Privacy Policy

We collect information you provide directly: your name, email address, school, sport, graduation year, and social media handles. When you use NilPilot, we also collect usage data: pages visited, features used, deal data you enter, NIL valuation history, and profile completeness scores. For security purposes, we log login timestamps and IP addresses.

Your data powers your experience: personalizing your NIL valuation dashboard, building your media kit, tracking your deal pipeline, and surfacing market rate benchmarks relevant to your sport and conference. We also use your email to send important account notifications (security alerts, subscription updates). We do not send marketing emails without your explicit opt-in.

We use aggregated, anonymized data to improve platform accuracy — for example, improving valuation models based on trends across all athletes. Individual data is never used in these aggregates without anonymization.

We never sell your individual data. Period.

Anonymized aggregate benchmarks (e.g., "average NIL value for wide receivers at Power 5 schools") may be displayed platform-wide if you've opted in via your account settings. These benchmarks contain no personally identifiable information.

We may share data with:

• Service providers who help run the platform (hosting, email delivery, analytics) — under strict data processing agreements.
• Law enforcement when required by valid legal process.
• Acquirers if NilPilot is acquired — you'll be notified and given the option to delete your data.

If you're a California resident, you have the right to:

• Know what personal data we hold about you.
• Delete your personal data (with limited exceptions for legal obligations).
• Opt out of any data sharing (beyond what's required to provide the service).
• Non-discrimination — we won't treat you differently for exercising these rights.

For athletes in the European Union (including Italy, where our team is based), we process your data under:

• Consent — for optional features like benchmark sharing.
• Contract performance — to provide the services you signed up for.
• Legitimate interests — for security logging and fraud prevention.

Your rights include access, rectification, erasure ("right to be forgotten"), data portability, and the right to object. Contact our data representative at nilpilot@polsia.app for any EU/GDPR requests.

NilPilot requires users to be 18 or older, or to have verifiable parental/guardian consent. Many college athletes are 18–22; some freshmen may still be 17. If a minor is using NilPilot with parental consent, the parent/guardian accepts our Privacy Policy on the athlete's behalf.

We do not knowingly collect data from children under 13. If we become aware of such data, we delete it immediately.

NilPilot uses only:

• Session cookies — required for login authentication. Without these, you cannot stay logged in.
• Preference cookies — to remember UI settings (optional, deletable).

We do NOT use:

• Third-party advertising cookies.
• Social media tracking pixels (Meta Pixel, Twitter Pixel, etc.).
• Cross-site tracking of any kind.
• Google Analytics or similar behavioral tracking tools.

We keep your data as long as your account is active. If you delete your account:

• Personal profile data is removed within 30 days.
• Anonymized contribution to aggregate benchmarks may persist (no PII).
• Backup copies are purged within 90 days per our backup rotation policy.

We protect your data with:

• bcrypt password hashing (salt rounds: 12).
• HTTPS everywhere — TLS 1.2+ on all connections.
• Encrypted sessions — server-side, PostgreSQL-backed.
• Regular dependency audits — automated vulnerability scanning.
• IP-based rate limiting — on login and signup endpoints.
• Anomaly detection — failed login monitoring and trust scoring.

For privacy questions, data requests, or to exercise your rights, reach out directly — no ticket system, no bots.

Use subject line "Privacy Inquiry" or "Data Request" to help us route your message. We respond within 5 business days for general inquiries and 45 days for formal CCPA/GDPR requests.