Privacy policy.

When you create an account: your email address (for sign-in and account recovery) and a hashed password. We never see the plain-text password; a managed identity provider handles authentication.

When you subscribe: billing identifiers from Stripe (a customer ID and a subscription ID) so we know which subscription corresponds to which account. Stripe holds your card data; we never see it.

When you visit the site: standard server access logs (IP address, user agent, requested URL, timestamp, response code) retained for 30 days for security and rate-limiting. Aggregate page-view analytics via Google Analytics 4, with IP anonymization on.

When you use the bankroll or bet-tracking features as an authenticated subscriber: your bankroll amount and logged bets are stored under per-user keys tied to your account identifier, so only your session can read them back. This is the data you explicitly enter; we never auto-log bets on your behalf.

A separate legacy single-password access path exists for the publisher's own use during development. Bets logged through that path live in a shared default namespace and are not associated with any subscriber. No subscriber data lands in that namespace, and the per-user scoping above applies to every subscriber-facing request.

If the managed data store is unavailable in a given deployment, the same bet records may write to encrypted application storage as a reliability backstop. This is not a separate product destination and is covered by the same deletion workflow.

When you use /ask: your question is sent to a managed AI provider to generate a response and is logged for 30 days so we can debug model quality. We do not associate ask questions with your account identity.

Email + hashed password: account authentication only.

Stripe identifiers: to recognize active subscriptions and unlock subscriber content. We do not use them for marketing.

Server logs: security, rate-limiting, debugging.

Bankroll + logged bets: so the bankroll and bet-tracking features can recall what you entered between sessions. Deleted when you delete your account, or sooner on request.

Analytics: aggregate page-view counts so we can see which entries land with readers. Individual sessions are not tracked back to accounts.

Four processor categories only:

• Cloud infrastructure provider — account authentication, application hosting, storage, static assets, and AI processing. Encrypted in transit and at rest.
• Managed data-store provider — session caches, rate limits, API key metadata, and per-user bankroll + bet log storage. Encrypted in transit and at rest.
• Stripe — billing only.
• Google Analytics 4 — aggregate analytics with IP anonymization.

We do not share with sportsbooks, exchanges, affiliate networks, ad networks, or any data broker.

Two self-service paths live on /mlb/account:

• Cancel subscription — opens Stripe's hosted billing portal where you can update your card, download invoices, or end the subscription without deleting your account. Your bet log and bankroll persist so resubscribing later picks up where you left off.
• Delete account — the Danger Zone issues a single call that cancels any active subscription, wipes your bankroll and bet log across every storage location named below, removes your account record, and returns a per-step receipt of what was removed. No email round-trip.

For data access or correction (rather than deletion), email noreply@posterior.pro from the address on your account; we respond within 30 days.

Account deletion removes your authentication record, your application-database row, your Stripe customer link, your per-user bankroll key, and every bet record whose embedded userId field matches your account identifier — including any that landed on the file-fallback path. Aggregated analytics and server logs that cannot be tied back to you are retained.