Privacy Policy

1. Introduction

Welcome to Guru Sports (“we,” “our,” or “us”). Guru Sports operates AI-powered sports analytics applications, including The Projection (fantasy sports analytics) and The Spread Engine (sports betting intelligence), as well as our website at gurusports.io and related services (collectively, the “Services”).

This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you access or use our Services. It also describes your rights and choices regarding your personal information.

We are committed to protecting your privacy and handling your data transparently and responsibly. By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

For questions or concerns about this Privacy Policy, contact us at privacy@gurusports.io.

2. Data Controller

Guru Sports is the data controller responsible for your personal information collected through our Services. Our contact details are:

• Guru Sports
• Email: privacy@gurusports.io
• Website: gurusports.io

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, our designated contact for data protection inquiries is reachable at dpo@gurusports.io. See Section 13 for additional details regarding your GDPR rights.

3. Information We Collect

We collect personal information through several channels. The following sections describe each category in detail.

3.1 Information You Provide Directly

• Account registration: Name, email address, username, and password when you create an account.
• Profile configuration: Favorite teams, preferred leagues (NFL, NBA, MLB, college sports), notification preferences, and analytics settings.
• Payment information: Billing name, billing address, and payment method details. Full payment card numbers are processed by our PCI-compliant third-party payment processors (e.g., Stripe) and are never stored on our servers. We retain only the last four digits of your card number and transaction metadata.
• Communications: Messages, feedback, support tickets, survey responses, and any other information you send to us directly.
• User-generated inputs: Projection queries, model parameters, saved analyses, lineup configurations, betting model inputs, and other selections you make within our analytics tools.

3.2 Information Collected Automatically

When you access or use our Services, we automatically collect certain information through cookies, log files, and similar technologies:

• Device information: Device type, manufacturer, model, operating system and version, browser type and version, screen resolution, and device identifiers.
• Usage data: Pages and screens viewed, features used, session duration and frequency, click and tap patterns, search queries within our tools, projection and model interaction data, navigation paths, and referral/exit pages.
• Log data: IP address, access timestamps, HTTP request method, response status codes, referring URLs, and error/crash logs.
• Location data: Approximate geographic location derived from your IP address (city/region level). We do not collect precise GPS location data.
• Cookies and tracking technologies: Session identifiers, authentication tokens, preference settings, and analytics data. See Section 9 for our complete Cookie Policy.

3.3 Information from Third Parties

• Single sign-on providers: If you sign in via Google, Apple, or another OAuth provider, we receive your name, email address, and profile photo (if available) as authorized by your settings with that provider.
• Analytics partners: Aggregated usage and performance data from analytics services (e.g., Google Analytics, Mixpanel) that help us understand how users interact with our Services.
• Sports data providers: Publicly available and licensed sports statistics, scores, odds, and related data that power our analytics products. This data does not contain personal information.
• Advertising and attribution partners: Campaign performance data and referral information, if applicable.

3.4 Sensitive Data

We do not intentionally collect sensitive personal data (also known as special category data under GDPR), such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or sexual orientation. If you voluntarily provide such information (e.g., in a support message), we will treat it with heightened care and will not use it for any purpose other than responding to your inquiry.

4. How We Use Your Information

The following table summarizes the categories of personal data we process, the purposes for processing, and the applicable legal basis (where GDPR applies). Further detail on GDPR legal bases is provided in Section 13.

4.1 Additional Processing Purposes

In addition to the purposes listed above, we may use your information to:

• Develop, test, and improve our machine learning models and analytical algorithms using aggregated and anonymized data.
• Conduct internal research and statistical analysis to improve the accuracy of our projections and analytics.
• Send transactional communications, including account confirmations, subscription receipts, and service-related alerts.
• Send promotional communications about new features, products, or offers, with your consent where required by applicable law.
• Detect, investigate, and prevent fraudulent, unauthorized, or illegal activity.
• Comply with legal obligations, respond to lawful requests from public authorities, and enforce our Terms and Conditions.
• Protect the rights, property, and safety of Guru Sports, our users, and the public.

5. How We Share Your Information

We do not sell your personal information to third parties. We may share your information in the following limited circumstances:

5.1 Service Providers (Sub-Processors)

We engage third-party service providers to perform functions on our behalf. These providers are contractually obligated to process your data only as instructed by us and to maintain appropriate security measures. Current categories of service providers include:

• Cloud infrastructure and hosting (e.g., AWS, Supabase, Railway, Vercel)
• Payment processing (e.g., Stripe)
• Email and communication services (e.g., SendGrid, Resend)
• Analytics and monitoring (e.g., Google Analytics, Mixpanel, Sentry)
• Customer support tools
• Authentication services

A current list of sub-processors is available upon request by contacting privacy@gurusports.io.

5.2 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar corporate transaction, your personal information may be transferred as part of that transaction. We will provide notice before your personal information becomes subject to a different privacy policy.

5.3 Legal Requirements and Protection of Rights

We may disclose your information if we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or enforceable governmental request.
• Enforce our Terms and Conditions or other agreements.
• Detect, prevent, or address fraud, security, or technical issues.
• Protect the rights, property, or safety of Guru Sports, our users, or the public.

