Privacy Policy
Effective date: April 17, 2026 · Last updated: April 19, 2026
BookATeeTime ("the Extension") is an invite-only Chrome extension for members of the BCC Morning Game group. This policy explains what information the Extension collects, how it is used, and your rights.
1. What We Collect
The Extension stores data using Chrome's built-in storage APIs: chrome.storage.local (on-device only) and chrome.storage.sync (synced across your Chrome devices via your Google account).
Local storage (on this device only):
- Invite code — your personal membership activation code (e.g. BCC-XX-XXXX-XXX), stored locally and used as your identity for API requests (transmitted via JWT or as a query parameter)
- Session token — a signed authentication token (JWT) issued by our server on first activation, stored locally and used to authenticate your API requests. Expires automatically after 7 days and is silently refreshed.
- ForeTees credentials — if you enable auto-login in Settings, your ForeTees username and password are stored locally on your device. These credentials are never transmitted to our servers — they are only used to auto-fill the ForeTees login page.
- Sniper target — the tee time date, time slot, and playing partners you configure in the popup
- Saved players — names of regular playing partners you've saved for quick re-use (stored locally)
- Member info — your name and email address (as entered by the group administrator who created your invite) are stored on our backend server for account management
- Debug log — a rolling log of extension activity used for troubleshooting (stored locally only)
- Server time offset — a calculated offset to synchronize timing with the booking server
Synced storage (across your Chrome devices):
- Saved players — also synced via
chrome.storage.syncso your player list is available on all your devices - Preferences — your preferred time range, polling interval, notification settings, and club URL
- Release rules — per-day booking window schedules (days in advance, release time)
Your invite code is used as an identifier in API requests to our backend (via your JWT token or as a query parameter). ForeTees credentials are stored on-device only and are never sent to our servers.
2. What We Do Not Collect
- We do not collect payment or financial information
- We do not track your browsing history
- We do not run analytics or ad tracking of any kind
- We do not transmit your ForeTees credentials to any server — they remain on your device
- We do not access any ForeTees data beyond what is required to complete the tee time booking action you initiate
3. Network Requests
The Extension makes the following outbound network requests:
- bookateetime-bcc.web.app — our backend API, used to activate your membership (issue a session token), fetch group assignments, and log booking events. Requests are authenticated using a signed JWT Bearer token. In some cases, your invite code may also be sent as a query parameter for identification.
- ftapp.bethesdacountryclub.org — the ForeTees booking system, accessed only when you arm the sniper and the booking window opens
- fonts.googleapis.com — Google Fonts stylesheet loaded for UI typography (CSS only, no JavaScript or tracking)
All communication with our backend uses HTTPS. No data is sold or shared with third parties for advertising purposes.
4. Data Security
We take the security of your membership access seriously:
- Transport encryption — all API communication uses HTTPS (TLS 1.2+). No data is transmitted in plaintext.
- Token-based authentication — after your invite code is verified once, all subsequent requests use a cryptographically signed JWT (HMAC-SHA256). Your invite code never travels over the network again.
- Automatic expiry — session tokens expire after 7 days and are silently renewed. A revoked token is blocked immediately on our backend.
- No credential storage on servers — our backend stores only your invite code status (active/inactive), not the token itself.
5. Group Assignments
Club administrators may use the admin dashboard to dispatch a tee time assignment to your account. This assignment (date, time, and playing group) is fetched by the Extension when you open the popup and is stored locally. It is not shared with other members.
6. Data Retention
All data stored by the Extension resides on your local device. Removing the Extension from Chrome permanently deletes all locally stored data. Our backend retains only your invite code status (active/inactive) and anonymized event logs for system diagnostics.
7. Children's Privacy
This Extension is intended for adult members of BCC. We do not knowingly collect data from anyone under 13 years of age.
8. Changes to This Policy
If we make material changes to this policy, we will update the effective date above. Continued use of the Extension after changes constitutes acceptance of the updated policy.
9. Contact
For questions about this privacy policy or your data, contact the Morning Game administrator:
Morning Game · BCC
Extension support: bookateetime-bcc.web.app