Privacy Policy

Account information: When you create an account via Clerk, we receive your email address, authentication provider (password or SSO provider ID), and account creation timestamp. We do not receive your password.

Billing information: When you subscribe, Stripe collects and stores your payment details. We receive a Stripe customer ID and subscription metadata; we never see your full card number.

Usage data: Page views, API endpoint calls, timestamps, IP address (for rate limiting only — not stored long-term), and browser user-agent string.

Cookies and similar technologies: Session cookies for authentication (set by Clerk), a minimal preference cookie for the responsible-gambling notice dismissal. We do not use third-party advertising cookies.

• To authenticate you and provide the Service.
• To process subscription payments (via Stripe).
• To enforce rate limits and prevent abuse.
• To send transactional emails (receipts, password resets).
• To measure aggregate usage and improve the product (e.g., which pages are popular — not individual user tracking).
• To comply with legal obligations.

We do not sell your personal information. We do not share your data with advertisers.

We rely on the following processors, each governed by their own privacy policy:

• Clerk — authentication
• Stripe — payments and subscription management
• Supabase — database hosting (PostgreSQL)
• Vercel — application hosting, edge CDN
• Upstash — rate-limit key-value store (stores only a hashed identifier and a counter; no personal data)
• Sportradar — source of NBA event data (we send no user data to them)

• Account records are retained while your account is active and for up to 90 days after deletion, unless retention is required by law.
• Payment records are retained by Stripe per their financial-record retention obligations.
• Rate-limit counters expire automatically within 24 hours.
• Application logs are retained for up to 30 days.

Depending on your jurisdiction, you may have the right to:

• Access — request a copy of the data we hold about you.
• Correct — request that inaccurate data be fixed.
• Delete — request erasure of your account and associated data.
• Object or restrict — limit certain processing.
• Portability — receive your data in a portable format (JSON).
• Opt out of “sale” — we do not sell data, so this right is satisfied by our practices.

To exercise any of these rights, email kevin@dunkladder.com. We will respond within 30 days.

The Service is not intended for users under 18. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact us and we will delete it promptly.

We use industry-standard measures to protect data, including TLS in transit, encrypted storage at the provider level, and scoped access via RLS policies in our database. No method is perfectly secure; you use the Service at your own risk.

Our infrastructure is operated primarily in the United States. If you use the Service from the EU, UK, or other jurisdictions, your data is transferred to the US. Where required, we rely on Standard Contractual Clauses with our processors to provide lawful transfer mechanisms.

We may update this policy. Material changes will be noted at the top of this page with a new “Last updated” date. Continued use after changes indicates acceptance.

Privacy questions or data requests: kevin@dunkladder.com.