Privacy Policy

Last updated: 2026-04-22

This Privacy Policy explains how letbook.ai ("we", "us", or "the Service") collects, uses, stores, and discloses personal information when you use our booking platform. By creating an account or using the Service, you agree to the practices described below.

1. Who we are

letbook.ai is a SaaS booking platform that enables facility operators (e.g. golf venues) to manage resources, programs, memberships, and customer bookings. Each facility ("Company") operates its own tenant on the Service; you may be a customer of one or more Companies.

Each Company is an independent data controller for the personal information of its customers. letbook.ai acts as a data processor on the Company's behalf — we process that data only as directed by the Company and in accordance with this Policy. Companies are responsible for ensuring they have a lawful basis to collect and use their customers' personal information through the Platform.

2. Information we collect

  • Account information: full name, email address, phone number, password hash.
  • Booking records: resources booked, program, start/end time, amount charged, cancellation history.
  • Payments: payment amount, currency, Stripe charge identifiers. Card numbers are handled entirely by Stripe and never reach our servers.
  • Account balance & transactions: top-ups, deductions, refunds, gift card redemptions.
  • Authentication metadata: sign-in provider (email or Google), session timestamps.
  • Technical logs: IP address, user agent, request timestamps, audit trail of key actions.
  • Optional lock access data: where a Company uses RemoteLock integration, a temporary access PIN and time window associated with your booking.

We do not collect "sensitive information" within the meaning of the Australian Privacy Act (such as health, racial, religious, sexual orientation, or biometric data).

3. How we use your information

  • Provide and operate the booking service.
  • Process payments through Stripe and apply account balances.
  • Send transactional emails (booking confirmations, cancellations, membership activations, low-balance warnings, etc.).
  • Provision and revoke physical lock access (where a Company has enabled RemoteLock).
  • Detect abuse, prevent fraud, debug issues, and audit privileged actions.
  • Comply with legal obligations.

4. Where your data is stored (overseas disclosure)

Our database and application infrastructure are hosted on Amazon Web Services (AWS) in the Tokyo (ap-northeast-1) region via Supabase. If you are located in Australia, your personal information will be transferred to and stored in Japan.

We remain accountable for the handling of your information under the Australian Privacy Principles (APPs) even after it is transferred overseas. We take reasonable steps to ensure that our overseas service providers do not breach the APPs, including by entering into a Data Processing Addendum with Supabase and by limiting subprocessor access to what is necessary to operate the Service.

By creating an account you consent to this overseas transfer and storage, and you acknowledge that, once you have given this consent, the overseas recipient is no longer required by Australian law to handle your information in accordance with the APPs.

A full list of our subprocessors (including their location and function) is available at /legal/subprocessors.

5. Sharing with third parties

We share information only with:

  • The Company whose service you are using — administrators of that Company can see your profile, bookings, balance, and memberships within their tenant.
  • Stripe — to process card payments.
  • Resend / AWS SES — to deliver transactional emails.
  • RemoteLock — where a Company has enabled lock integration, your name, booking window, and PIN are sent to provision access.
  • Sentry — error diagnostics (may include request metadata, not your booking content).
  • Law enforcement — where required by valid legal process.

We do not sell personal information.

6. Security

  • All traffic is encrypted over TLS.
  • Database access is protected by Row Level Security (RLS) policies that restrict per-tenant visibility.
  • Passwords are stored as hashes (bcrypt/scrypt) by Supabase Auth — never in plain text.
  • Administrative actions are recorded in an audit log.
  • We scope API keys and OAuth tokens to the minimum required functionality.

7. Data retention

  • Booking & transaction records: retained for at least 7 years for tax and accounting purposes.
  • Account profile: retained while your account is active. On deletion, personally identifying fields are anonymized (name replaced with "Deleted User", email and phone removed); booking history is preserved for the Company's records but no longer linked to identifying data.
  • Audit logs: 12 months.
  • Application logs: 30 days.

8. Your rights

You may:

  • Access a copy of the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your account (subject to the retention exceptions above).
  • Withdraw consent to overseas storage, which may prevent us from continuing to provide the Service.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, email us at privacy@letbook.ai. We will respond within 30 days.

9. Data breach notification

If a data breach is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), typically within 72 hours of the breach being confirmed.

10. Children

Users under 18 must have a parent or guardian create and manage their account. We do not knowingly collect personal information directly from children. If a child under 13 has provided personal information without parental consent, please contact us at privacy@letbook.ai and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced on this page, and where appropriate, by email. Continued use of the Service after changes are published constitutes acceptance of the revised policy.

12. Contact

Questions about this Privacy Policy or your personal information can be directed to privacy@letbook.ai.