Privacy Policy

1. Introduction

By using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. Where applicable law requires express consent for specific uses, we will obtain that consent before relying on it.

SimTheGame is operated from Ontario, Canada. The Service is available to users worldwide, including a large U.S. user base. Your personal information may be processed in Canada, the United States, and other countries where our service providers operate.

2. Definitions

"Personal information" means information about an identifiable individual, as defined under PIPEDA. It does not include the name, title, business address, or telephone number of an employee of an organization, nor information that has been irreversibly aggregated or anonymized. For users in the EU/UK, "personal information" includes any information meeting the definition of "personal data" under the GDPR or UK GDPR. For U.S. state-law purposes, "personal information" has the meaning given in the applicable state statute.

"Service provider" means a third party that processes personal information on our behalf and only for our specified purposes.

3. Information we collect

We collect personal information in three ways: information you provide to us directly, information collected automatically when you use the Service, and information we receive from third parties.

3.1 Information you provide directly

• Account information: your name, email address, and (via Clerk, our authentication provider) any sign-in identifiers Clerk passes to us (e.g., Google account ID, profile name).
• Subscription and billing information: billing address, plan selection, transaction history. We do not collect or store your full payment card number, CVV, or banking credentials. Those are handled directly by Stripe under Stripe's own privacy policy.
• Communications: the content of emails or support messages you send to us, including any personal information you choose to include.
• Preferences: settings you save in the Service, such as your timezone and tier.

3.2 Information collected automatically

• Device and connection data: IP address, browser type and version, operating system, device identifiers, screen resolution, time zone, language preference, and referring URL.
• Usage data: pages or screens viewed, simulations you run, matchups you open, refreshes, time and duration of sessions, click events, and feature interactions.
• Cookies and similar technologies: small data files stored in your browser that help us authenticate sessions, remember preferences, and analyze how the Service is used. See Section 8.

3.3 Information from third parties

• Clerk (authentication): when you sign in, Clerk shares your verified email address, name (if available), unique user identifier, and authentication status with us.
• Stripe (payment processing): when you subscribe, Stripe shares limited information about the transaction (e.g., last four digits of card, card brand, billing country, payment status, subscription identifiers).
• Sportsbook odds aggregators: these are not personal-information sources about you, but they provide the market data the Service simulates against.

3.4 Sensitive information

We do not knowingly collect sensitive categories of personal information (such as government identification numbers, health information, biometric data, or precise geolocation). Please do not submit such information to us.

3.5 Children

The Service is not directed to, and we do not knowingly collect personal information from, children under the age of eighteen (18). For U.S. users this includes compliance with the Children's Online Privacy Protection Act (COPPA), which restricts the collection of personal information from children under thirteen (13). For users in jurisdictions where the digital age of consent under data-protection law is sixteen (16) or another age below eighteen (18), we still apply the eighteen (18) minimum because the Service is intended for adults. If you believe a child has provided personal information to us, contact us at [email protected] and we will delete the information.

4. Why we collect and use personal information

We use personal information for the following purposes, each supported by a legal basis under PIPEDA (consent, contractual necessity, legal obligation, or legitimate interests) and under the GDPR / UK GDPR where applicable:

1. Providing the Service. Creating and maintaining your account, authenticating you, processing your subscription, running simulations you request, and delivering features.
2. Billing and payments. Charging your subscription fees through Stripe, calculating taxes, sending receipts and renewal notices, and handling refunds and disputes.
3. Communicating with you. Sending transactional emails (receipts, password resets, security alerts, service announcements, policy updates) and, with your express consent, marketing or promotional emails.
4. Improving the Service. Analyzing usage patterns, monitoring performance, debugging issues, testing new features, and producing aggregated, de-identified insights.
5. Security and fraud prevention. Detecting, preventing, and investigating fraudulent, unauthorized, or unlawful activity, and protecting the integrity of our systems and other users.
6. Compliance. Complying with applicable laws, regulations, court orders, lawful requests from authorities, and our own legal and audit obligations.
7. Business operations. Managing internal records, supporting corporate transactions (such as financings or sales of all or substantially all of our assets), and pursuing legitimate business interests that are not overridden by your privacy rights.

We will not use personal information for purposes materially different from those described in this Privacy Policy without first notifying you and, where required, obtaining your consent.

5. How we share personal information

We do not sell your personal information. We do not "share" your personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA.

