Privacy Policy

1. Introduction

S.O.A.A ("we", "us", "our") respects the privacy of every person who interacts with the Service. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and the choices you have. By using the Service you agree to the practices described here. If you do not agree, please do not use the Service.

2. What We Collect

Account information. When you create a paid account, you provide your first name, last name, email address, date of birth, and a password. The password is salted and hashed before storage; we never see or store your plain-text password. We also persist the timestamp at which you accepted the Terms of Service and the version you accepted, for compliance audit purposes.

Anonymous identifier. A randomly generated identifier is written to your browser's local storage on first visit so the Service can remember per-session preferences (such as which ads you have already viewed) without identifying you personally. You can clear this identifier at any time by clearing your browser's site data; doing so will reset any per-session state.

Network metadata. When you make a request, we record limited metadata about the request (such as the IP address from which it originated, the timestamp, and the requested endpoint) for security, rate-limiting, and debugging purposes. We retain your client IP address for up to 24 hours as a fallback join key in case your browser clears its local storage during an active session.

Service activity (the picks engine). When you generate a slate or run the arbitrage tool, we record the full result so you can re-open it from your account history, and we record per-pick details including the sport, sportsbook, market, line, odds, line kind (stable / standard / aggressive), the AI's conviction grade, the pattern tokens the AI cited, and (after the event settles) whether the pick hit. This data is used to calibrate the engine over time and to measure long-run accuracy across risk profiles.

Usage counters. We track per-day counts of how many slates you have generated, how many ads you have watched, and how many advanced runs you have used against your plan's allowance. These counters reset on the schedule described in the Service.

Security audit log. We record every sign-in, sign-out, signup, account lock, password change, and subscription change, along with the IP address and timestamp of the event. We use this log exclusively to detect and respond to suspicious activity on your account.

Ad-interaction data. When you watch a rewarded video ad to unlock content, we log the ad event (shown / completed / skipped) and the ad provider session identifier so we can credit your account correctly and detect abuse. We do not learn the actual content of the ad you watched from this log.

Odds-history snapshots. Each time the engine fetches odds from a sportsbook, we save the (event, market, outcome, book, price, timestamp) tuple so the engine can detect line movement and steam. These snapshots are about MARKET ACTIVITY, not about you; they are not joined to your account.

Billing information. Payment processing is handled by Stripe, Inc., a regulated payment processor whose privacy practices apply to any information you provide during checkout. Stripe collects and stores your card number, billing address, and any other payment-method details on its own systems; we receive only a tokenized customer reference (your Stripe Customer ID) and a status flag for your active subscription. The Stripe Customer ID is persisted on your account so you keep the same saved payment methods across subscription cycles. We never see, store, or transmit your card number, banking credentials, or full billing address.

Sensitive personal information - NONE. We do not collect or infer any "sensitive personal information" as defined by the California Consumer Privacy Act, including precise geolocation, racial or ethnic origin, religious beliefs, health data, sex life or sexual orientation, genetic or biometric data, or information concerning citizenship or immigration status. We also do not collect government identification numbers, social security numbers, contact lists, microphone audio, or facial recognition data.

3. How We Use the Information

We use the information we collect to: (a) provide the Service to you and authenticate your account; (b) personalize your in-app experience and remember your preferences; (c) operate, maintain, secure, and improve the Service; (d) prevent abuse, fraud, and unauthorized access; (e) communicate transactional information about your account (e.g. password resets, billing receipts); (f) deliver and measure advertising that supports the free tier; and (g) comply with legal obligations.

Honest disclosure on data sharing. We do not sell your personal information for cash. However, if you use the free tier (which is ad-supported) or if you visit any page that loads our analytics tooling, we share certain limited information with our advertising and analytics partners as described below. Under the California Consumer Privacy Act and similar state laws, this kind of sharing for cross-context behavioral advertising may be defined as a "share" of personal information. We honor opt-out requests via the Global Privacy Control browser signal and via the "Do Not Sell or Share My Personal Information" link described in Section 8.

