Privacy
Updated 2026-06-08. Plain English. No legalese.
What this is
BookATeeTime is a Chrome extension that books tee times for you on the BCC ForeTees site at the exact moment booking opens. You install it once with an invite code from your club admin, then arm it for a date and time. When the booking window opens, the extension logs into ForeTees, clicks your slot, and confirms back to the admin so they know it worked.
This page tells you exactly what data the extension touches, where it goes, and what we do with it.
What we collect and where it lives
| What | Where | Why |
|---|---|---|
Invite code (e.g. BCC-XX-XXXX-XXX) |
Your device (chrome.storage.local) |
Your identity. Every API call carries it. |
| Name and email | Our backend (Firebase Firestore) | Your club admin entered these when they invited you. Used to address emails and identify you in admin tools. |
| Auth token (JWT) | Your browser memory only (chrome.storage.session). Cleared when you close Chrome. |
Authenticates your API calls without re-sending the invite code. Lasts 2 hours, then auto-renews. |
| ForeTees username and password (only if you enable auto-login in Settings) | Your device only. Encrypted with AES-GCM, key derived from your invite code via PBKDF2 (600,000 rounds). | Auto-fills the ForeTees login page when your session expires mid-snipe. Never sent to our backend — stored only on your device and used locally. Auto-deleted after 30 days, after which you re-enter it. |
| Saved playing partners (names, handicaps, member IDs) | Your device + synced via chrome.storage.sync across your Chrome browsers |
So you can quick-fill the same group every time. |
| Sniper target (date, time, players you armed) | Your device | What you're armed for. |
| Preferences (release rules, polling intervals, notification settings) | Synced via chrome.storage.sync |
So your settings follow you across devices. |
| Activity events (sniper armed, slot found, booking confirmed, failures, timing measurements, errors) | Last 1000 events on your device (ring buffer, oldest evicted) AND sent to our backend | So your admin can see whether your booking worked and so we can debug failures. Attributed to your invite code. Not anonymized. |
| Server time offset | Your device | A small millisecond delta used to fire at the exact moment booking opens. |
Where data goes on the network
The extension talks to three places. That's the whole list.
- teetimesniper.bmrkllc.com (also reachable as bookateetime-bcc.web.app) — our backend on Firebase. Handles activation, group assignments, audit events. Always HTTPS.
- *.bethesdacountryclub.org (including ftapp.bethesdacountryclub.org, the ForeTees-powered booking system). The extension reads the page (slot buttons, login form) and clicks on your behalf, only when you have a tab open there and the sniper is engaged.
- fonts.googleapis.com — Google Fonts CSS for the extension's own UI. Cosmetic only. No scripts, no tracking.
No third-party analytics. No ad networks. No data brokers. No social media SDKs.
About the activity events — operational analytics, not marketing
The extension does collect operational telemetry — every time you arm, every slot click, every booking outcome, errors, timing measurements. These events go to our backend tied to your invite code. Calling that "anonymized" would be wrong, so we don't.
We use these events for:
- The admin dashboard. When the club admin dispatches an assignment to you, they need to see whether it worked. Events feed a Live Events page that shows sniper status, booking confirmations, and failures.
- Debugging. When something breaks, we read the logs to figure out why. Failed POSTs are queued locally and retried automatically; if delivery permanently fails after about eight attempts, we drop the event and surface that to admin.
We do NOT use these events for advertising, marketing, behavioral profiling, or selling to anyone. There is no opt-out — if the operational telemetry is uncomfortable for you, the right move is to not install the extension.
What we don't do
- No payment or financial data.
- No browsing history outside ForeTees and our own backend.
- No marketing emails (other than your initial invite and an optional re-issued invite if your token is reset).
- No third-party analytics or ad trackers.
- No selling, sharing, or licensing your data.
- Your ForeTees username and password never leave your device.
- We don't access ForeTees data beyond what's needed for the booking action you armed.
Your controls
- Uninstall the extension from Chrome. Wipes everything stored on your device.
- Settings → Account → Clear credentials. Deletes your saved ForeTees login from the device.
- Ask the admin to revoke your access. Kills your invite code. Your JWT stops working immediately. Your name flips to "revoked" in the admin dashboard. Backend records stay so the audit history is intact, but you can no longer authenticate.
How long we keep things on the backend
- Your roster entry (name, email, role, status): as long as you're a member.
- Activity events: indefinitely, for audit history and admin oversight. We can purge on request.
- If you're revoked: records stay but marked
revoked, and you can no longer authenticate.
Who runs this
BookATeeTime is run by the BCC Morning Game group. It's not a company. Brian Byrne is the admin.
Questions or data requests: brian@bmrkllc.com
Extension support: teetimesniper.bmrkllc.com
Changes
If we change anything material, the date at the top changes. Continued use after a change means you're OK with it.