5.4 With Your Consent

We may share your information for purposes not described in this Privacy Policy with your explicit consent.

5.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This data may be used for industry analysis, research, marketing, or other business purposes.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. The following table outlines our standard retention periods:

When personal data is no longer required, we securely delete or irreversibly anonymize it. Anonymized data may be retained indefinitely for statistical and analytical purposes.

7. Data Security

We implement commercially reasonable technical, administrative, and organizational measures to protect your personal information, including:

• Encryption: Data encrypted in transit using TLS 1.2+ and at rest using AES-256 or equivalent.
• Access controls: Role-based access controls, principle of least privilege, and multi-factor authentication for administrative access.
• Infrastructure security: Hosted on SOC 2 compliant cloud infrastructure with network segmentation, firewalls, and intrusion detection systems.
• Password security: User passwords are hashed using industry-standard algorithms (e.g., bcrypt) and are never stored in plaintext.
• Monitoring: Continuous monitoring for security incidents, anomalous access patterns, and unauthorized data access.
• Vendor security: Third-party service providers are evaluated for their security practices and are required to maintain appropriate safeguards.
• Incident response: Documented incident response procedures to address and mitigate security breaches promptly.

Despite these measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of your information and encourage you to use strong, unique passwords and to keep your login credentials confidential.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR or other applicable law.
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
• Document the breach, its effects, and the remedial actions taken, in accordance with our internal incident response procedures.

Notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our Services. This section describes the types of cookies we use and your choices regarding them.

9.1 Types of Cookies

• Strictly necessary cookies: Essential for core functionality, including authentication, session management, security, and load balancing. These cookies cannot be disabled without impairing the Services.
• Functional/preference cookies: Remember your settings, preferences, and choices (e.g., language, timezone, favorite teams) to provide a personalized experience.
• Analytics/performance cookies: Collect information about how you use our Services, such as pages visited, session duration, and error reports. We use this data to improve performance and user experience. These may include third-party analytics tools such as Google Analytics.
• Marketing/advertising cookies: Used to deliver relevant advertisements and measure campaign effectiveness. These cookies may track your browsing activity across websites. We will only set marketing cookies with your explicit consent.

9.2 Cookie Consent and Management

When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or reject non-essential cookies. You can update your preferences at any time through our cookie settings panel or your browser settings.

Strictly necessary cookies do not require consent, as they are essential for the basic operation of our Services. All other cookies require your affirmative consent before being placed on your device, in accordance with the ePrivacy Directive and GDPR.

Most browsers allow you to block or delete cookies through their settings. However, disabling certain cookies may limit your ability to use some features of our Services.

9.3 Do Not Track

Some browsers send a “Do Not Track” (DNT) signal. There is currently no industry standard for how to respond to DNT signals. We do not currently respond to DNT signals, but we honor cookie preferences set through our consent management tools.

10. Automated Decision-Making and Profiling

Our Services use machine learning models and statistical algorithms to generate sports projections, analytics, and insights. This section explains how automated processing applies to your data.

10.1 How We Use Automated Processing

• Our ML models process publicly available sports data (player statistics, team records, game results, odds) to generate projections and analytics.
• Your profile preferences (favorite teams, leagues) are used to personalize the content and analytics displayed to you.
• Usage patterns may be analyzed to recommend features or content we believe will be relevant to you.

10.2 Impact and Safeguards

Our automated processing is designed to enhance your experience with our Services and does not produce legal or similarly significant effects on you. Specifically:

• Projections and analytics are provided for informational and entertainment purposes only and are not intended to constitute financial, betting, or legal advice.
• No automated decisions are made that would have legal effects or significantly affect your rights (e.g., we do not use automated processing to determine account eligibility or pricing on an individual basis).
• You are free to accept, reject, or disregard any analytics or projections generated by our models.

10.3 Your Rights Regarding Automated Decisions

Under GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. If you believe any automated decision has significantly affected you, you may contact us at privacy@gurusports.io to request human review of the decision.

11. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information. To exercise any of these rights, contact us at privacy@gurusports.io.

11.1 Rights Available to All Users

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete personal information.
• Deletion: Request that we delete your personal information, subject to certain legal exceptions (e.g., data we are required to retain for legal compliance).
• Data portability: Request a copy of your data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV).
• Marketing opt-out: Opt out of marketing communications at any time by following the unsubscribe link in our emails, adjusting your notification settings, or contacting us.
• Cookie preferences: Manage your cookie settings through our consent management tool or your browser settings.
• Account deletion: Delete your account through your account settings or by contacting us. We will process your request in accordance with Section 6 (Data Retention).

11.2 Additional Rights for EEA, UK, and Swiss Residents

If you are located in the EEA, UK, or Switzerland, you have additional rights under GDPR, as described in Section 13.

11.3 Response Timeframe

We will acknowledge your request within 5 business days and respond substantively within 30 days. If we require additional time (up to 60 additional days for complex requests), we will notify you of the extension and the reasons for it.

We may ask you to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act.