We share personal information only in the following circumstances:

5.1 Service providers

We share personal information with third-party service providers that perform services on our behalf, subject to contractual obligations that require them to protect the information and use it only for the purposes we authorize. Our current key service providers include:

We do not transmit user account information to The Odds API. We may engage additional service providers from time to time; material changes to this list will be reflected in updates to this Privacy Policy.

5.2 Legal and regulatory disclosures

We may disclose personal information without your consent where permitted or required by law, including:

• to comply with a subpoena, court order, search warrant, or other legal process;
• to comply with a lawful request from a government, regulator, or law-enforcement authority;
• to investigate, prevent, or take action regarding suspected illegal activity, fraud, breach of our Terms, or threats to the rights, property, or safety of SimTheGame, our users, or the public;
• to enforce or apply our Terms and Conditions, or other agreements;
• in connection with an investigation conducted by the Office of the Privacy Commissioner of Canada, a state attorney general, or another regulator.

5.3 Business transfers

If SimTheGame is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of all or substantially all of its assets, or transition of service to another provider, your personal information may be transferred to the successor or acquirer as part of that transaction. We will use reasonable efforts to notify you of any such transfer and any material change to applicable privacy practices.

5.4 With your consent

We will share your personal information for any other purpose with your express consent.

6. Retention

We retain personal information only for as long as is reasonably necessary to fulfill the purposes for which it was collected, including:

• the duration of your account;
• a reasonable period after account closure (typically up to twelve (12) months for active accounts and longer where required for legal, regulatory, accounting, or audit purposes, including tax records that under Canadian law generally require retention for at least six (6) years);
• the period during which a legal claim could arise from your use of the Service.

Backup copies of personal information may be retained for a longer period for disaster-recovery purposes, after which they are securely deleted or de-identified. Aggregated and de-identified data, which cannot be linked back to you, may be retained indefinitely. You may request deletion of your personal information as described in Section 9.

7. Cookies and similar technologies

The Service uses cookies and similar tracking technologies to:

• maintain your session and keep you signed in;
• remember preferences such as timezone;
• understand how the Service is used (analytics);
• detect and prevent fraud and security incidents.

Cookies we use generally fall into the following categories:

• Strictly necessary cookies: required for the Service to function (authentication, security). These cannot be disabled without breaking the Service.
• Preference cookies: remember your settings between sessions.
• Analytics cookies: help us understand aggregate usage patterns.

You can usually configure your browser to refuse or delete cookies. Doing so may impair the functionality of the Service.

"Do Not Track" and Global Privacy Control. The Service does not respond to legacy "Do Not Track" headers because no industry-standard mechanism has been agreed for honouring them. Where required by applicable U.S. state law, the Service treats Global Privacy Control (GPC) browser signals as a valid opt-out of the "sale" or "sharing" of personal information; as noted in Section 9.8, we do not currently sell or share personal information.

8. Your rights and choices

Subject to applicable law and reasonable identity verification, you have the following rights with respect to your personal information.

8.1 Access

You may request a copy of the personal information we hold about you, including information about how we have used and disclosed it. We may charge a minimal fee where permitted by law for processing voluminous or repetitive requests.

8.2 Correction

You may request that we correct inaccurate or incomplete personal information. Where the information cannot be corrected (for example, where third-party records are at issue), we will note your concern in our records.

8.3 Withdrawal of consent

You may withdraw your consent to our collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent may affect your ability to use some or all of the Service.

8.4 Marketing opt-out

You may opt out of marketing communications at any time using the unsubscribe link in any marketing email or by contacting us at [email protected]. Opting out of marketing does not affect transactional or account-related communications.

8.5 Deletion

You may request deletion of your account and associated personal information. We will action deletion requests within thirty (30) days, subject to retention obligations described in Section 6 (for example, tax records and dispute-resolution records).

8.6 How to make a request

Send your request, with sufficient information to verify your identity and the scope of the request, to [email protected]. We will respond within thirty (30) days. If we need to extend the response period, we will tell you and explain why.

