Privacy Policy
Last updated: April 7, 2026
1. Introduction
Nerd Dawg Sports LLC, DBA PickEm Engagement ("we," "us," or "our") operates a white-label, multi-tenant business-to-business software-as-a-service ("SaaS") platform that enables independent operators ("Tenants") to host free-to-play pick'em prediction competitions for their communities. This Privacy Policy describes how we collect, use, share, and protect personal information when you interact with the PickEm Engagement platform (the "Service"), whether as a Tenant administrator, a player, or a visitor to our website.
In the context of data protection law, Tenants act as data controllers for the personal information of their players, and PickEm Engagement acts as a data processor on behalf of each Tenant. When we collect information directly from you in our capacity as the platform operator (for example, during account creation on the apex domain or payment processing for Tenant subscriptions), we act as a data controller.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Information We Collect
2.1 Personal Information You Provide
When you create an account, we collect the following information directly from you:
- Email address — used for authentication, notifications, and account recovery.
- Name (first name, last name, and optional display name) — used to personalize your experience and display on leaderboards.
- Password — stored only in hashed form using industry-standard cryptographic algorithms; we never store or have access to your plaintext password.
- Terms of Service acceptance timestamp — recorded when you agree to our Terms.
2.2 Usage Data
We automatically collect certain technical information when you access the Service:
- IP address — used for security monitoring, abuse prevention, and approximate geolocation.
- Device information — browser type, operating system, device model, and screen resolution.
- Access logs — timestamps of requests, pages visited, and referring URLs.
- Push notification tokens — if you opt in to mobile push notifications, we store device tokens to deliver notifications.
2.3 Payment Data
If you are a Tenant administrator purchasing a subscription, payment information (credit card numbers, billing addresses) is collected and processed directly by our payment processor, Stripe. We do not store full credit card numbers on our servers. We receive and store only:
- Stripe customer identifier and subscription identifier.
- Subscription plan, status, and billing frequency.
- Payment event metadata (invoice success, failure, refund events) for billing audit purposes.
2.4 Picks and Game Data
As a core function of the Service, we collect and store:
- Picks and predictions — individual bets, parlays, survivor picks, and tiebreaker predictions you submit.
- Leaderboard positions — computed rankings, scores, and win/loss records within competitions.
- Virtual wallet balances and transactions — all in-app currency is virtual, has no cash value, and cannot be exchanged for real money.
- Season entry data — which seasons and leagues you have joined, and your participation status.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service — authenticating your identity, processing picks, calculating leaderboards, settling outcomes, and delivering notifications.
- Account management — managing your profile, preferences, and Tenant membership.
- Communication — sending transactional emails (account verification, password resets, slate reminders, settlement summaries, payment receipts) and, where you have opted in, promotional communications from your Tenant.
- Payment processing — facilitating Tenant subscription billing, refunds, and reactivation through Stripe.
- Security and fraud prevention — detecting unauthorized access, abuse, and violations of our Terms of Service.
- Platform improvement — analyzing aggregate usage patterns to improve performance, reliability, and user experience.
- Legal compliance — complying with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Audit logging — recording administrative actions for accountability and platform integrity.
4. Data Sharing
4.1 Sharing with Tenant Operators
Because PickEm Engagement is a multi-tenant platform, the Tenant under which you create your account has access to your profile information (name, email, display name), your picks, your leaderboard rankings, and your participation history within that Tenant's leagues and seasons. Tenant administrators may use this information to manage their competitions, communicate with their players, and administer their community. Each Tenant's use of your data is governed by that Tenant's own privacy practices.
4.2 Sharing with Third-Party Processors
We share personal information with the following third-party service providers, each of which processes data solely on our behalf and in accordance with our instructions:
- Supabase — database hosting and user authentication. Supabase stores all account data, picks, leaderboard data, and authentication credentials (hashed passwords and session tokens) on our behalf.
- Stripe — payment processing. Stripe collects and processes payment card information directly from Tenant administrators. Stripe's handling of payment data is governed by the Stripe Privacy Policy.
- Resend — transactional email delivery. Resend processes recipient email addresses and email content to deliver notifications, invitations, password resets, and other transactional messages on our behalf.
- The Odds API — sports odds data. We send requests to The Odds API to retrieve current betting odds and lines for sporting events. No personal user data is shared with The Odds API; we transmit only sport and event identifiers.
- ESPN — sports schedule and score data. We retrieve game schedules, scores, and results from ESPN's publicly available data feeds. No personal user data is shared with ESPN.
4.3 Other Disclosures
We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation or governmental request; (b) protect and defend our rights or property; (c) prevent fraud or abuse of the Service; or (d) protect the personal safety of users or the public.
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via prominent notice on the Service or by email prior to your information becoming subject to a different privacy policy.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service. When you or your Tenant requests account deletion, we will remove or anonymize your personal information within a reasonable period, except where retention is required by law or for legitimate business purposes such as audit compliance.
Attorney Review Required
Specific data retention periods should be defined here (e.g., account data retained for X years after deletion request, billing records retained for Y years for tax compliance, audit logs retained for Z years). Consult legal counsel to determine appropriate retention schedules based on applicable regulations (GDPR, CCPA, tax law, etc.).
Aggregate, de-identified data that cannot reasonably be used to identify you may be retained indefinitely for analytics and platform improvement purposes.
6. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies — required for authentication, session management, and security. These include the Supabase session cookie (HttpOnly, Secure) and the impersonation cookie used by platform administrators. The Service cannot function without these cookies.
- Preference cookies — store your display preferences, such as theme settings or notification preferences, to enhance your experience.
We do not use third-party advertising cookies or cross-site tracking technologies. We do not sell your data to advertisers or data brokers. We do not participate in behavioral advertising networks.
Most web browsers allow you to manage cookie preferences through browser settings. Note that disabling essential cookies will prevent you from using the Service.
7. Third-Party Services
The Service relies on the following third-party services. Each service has its own privacy policy governing its collection and use of data:
7.1 Supabase
Role: Database hosting, user authentication, file storage, and real-time infrastructure. Supabase hosts our PostgreSQL database, manages authentication flows (sign-up, sign-in, password reset, email verification), and stores tenant-uploaded assets (logos and branding images) in object storage. All data is encrypted at rest and in transit. See the Supabase Privacy Policy.
7.2 Stripe
Role: Payment processing for Tenant subscriptions. Stripe handles all credit card collection, storage, and processing through its PCI DSS-compliant infrastructure. We use Stripe Checkout (hosted payment pages) and the Stripe Customer Portal so that sensitive payment details are entered directly on Stripe's servers, not ours. Stripe also powers subscription management, invoicing, and refund processing. See the Stripe Privacy Policy.
7.3 Resend
Role: Transactional email delivery. Resend transmits emails on our behalf, including account verification messages, password reset links, slate reminder notifications, settlement summary emails, payment receipts, and player invitation emails. Resend processes recipient email addresses and rendered email content to fulfill delivery. See the Resend Privacy Policy.
7.4 The Odds API
Role: Sports odds and betting lines data. We query The Odds API to retrieve current odds for sporting events displayed within the Service. This is a server-to-server integration; no personal user information is transmitted to The Odds API. Only sport identifiers and event identifiers are included in our requests. See The Odds API Privacy Policy.
7.5 ESPN
Role: Sports schedule and score data. We retrieve game schedules, start times, scores, and final results from ESPN's publicly available data feeds to populate slates and settle outcomes. This is a server-to-server integration; no personal user information is transmitted to ESPN.
8. Children's Privacy
The Service is not directed to children under the age of 17. We do not knowingly collect personal information from anyone under 17 years of age. By creating an account, you represent and warrant that you are at least 17 years old.
In compliance with the Children's Online Privacy Protection Act ("COPPA") and similar laws in other jurisdictions, if we become aware that we have inadvertently collected personal information from a child under the age of 13 (or the applicable age threshold in your jurisdiction), we will take prompt steps to delete that information. If you believe we have collected information from a child, please contact us immediately at the address provided in Section 13.
9. Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Right of access — you may request a copy of the personal information we hold about you.
- Right to correction — you may request that we correct inaccurate or incomplete personal information. You can update your name, display name, and email through your account settings at any time.
- Right to deletion — you may request that we delete your personal information, subject to any legal obligations requiring retention.
- Right to data portability — you may request a machine-readable copy of your personal information to transfer to another service.
- Right to opt out — you may opt out of non-essential communications at any time. You may also request that we cease processing your personal information for certain purposes.
To exercise any of these rights, please contact us using the information in Section 13. We will respond to your request within the timeframe required by applicable law.
Attorney Review Required
Jurisdiction-specific rights disclosures should be added here. For users subject to the GDPR, detail the lawful basis for processing, the right to lodge a complaint with a supervisory authority, and the right to restrict processing. For users subject to the CCPA/CPRA, disclose the categories of personal information collected and sold (if any), the right to know, the right to delete, and the right to opt out of sale. Consult legal counsel to ensure compliance with all applicable privacy regulations.
10. Data Security
We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS (HTTPS) for all connections.
- Encryption of data at rest in our database and storage systems.
- Cryptographic hashing of passwords using industry-standard algorithms; plaintext passwords are never stored.
- Row-level security (RLS) policies in our database ensuring that each Tenant's data is isolated from other Tenants.
- API key authentication using SHA-256 hashed keys; raw API keys are never stored after initial generation.
- HttpOnly, Secure session cookies to prevent cross-site scripting attacks from accessing session tokens.
- HMAC-SHA256 signed impersonation tokens with strict read-only enforcement.
- Audit logging of all administrative actions for accountability and incident investigation.
No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
11. International Data Transfers
The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored in, and processed in the United States or other countries where our service providers maintain facilities. These countries may have data protection laws that differ from the laws of your jurisdiction.
By using the Service, you consent to the transfer of your information to the United States and other countries as described in this Privacy Policy.
Attorney Review Required
Specify the legal mechanism for international data transfers (e.g., Standard Contractual Clauses, adequacy decisions, binding corporate rules, or reliance on the EU-U.S. Data Privacy Framework). If serving users in the European Economic Area or United Kingdom, this section must identify the specific safeguards in place. Consult legal counsel to determine the appropriate transfer mechanism.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and notify you by prominent notice on the Service or by email to the address associated with your account.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the posting of changes constitutes your acceptance of those changes.
13. Contact for Privacy Inquiries
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: privacy@pickemengagement.com
We will endeavor to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.
See also: Terms of Service