 — see the receipts disclosure under "what we collect" for the current state).
- Service-role-only access to sensitive database operations.
- Regular security review.
No security control is absolute. If you believe your account has been compromised or you have identified a security issue, contact us at dylan@limlock.com.
children's privacy
Limlock is intended for adults (18+) coordinating recreational golf rounds. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email (to account holders) or prominent notice on limlock.com. The "Last updated" date at the top reflects the most recent revision. Continued use of Limlock after changes take effect indicates acceptance.
This policy will be updated to reflect any material changes in Canadian federal or provincial privacy law that affect Limlock's obligations. Canada's federal private-sector privacy framework is currently in flux — Bill C-27, which would have enacted the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA), died on the Order Paper when Parliament was prorogued in January 2025, and replacement legislation is expected from the federal government.
contact
Privacy Officer
Privacy Officer, Limlock
dylan@limlock.com
Limlock
Province of Ontario, Canada
The Privacy Officer is responsible for Limlock's compliance with PIPEDA and is your point of contact for any privacy-related question, request, or complaint.
Independent oversight
If you are not satisfied with our response to a privacy concern, you may contact the Office of the Privacy Commissioner of Canada:
30 Victoria Street
Gatineau, Quebec K1A 1H3
priv.gc.ca
1-800-282-1376