8.7 If you are a United States resident

If you are a resident of the United States, you have rights under federal law and your state's privacy laws, including (where applicable) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), the Texas Data Privacy and Security Act ("TDPSA"), the Oregon Consumer Privacy Act ("OCPA"), the Montana Consumer Data Privacy Act ("MCDPA"), the Delaware Personal Data Privacy Act ("DPDPA"), the Iowa Consumer Data Protection Act ("ICDPA"), the Tennessee Information Protection Act ("TIPA"), the New Hampshire Privacy Act, the Maryland Online Data Privacy Act, the New Jersey Data Privacy Act, the Minnesota Consumer Data Privacy Act, the Indiana Consumer Data Protection Act, and the Rhode Island Data Transparency and Privacy Protection Act, in each case as in effect from time to time.

Subject to applicable law and reasonable identity verification, your rights as a U.S. resident generally include the rights to:

1. Know and access the categories and specific pieces of personal information we collect, the sources, the business purposes, and the categories of third parties with whom we share that information;
2. Correct inaccurate personal information;
3. Delete personal information, subject to legally required retention exceptions;
4. Data portability: receive a copy of your personal information in a portable, machine-readable format;
5. Opt out of (i) the "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined under the CCPA/CPRA); (ii) targeted advertising (we do not engage in cross-context behavioural advertising); and (iii) certain profiling that produces legally or similarly significant effects (we do not engage in such profiling);
6. Limit use and disclosure of sensitive personal information (we do not knowingly collect sensitive personal information beyond limited authentication identifiers);
7. Non-discrimination: we will not deny goods or services, charge different prices, or provide a different level of quality solely because you exercised a privacy right.

Categories of personal information collected (CCPA notice at collection). In the preceding twelve (12) months, we have collected the following statutory categories of personal information about U.S. residents, as listed in Cal. Civ. Code § 1798.140: identifiers (name, email, IP address, account ID); commercial information (subscription tier, transaction history); internet or other electronic network activity (usage logs, session data); geolocation data (approximate, derived from IP); inferences (derived preferences). We do not collect biometric information, racial or ethnic origin, religious or philosophical beliefs, trade-union membership, genetic data, precise geolocation, sex-life or sexual-orientation data, or information about a known child under 16.

Sources, purposes, retention. Sources, business purposes, and retention windows for each category are described in Sections 3, 4, and 6 of this Privacy Policy.

No sale or sharing. We do not sell personal information for monetary or other valuable consideration, and we do not "share" personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA. Because we do not sell or share personal information, no "Do Not Sell or Share My Personal Information" link is required.

Global Privacy Control. Where required by applicable state law, we treat Global Privacy Control ("GPC") browser signals as an opt-out of sale/share, even though we do not sell or share personal information.

California "Shine the Light" (Cal. Civ. Code § 1798.83). California residents may request information about our disclosures of personal information to third parties for the third parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

Authorized agents. You may designate an authorized agent to exercise your rights on your behalf. We may require you and your agent to provide written authorization and verification of identity before acting on the request.

Appeals. Residents of states whose privacy laws require an appeals process (including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Tennessee, and New Jersey) may appeal a denial of their privacy-rights request by replying to our response email or contacting us at [email protected]. We will respond to your appeal within the timeline required by applicable law (typically forty-five (45) or sixty (60) days).

How to exercise your U.S. rights. Submit a request via email to [email protected] with the subject line "Privacy Rights Request" and indicate the right you wish to exercise and the state in which you reside. We will respond within forty-five (45) days of receipt, extendable once by an additional forty-five (45) days where reasonably necessary, with notice to you.

9. Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, loss, and destruction. These safeguards include:

• transport-layer encryption (HTTPS/TLS) for data in transit;
• encryption at rest for stored personal information where supported by the underlying provider;
• access controls and authentication for our systems;
• segregation of payment information through Stripe so that we do not handle full card details;
• regular review of our security practices.

No method of transmission over the internet or method of electronic storage is one hundred percent secure. We cannot guarantee absolute security of your personal information.

In the event of a privacy breach that creates a real risk of significant harm, we will notify affected users and the Office of the Privacy Commissioner of Canada in accordance with PIPEDA's breach-reporting requirements, and notify other regulators (such as state attorneys general and EU supervisory authorities) where required.

10. Automated decision-making and profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. The Service's simulation outputs are mathematical translations of priced markets and are not used to make decisions about individual users.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make a material change, we will provide notice through the Service or by email (if you have provided one) before the change takes effect. The "Last updated" date at the top of this Privacy Policy reflects the most recent revision.

Your continued use of the Service after the effective date of an update constitutes your acceptance of the updated Privacy Policy.