Lawful bases (EU / UK users). Where the General Data Protection Regulation applies, our lawful bases for processing are: contract (delivering the Service you signed up for, GDPR Art. 6(1)(b)); legitimate interest (fraud prevention, security, engine calibration, GDPR Art. 6(1)(f)); legal obligation (tax, audit, regulator response, GDPR Art. 6(1)(c)); and consent (cookies / advertising tracking, GDPR Art. 6(1)(a)). You may withdraw consent for advertising tracking at any time without affecting the other lawful bases.

We do not use your information to make solely automated decisions that produce legal or similarly significant effects on you.

4. Cookies, Local Storage, and Tracking Technologies

First-party storage. S.O.A.A uses your browser's local storage and session storage to keep small pieces of state on your device (your anonymous identifier, a cached snapshot of your account display fields after sign-in, and a flag tracking whether you have cleared the entry-ad gate this session). Once you sign in, an HTTP-only session cookie is also set on your browser by our server; this cookie is what authenticates your subsequent requests and is marked HttpOnly + Secure + SameSite=Lax so it cannot be read by JavaScript or attached to cross-site requests. A separate non-HttpOnly CSRF cookie is set alongside the session and exists solely to defend against cross-site-request-forgery attacks; it does not contain any personal information.

Analytics tracking. We may use Google Analytics or similar product-analytics services to understand which pages and features are used and to improve the Service. These services set their own cookies and may collect device identifiers, page-view paths, and interaction events. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Extension.

Advertising partners. The free tier of the Service is supported by rewarded video ads. Our ad partner (currently Google AdSense / Google Ads) may set cookies and pixel tags to deliver ads and measure their performance. These partners may combine data from the Service with data from other sites you visit to build interest profiles. You can adjust your ad preferences directly via Google Ad Preferences, opt out of interest-based advertising at the Network Advertising Initiative, or use the Digital Advertising Alliance opt-out.

EU / UK availability. The Service is currently designed for users in the United States. At this time we do not set non-essential analytics or advertising cookies on any visit - only the strictly necessary cookies required to authenticate you and protect against cross-site request forgery. If we add analytics or advertising cookies in the future, we will surface a consent banner for EU / UK visitors at that time and will not set those cookies until you affirmatively accept.

5. Service Providers

We rely on a small number of carefully selected service providers to operate the Service. Each provider receives only the information needed for its specific role and is contractually obligated (via a Data Processing Addendum or equivalent) to handle your information in accordance with applicable privacy laws. Current providers include:

• Stripe, Inc. — payment processing (privacy policy)
• Anthropic, PBC — primary AI analyst model (privacy policy)
• Google LLC — secondary AI reviewer model (Gemini), advertising (AdSense), and analytics (privacy policy)
• The Odds API — sportsbook odds data feed (no user data sent)
• Render.com — hosting infrastructure (privacy policy)
• Resend (when wired) — transactional email delivery

6. Data Retention

We retain account information for as long as your account is active and for a reasonable period thereafter in case you wish to reactivate. Saved slates and generation history are subject to per-plan retention rules described in the Service: paid Pro accounts retain recent generations on a daily-refresh basis, and Ultra accounts retain a Monday-through-Friday window that is wiped at the end of each week. Network metadata is retained for a limited operational window (typically no more than ninety days) and then deleted.

7. Security

We protect your information through industry-standard measures including transport-layer encryption (HTTPS / TLS) with HSTS, a strict Content Security Policy, salted and iterated password hashing (PBKDF2-HMAC-SHA256), constant-time password verification, HttpOnly + Secure session cookies, double-submit CSRF tokens on every state-changing request, per-account brute-force lockout after repeated failed sign-in attempts, log redaction of secret query parameters, parameterized database queries, per-IP rate limiting keyed on the real client IP, request body-size caps, a security audit log of authentication events, and least-privilege access controls. No system can be guaranteed to be perfectly secure; in the event of a breach affecting your information, we will notify affected Users in accordance with applicable law.

