Privacy Policy

StakeLink (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our social prediction game service at stakelink.app (the “Service”). Please read this policy carefully. By using the Service, you consent to the data practices described in this policy.

1. Information We Collect

We collect the following categories of information:

Information You Provide Directly

• Email address — Collected when you create an account. Used for authentication, password reset, and service-related communications. Your email is stored securely and is never displayed publicly to other users.
• Display name — A user-chosen name that is publicly visible to other participants in your predictions and groups. This may be a pseudonym and does not need to be your real name.
• Password — Your password is hashed using bcrypt before storage. We never store or have access to your plaintext password.
• Phone number hash — If you optionally provide a phone number for SMS notifications, it is immediately hashed using SHA-256. The plaintext phone number is never stored in our database. The hash is used solely for notification delivery through our SMS provider and duplicate prevention.

Information Collected Automatically

• IP address hash — Your IP address is hashed using SHA-256 before storage. We do not store plaintext IP addresses. The hash is used for analytics aggregation and abuse prevention (such as detecting vote manipulation or automated access).
• Session cookies — We use HTTPOnly session cookies to authenticate registered users. Session tokens are stored in Redis and linked to your user account. See our Cookie Policy for full details.
• Anonymous session identifier — If you access a prediction through a shared link without an account, we assign a UUID cookie (“stakelink_anon”) with a one-year time-to-live. This identifier is used to associate your picks with your session and prevent duplicate submissions. It does not contain any personally identifiable information.
• Usage data and analytics events — We collect information about how you interact with the Service, including event type (e.g., prediction created, pick submitted, page viewed), browser user agent string, and HTTP referrer. This data is used to understand usage patterns, improve the Service, and diagnose technical issues.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Authentication and account management — To verify your identity, maintain your session, and enable account features such as password reset.
• Service operation — To process predictions, record picks, calculate outcomes, manage groups, and deliver the core functionality of the Service.
• Analytics and improvement — To understand how the Service is used, identify areas for improvement, monitor performance, and fix bugs.
• Notifications — To send prediction updates, resolution reminders, and other service-related communications via email or SMS (if you have opted in).
• Abuse prevention — To detect and prevent fraudulent activity, vote manipulation, automated abuse, and violations of our Terms of Service.

3. Data Storage and Security

We take the security of your data seriously and implement industry-standard measures to protect it:

• All data is stored in PostgreSQL databases with encrypted connections (TLS/SSL) between the application and database servers.
• Phone numbers are hashed with SHA-256 before storage and cannot be reversed to recover the original number.
• IP addresses are hashed with SHA-256 before storage and cannot be reversed to recover the original address.
• Passwords are hashed using bcrypt with per-user salts.
• Session management is handled through Redis with automatic expiration of session tokens.
• All communication between your browser and our servers is encrypted using HTTPS (TLS 1.2 or higher).

While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining appropriate safeguards.

4. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information to third parties. We may share information with the following categories of service providers who assist us in operating the Service:

• Twilio — We use Twilio for SMS notification delivery. Phone number hashes may be transmitted to Twilio solely for the purpose of delivering SMS messages you have opted into. Twilio’s privacy practices are governed by their own privacy policy.
• Hosting provider — Our infrastructure is hosted by third-party cloud providers who may process data on our behalf. These providers are contractually obligated to protect your data and use it only as directed by us.

We may also disclose your information if required to do so by law, in response to a valid legal process (such as a court order or subpoena), or to protect the rights, property, or safety of StakeLink, our users, or others.

5. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

• Right to know — You have the right to request that we disclose what personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to delete — You have the right to request deletion of your personal information, subject to certain exceptions provided by law.
• Right to opt out of sale — StakeLink does not sell personal information. We have never sold personal information and have no plans to do so.
• Right to non-discrimination — We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, please contact us at [email protected]. We will verify your identity before processing your request and respond within forty-five (45) days.

6. Your Rights Under GDPR (EU/EEA Residents)

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) provides you with the following rights regarding your personal data:

• Right of access — You have the right to request a copy of the personal data we hold about you.
• Right to rectification — You have the right to request correction of inaccurate personal data.
• Right to erasure — You have the right to request deletion of your personal data under certain circumstances (“right to be forgotten”).
• Right to restrict processing — You have the right to request that we limit how we use your personal data.
• Right to data portability — You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to object — You have the right to object to the processing of your personal data for certain purposes, including direct marketing.

Our legal basis for processing personal data is: (a) performance of a contract (providing the Service as described in our Terms of Service); (b) legitimate interests (analytics, abuse prevention, and service improvement); and (c) consent (where applicable, such as for optional SMS notifications). To exercise any of your GDPR rights, please contact us at [email protected]. We will respond within thirty (30) days.

7. Cookies

StakeLink uses strictly necessary cookies for core functionality including authentication and session management. We do not use advertising cookies, tracking cookies, or third-party analytics cookies. For complete details about the specific cookies we use and how to manage them, please see our Cookie Policy.

8. Data Retention

• Account data — Your account information (email, display name, hashed password) is retained for as long as your account is active. Upon account deletion, this data is permanently removed within thirty (30) days.
• Analytics and usage data — Event-level analytics data is retained for twelve (12) months from the date of collection and is then automatically purged.
• Hashed data — Phone number hashes and IP address hashes are one-way cryptographic transformations. These hashes are irreversible and cannot be used to recover the original phone number or IP address.
• Prediction and pick data — Predictions and picks are retained as part of the Service’s historical record. Upon account deletion, your predictions will be anonymized (display name removed) rather than deleted, to preserve the integrity of group prediction histories.
• Session data — Authentication sessions stored in Redis expire automatically after thirty (30) days of inactivity. Anonymous session cookies expire after one (1) year.

9. Children’s Privacy

The Service is not directed at children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].

10. SMS Notifications

If you choose to provide a phone number for SMS notifications, you consent to receiving service-related text messages including prediction updates, resolution reminders, and group activity alerts. Standard message and data rates from your carrier may apply.

You may opt out of SMS notifications at any time by:

• Replying STOP to any SMS message from StakeLink
• Updating your notification preferences in your account settings
• Contacting us at [email protected]

After opting out, you will receive a single confirmation message acknowledging your opt-out request. You will not receive any further SMS messages unless you re-subscribe.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

[email protected]