Mully is built to keep your golf memories — not to mine them. This page says, in plain language and then in the proper legal language, what we do with the information you give us.
The short version: we store your rounds, photos, and reflections on EU servers so you can read them back from your phone. We don't sell your data, don't share it for advertising, and don't use your content to train AI models. The only third party we send anything to beyond the basics of running the app is Google's Gemini API — and only the photo of a scorecard, only when you point your camera at one, and only so it can read the strokes. Delete your account from Settings and everything is gone from our systems within 30 days.
01What we collect
Three buckets: what you give us, what you record in the app, and a small amount of operational data we need to keep the app running and safe.
We do not collect contacts, calendar, microphone, precise location, health data, or advertising identifiers. Camera and photo-library access are used only when you explicitly invoke the scorecard scan or attach a photo to a round.
Account information
From your sign-in provider (Apple or Google) we receive your email address, a stable account identifier, and — if you choose to share it on first sign-in — your name. You can change or remove your display name and avatar from inside the app at any time. We never see your password.
If you sign in with Apple's "Hide My Email" relay, the email we
receive is a private relay address (something like
[email protected]); we cannot see your real
address.
When you sign in with Apple we also receive a refresh token from Apple, which we store against your account so we can ask Apple to invalidate your sign-in session when you delete your account (see §05).
Rounds you record
For each round you save: the course you played, the tee you played from, the date, your strokes per hole, any notes or reflection tags you added, the weather you noted, and any photos you attached (scorecards and "moment" photos). Mully derives a handicap-index estimate from your rounds — that's a calculation, not a separate piece of data.
Operational data
Device and app metadata necessary to keep the service working: operating-system version, Mully app version, anonymised crash diagnostics, and short-lived counters used to rate-limit our own APIs against abuse. Authenticated requests are logged with a request identifier; we do not store your raw IP address against your account.
Lawful bases (EU/UK GDPR)
- Creating and operating your account, saving your rounds, running the scorecard scan you invoke — performance of the contract you enter into when you sign up (Art. 6(1)(b) GDPR).
- Crash diagnostics, rate-limit counters, fraud prevention, service security — our legitimate interests in keeping the app stable and protected (Art. 6(1)(f) GDPR).
- Optional product emails, if any — your consent, which you can withdraw at any time (Art. 6(1)(a) GDPR). Mully sends no marketing emails at launch.
Where it's stored
The database, your photos, and our application servers all run on Google Cloud in Belgium (europe-west1). Encrypted backups are kept in the same region. The complete list of third-party processors and their regions is in §04.
02How we use it
To show you your rounds, sync them across your devices, and keep them safe. To send you the very occasional product update if you've opted in. To debug crashes and improve the app. Nothing else.
03Scorecard scanning
When you point your camera at a scorecard and tap scan, the photo is sent — once, briefly — to Google's Gemini vision API so it can read the strokes and the course name. This is the only feature in Mully that sends anything beyond standard account operations to an external AI service, and it only happens when you explicitly invoke it.
3.1 · What's sent to the AI provider
For each scan we send Google's Gemini API:
- The image bytes of the scorecard photo you took
- A short, fixed system prompt that tells Gemini how to format its response (the same prompt every time, for every user)
- A request identifier we generate for tracing the call in our logs
We do not send your name, email, account identifier, location, device identifier, or any other personally identifying information. Gemini sees the photo and the request — that's it.
3.2 · What's retained, and for how long
On Mully's side: the original scorecard photo is stored alongside the round you saved (encrypted at rest on Google Cloud Storage in Belgium) so you can review it later. It lives there for as long as the round exists. When you delete a round or your account, the photo is deleted with it on the schedule described in §05.
On Google's side: Mully calls Gemini under a paid Google Cloud project with active billing. Under those terms, Google does not use your scorecard images to train, improve, or develop Google's models or services. Google logs prompts and responses for a limited period of time solely for detecting and preventing abuse of the API (e.g. spam, attempts to break the model), and discards them thereafter. Google's published terms for this service are at ai.google.dev/gemini-api/terms, and the data-processing addendum at business.safety.google/processorterms.