8. Your Choices and Rights

You can update your account information from the in-app account page or by contacting us. You can request that we delete your account and the personal information associated with it; we will honor the request within a reasonable period (typically within 30 days), subject to any retention required by law (such as financial records). You can also export your account data in a machine-readable format on request.

Global Privacy Control (GPC). We honor the GPC do-not-track signal as a universal opt-out from the "sale" or "sharing" of personal information for cross-context behavioral advertising. If your browser sends the GPC header, we will treat that as a standing opt-out request and will not share your anonymous identifier with advertising partners. GPC does not disable core authentication or session cookies.

Opt-out methods. You may opt out of data sharing for targeted advertising and profiling by: (a) enabling Global Privacy Control in your browser; (b) visiting the "Do Not Sell or Share My Personal Information" link in the site footer; or (c) emailing [email protected] with the subject "Opt Out of Profiling."

8a. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018 as amended (CCPA / CPRA) gives you these rights:

• Right to know what personal information we collect
• Right to delete your personal information
• Right to correct inaccurate personal information
• Right to data portability
• Right to opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising
• Right to limit use and disclosure of sensitive personal information (we do not collect any — see Section 2)
• Right to non-discrimination for exercising any of these rights

We do not sell your personal information for cash. We may "share" it under CCPA's broader definition with advertising partners as described in Section 4. Use the "Do Not Sell or Share" link in the site footer, enable Global Privacy Control in your browser, or contact [email protected] to exercise any of the rights above.

8b. European Union / United Kingdom Residents (GDPR / UK GDPR)

If the GDPR applies to your processing, you have the right to access, rectify, erase, restrict, and port your personal data, the right to object to processing based on legitimate interest, the right to lodge a complaint with your national supervisory authority (e.g. the ICO in the UK or the CNIL in France), and the right to withdraw any consent you previously gave (without affecting the lawfulness of processing before withdrawal).

International transfers. S.O.A.A is operated from the United States and your personal data will be transferred to and processed in the United States. Where required, we rely on European Commission Standard Contractual Clauses (per GDPR Art. 46(2)(c)) or adequacy decisions for these transfers. A copy of our SCCs is available on written request to [email protected].

Data Protection contact. For GDPR inquiries, please reach our privacy team at [email protected].

8c. Other US State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have substantially similar rights to the California rights described above. We honor universal opt-out signals (including Global Privacy Control) across all such jurisdictions and will respond to verifiable consumer requests within the timeframes required by each applicable law.

9. International Users

S.O.A.A is operated from the United States. If you access the Service from another jurisdiction, your information will be transferred to, processed in, and stored in the United States. See Section 8b for the transfer mechanism that applies to EU / UK residents.

10. Minimum Age & Children

S.O.A.A is intended for users aged 18 years or older. At signup we collect your date of birth, compute your age server-side, and reject any account whose holder is under 18. You also affirm at signup, under penalty of perjury, that you are at least 18 and that all information you have provided is true and accurate.

We do not knowingly collect personal information from anyone under 18, and we do not knowingly collect any information at all from anyone under 13 (consistent with the Children's Online Privacy Protection Act, COPPA). If we learn that we have collected information from a person below the applicable minimum age, we will delete the account and the associated information immediately.

Non-wagering reminder. S.O.A.A is an informational analytics tool. It does not accept, facilitate, or encourage wagering, hold user funds, or operate as a sportsbook. Decisions to wager with third-party operators are yours alone; the minimum-age requirement above reflects the regulated-adjacent nature of the topic, not any claim that S.O.A.A itself is a gambling product.

11. Changes

We may update this Privacy Policy from time to time. The "Last updated" date above reflects the most recent revision. Material changes will be highlighted in the in-app announcement system or by email when we hold an active email address on your account.

12. Contact

Questions, requests, or complaints can be sent to [email protected]. For information about responsible play and access to confidential help, please see our Responsible Use Notice. For accessibility-related questions or accommodation requests, please see our Accessibility Statement.