12. Jurisdiction-Specific Provisions

12.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we share your personal information.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to correct: You may request correction of inaccurate personal information.
• Right to opt out of sale/sharing: We do not sell your personal information or share it for cross-context behavioral advertising purposes. No opt-out is necessary, but we will honor any Global Privacy Control (GPC) signals sent by your browser.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise your California privacy rights, contact us at privacy@gurusports.io or submit a request through our website. We will verify your identity using information associated with your account.

12.2 Other U.S. State Privacy Laws

Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, and others) may have similar rights to access, correct, delete, and port their personal information, as well as the right to opt out of targeted advertising and profiling. To exercise these rights, contact us at privacy@gurusports.io.

13. GDPR – Additional Information for EEA, UK, and Swiss Residents

This section provides additional information required by the General Data Protection Regulation (EU GDPR and UK GDPR) for individuals located in the European Economic Area, United Kingdom, and Switzerland.

13.1 Data Controller

Guru Sports is the data controller for the personal data processed through our Services. You may contact us regarding data protection matters at dpo@gurusports.io.

13.2 Lawful Bases for Processing

We process your personal data on the following legal bases under Article 6(1) of the GDPR:

• (a) Consent (Article 6(1)(a)): Where you have given clear, affirmative consent to process your personal data for specific purposes, such as marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• (b) Contract performance (Article 6(1)(b)): Processing necessary for the performance of our contract with you, including creating and managing your account, providing our analytics Services, processing payments, and delivering the features you have subscribed to.
• (c) Legal obligation (Article 6(1)(c)): Processing necessary to comply with our legal obligations, such as tax reporting, fraud prevention, and responding to lawful requests from authorities.
• (f) Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include improving and securing our Services, conducting analytics on aggregated data, preventing fraud, and marketing our Services to existing customers. You have the right to object to processing based on legitimate interests (see Section 13.4).

The specific legal basis applicable to each data processing activity is identified in the table in Section 4.

13.3 International Data Transfers

Your personal data may be transferred to and processed in countries outside the EEA, UK, or Switzerland, including the United States, where our servers and some of our service providers are located. When we transfer personal data outside these jurisdictions, we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
• UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as applicable.
• Additional supplementary measures where required by the transfer risk assessment.
• Adequacy decisions by the European Commission or UK Secretary of State, where applicable.

You may request a copy of the relevant transfer safeguards by contacting us at dpo@gurusports.io.

13.4 Your GDPR Rights

In addition to the general rights described in Section 11, individuals in the EEA, UK, and Switzerland have the following rights under GDPR:

• Right to restriction of processing (Article 18): You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when you have objected to processing pending verification of our legitimate grounds.
• Right to object (Article 21): You have the right to object to processing of your personal data based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
• Right to object to direct marketing: You have an absolute right to object to the processing of your personal data for direct marketing purposes at any time, including profiling related to such marketing.
• Right related to automated decision-making (Article 22): See Section 10 for details on our use of automated processing and your related rights.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state or UK territory where you reside, work, or where the alleged infringement took place. A list of EU data protection authorities is available at https://edpb.europa.eu. For the UK, you may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk.

13.5 Data Protection Impact Assessments

Where our processing activities are likely to result in a high risk to the rights and freedoms of individuals, we conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR. This includes assessments of our machine learning models and any new processing activities involving large-scale or sensitive data.

13.6 Sub-Processor Management

We maintain written data processing agreements with all sub-processors in accordance with Article 28 of the GDPR. These agreements require sub-processors to process personal data only on our documented instructions, maintain appropriate security measures, assist with data subject rights requests, and delete or return personal data upon termination of services.

We will provide reasonable notice before engaging a new sub-processor that processes EU/UK personal data. A current list of sub-processors is available upon request at dpo@gurusports.io.

14. Children’s Privacy

Our Services are not directed to individuals under the age of 18 (or under the age of 16 in the EEA, where applicable). We do not knowingly collect personal information from children. If you are a parent or guardian and believe that a child has provided us with personal information, please contact us at privacy@gurusports.io and we will take prompt steps to delete such information and terminate the child’s account.

15. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services not operated by us, including sports data providers, sportsbooks, fantasy sports platforms, and social media networks. We are not responsible for the privacy practices, content, or security of these third-party services.

We encourage you to review the privacy policies of any third-party services before providing them with your personal information. The inclusion of a link to a third-party service does not imply endorsement by Guru Sports.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Services. When we make material changes, we will:

• Post the updated Privacy Policy on our website with a new Effective Date and Last Updated date.
• Notify you by email (if you have an account) or through a prominent notice in our Services at least 30 days before the changes take effect, where required by applicable law.
• Where required by GDPR, obtain your consent to any material changes that affect the legal basis for processing your data.

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after the effective date of any updated Privacy Policy constitutes your acceptance of the changes, except where consent is specifically required.

Previous versions of this Privacy Policy are available upon request.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can reach us through the following channels:

General Privacy Inquiries

Guru Sports

Email: privacy@gurusports.io

Website: gurusports.io

Data Protection / GDPR Inquiries

Email: dpo@gurusports.io

We aim to respond to all inquiries within 5 business days.