3.3 · Provider details & sub-processors
The vision-AI provider for scorecard scanning is Google LLC (Gemini API). Google may transiently process the request in any country where it maintains facilities; under Google's standard terms the transfer is governed by the EU Standard Contractual Clauses and Google's role is that of a data processor acting on Mully's instructions.
Beyond Gemini, scorecard scanning does not invoke any further sub-processors. The wider list of processors Mully uses to run the service (hosting, auth, email, error reporting, etc.) is in §04.
3.4 · Opt-out & manual entry
Scorecard scanning is opt-in by action — it only runs when you tap the scan button. Manual round entry is a first-class, fully-featured alternative. You can use Mully indefinitely without ever scanning a card and lose no functionality: every round feature (notes, tags, weather, photos, medals, handicap calculation, sharing) works identically whether the round was entered by hand or read from a scan.
If you've scanned cards in the past and want them gone from Mully, delete the round in question or your whole account, and the original card image is removed per §05.
04Sharing & processors
We use a small set of third-party processors to run the service. We do not sell your data and we do not share it for advertising. Each processor below is bound by a written agreement requiring them to process your data only on Mully's instructions, with appropriate security and confidentiality safeguards.
| Processor | Purpose | Region |
|---|---|---|
| Google Cloud (Cloud Run, Cloud SQL, Cloud Storage) | Hosting, database, photo storage, encrypted backups | Belgium (europe-west1) |
| Google Gemini API | Scorecard OCR (see §03) | Multi-region; SCCs apply |
| Google Places API | Course enrichment (address, photo, geographic coordinates of public golf courses — not your location) | Multi-region; SCCs apply |
| Apple (Sign in with Apple) | Authentication when you choose Apple sign-in | Apple infrastructure (global) |
| Google Sign-In | Authentication when you choose Google sign-in | Multi-region; SCCs apply |
| Resend | Transactional email (account-deletion confirmation; future shutdown notice) | United States; SCCs apply |
| Sentry | Crash and error diagnostics (anonymised stack traces; no message bodies or photos) | European Union |
| Cloudflare | DNS for the marketing site and email inbound routing | Global edge; EU-resident metadata |
We will update this table if we change processors. The current version of this page always reflects who we actually use.
05Retention
Your rounds, photos, notes, and account profile are kept for as long as your account exists. When you delete your account from Settings, your data is removed from our live systems immediately and from encrypted backups within 30 days. After 30 days no trace of your account remains on our side.
When the account you delete was created via Sign in with Apple, we also call Apple's token-revoke endpoint as part of the deletion so your access grant on Apple's side is invalidated. Mully will drop out of your Settings → Sign-In & Security → Sign in with Apple list once Apple's systems sync.
Where we are legally required to retain limited records (for example, accounting records for tax purposes — Spanish law requires we keep invoices and equivalent for several years), we retain only the minimum required, in a cold-storage form that's not used for any other purpose. Mully has no paid features today, so no payment records exist for any user at the time of writing.
06Your rights
Under EU and UK data protection law you have the right to:
- Access — ask us for a copy of the personal data we hold about you
- Rectification — correct anything inaccurate
- Erasure — delete your account from Settings, or write to us
- Restriction — ask us to limit how we process your data
- Portability — ask us for your data in a machine-readable format
- Objection — object to processing we do under legitimate interests
- Withdraw consent — for anything we ever process on the basis of your consent (today: nothing)
Write to us at [email protected] and we'll respond within 30 days. Most rights can also be exercised directly inside the app — you can edit your display name, replace your avatar, delete individual rounds, or delete your whole account from Settings without writing to anyone.
You also have the right to lodge a complaint with the Spanish data protection supervisory authority, the Agencia Española de Protección de Datos (AEPD), at www.aepd.es. If you are resident in another EU member state, you may also lodge a complaint with your local supervisory authority.
07Children
Mully is intended for golfers aged 16 and over. We don't knowingly collect information from children under 16. If you believe we have, tell us and we'll remove it.
08Changes & contact
When we change this policy we will tell you in the app and note the change here, with the date. Reach us at [email protected].