Privacy Policy

Last updated: May 11, 2026

What we collect

When you create an account, we collect your email address and an optional display name. Your password is hashed with bcrypt before storage. We never store or see your plaintext password.

If you enable push notifications, we store the browser subscription endpoint provided by the Web Push API. This is a URL generated by your browser, not personal data.

Subscription billing is processed by Stripe. We store the Stripe customer ID, subscription ID, and subscription status returned by Stripe so we can grant and revoke access to paid features. We do not see, store, or have access to card numbers or other payment details; those live entirely within Stripe.

If you choose to provide your Discord username on the account page, we store it so an administrator can grant the Discord roles tied to your active subscriptions. Providing it is optional. You can update or remove it at any time from the account page.

What we do not collect

We do not track your betting activity, collect your location, read your contacts, or use advertising trackers. There are no analytics scripts on this site. We do not sell, rent, or share your data with third parties for marketing purposes.

How your data is used

  • Email: account authentication, verification codes, and service-related messages.
  • Push subscription: delivering pick or model notifications to your device.
  • Display name: shown only to you in your profile.
  • Discord username (optional): mapping your account to your Discord identity so an administrator can grant subscription-tied roles in the GOATed Analytics Discord server.
  • Stripe customer / subscription IDs: granting and revoking access to paid features based on the current state of your subscription in Stripe.

Third-party services

  • Stripe (stripe.com): processes subscription billing and stores all payment details. We receive only the IDs and subscription state needed to grant access.
  • Resend (resend.com): delivers transactional emails (verification codes, welcome emails).
  • Railway (railway.app): hosts the application and database.
  • Web Push API: browser-native notification delivery. No third-party push service.

Odds data is sourced from The Odds API. Injury data is sourced from ESPN public feeds. Neither service receives any of your personal data.

Cookies

We use a single cookie named "token" to keep you logged in. It contains a signed JWT (JSON Web Token) with your user ID and email. It expires after 72 hours. No tracking cookies, no third-party cookies, no cookie banners needed.

Data retention

Your account data is retained as long as your account exists. If you want your account deleted, email the address below and we will delete your account and all associated data within 7 days.

Security

Passwords are hashed with bcrypt. All traffic is encrypted via HTTPS. Authentication tokens are signed with a secret key stored securely on the server. Database access is restricted to the application.

Contact

For privacy-related questions or data deletion requests: privacy@goatedanalytics.com