00 Plain-English summary
- We collect the minimum data needed to run SmarterPicks: your Whop account info (email, name, user ID, subscription status), your IP address for rate-limiting our APIs, and — if you opt in — your newsletter email.
- We don't see or store your payment card. Whop is the merchant of record and handles billing.
- We don't use Google Analytics, the Meta pixel, or any third-party advertising / tracking pixels. There are no advertising cookies on this site.
- Auth tokens stay in your browser's localStorage. We don't have a backend database of users.
- If you use the AI Pick Explainer chat, your questions and the pick context are sent to Anthropic to generate a reply. We don't store those conversations on our servers.
- You can request access, correction, deletion, or export of your data at any time — email privacy@smarterpicks.io.
- We do not sell or "share" your personal information for cross-context behavioral advertising. Ever.
01 Scope & who we are
This Privacy Policy describes how SmarterPicks ("SmarterPicks," "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit smarterpicks.io, the SmarterPicks Terminal, the members area, our newsletter, and any related pages (collectively, the "Service").
It applies to everyone who interacts with the Service — visitors, free-trial users, paying members, and anyone who emails us. It does not cover third-party sites we link to (Whop checkout, Discord, sportsbooks, news sources) — each of those is governed by its own privacy policy.
For the purposes of the EU/UK General Data Protection Regulation, SmarterPicks is the controller of the personal data described here.
02 Data we collect
Below is the full list. If a category isn't on this table, we don't collect it.
localStorage on your device:
- whop_token — short-lived Whop access token
- whop_refresh — refresh token used to renew the access token
- whop_user_id — your Whop user ID
- whop_user — your Whop user object (name, email, avatar URL)
- whop_access — your subscription access flag
sessionStorage.whop_pkce to hold a temporary PKCE state/verifier; it is cleared once the callback completes. These keys are read only by SmarterPicks JavaScript and sent only to whop.com APIs.
x-forwarded-for header. We hold it in an in-memory counter for at most one minute to enforce per-IP request limits and prevent abuse. It is not written to a database, logged persistently, or correlated with your account.
/api/newsletter endpoint forwards it (with your IP, for spam protection) to the email-service provider configured in our NEWSLETTER_WEBHOOK_URL environment variable — currently Beehiiv. We do not store newsletter signups on our infrastructure; the ESP is the system of record.
support@smarterpicks.io or privacy@smarterpicks.io, we receive your email address, the message content, and any attachments. We retain support correspondence for up to 24 months for service quality and dispute resolution unless you ask us to delete it sooner.
Data we explicitly don't collect
- Payment information. We never see your card number, CVV, billing ZIP, expiration date, or bank account info. Whop is the merchant of record.
- Betting history. We don't know which picks you placed, which sportsbook you used, how much you wagered, or whether you won.
- Location beyond country-level. We don't use precise geolocation, browser geolocation prompts, or any GPS/Wi-Fi-based location services.
- Device identifiers / fingerprints. No canvas, audio, font, or WebGL fingerprinting. No advertising IDs.
- Cross-site tracking. No Google Analytics, no Meta/Facebook Pixel, no TikTok Pixel, no LinkedIn Insight Tag, no advertising network tags.
- Biometric, health, religious, sexual-orientation, or political data. Never requested, never inferred.
03 How we use it
We use the data above only for these specific purposes:
- Provide the Service. Authenticate you, show you the right tier of content (free vs. members-only picks), display your name in the members area.
- Operate, secure, and improve the Service. Rate-limit APIs to prevent abuse, monitor uptime, debug errors, prevent fraud.
- Provide the AI Pick Explainer. Forward your chat input and the relevant pick context to Anthropic so the model can reply.
- Send transactional or service messages. Confirm a free-trial signup, notify you of policy changes, respond to your support emails. These are not marketing.
- Send the newsletter — only to addresses that opted in via the form. Every newsletter includes a one-click unsubscribe link.
- Comply with law. Respond to lawful requests, enforce our Terms, defend legal claims.
We do not use your data for: advertising profiling, automated decision-making with legal effects, training third-party AI models on your conversations, selling to data brokers, or any cross-context behavioral advertising.
04 Who we share with
We share personal data only with the service providers below — each acts as a processor (GDPR) / service provider (CCPA) on our behalf, under contractual terms restricting use to providing the contracted service. We do not sell personal information for monetary or other valuable consideration. We do not "share" it for cross-context behavioral advertising as those terms are defined under CPRA.
We may also disclose information if we believe in good faith it is necessary to (a) comply with a subpoena, court order, or other legal process; (b) enforce our Terms; (c) protect the rights, safety, or property of SmarterPicks, our users, or the public; or (d) facilitate a merger, acquisition, or asset transfer — in which case we will notify you in advance and your data will continue to be subject to a policy at least as protective as this one.
05 Legal basis (EU/UK GDPR)
If you are in the European Economic Area, United Kingdom, or Switzerland, Article 6 of the GDPR requires us to identify a legal basis for each processing activity:
- Performance of a contract (Art. 6(1)(b)) — authenticating you, granting access to members-only content, processing your free-trial or subscription, providing the AI Pick Explainer when you use it.
- Legitimate interests (Art. 6(1)(f)) — operating the Service, rate-limiting and security monitoring, responding to support requests, debugging errors. We have assessed these interests against your rights and concluded they are not overridden, but you may object at any time (see Section 10).
- Consent (Art. 6(1)(a)) — newsletter subscriptions, optional cookies if we ever add any. Withdrawing consent is one click in any email or via contact; withdrawal doesn't affect prior processing.
- Legal obligation (Art. 6(1)(c)) — responding to valid law-enforcement requests, financial recordkeeping if applicable.
06 Cookies, local storage & similar technologies
SmarterPicks does not set first-party cookies on its own domain. We use the browser's localStorage and sessionStorage for the keys enumerated in Section 2. These are strictly necessary for the Service to remember that you're signed in.
Third-party services we embed (Synthesia video player, if you click play; Google Fonts; Whop login flow on whop.com) may set their own cookies in your browser when their code runs. Those cookies are governed by their respective privacy policies linked in Section 4.
You can clear SmarterPicks storage at any time by signing out (which calls localStorage.removeItem on every whop_* key) or by clearing site data in your browser. We do not block functionality if you do — but you'll need to sign in again.
07 Retention
- Browser storage (auth tokens, user object): lives in your browser until you log out, clear site data, or the refresh token expires. We never see it server-side except when you initiate an API call that requires it.
- IP-based rate-limit counters: held in memory for the duration of the one-minute rolling window, then evicted.
- AI chat content: not retained on SmarterPicks servers after the response is returned. Anthropic's retention is governed by their policy and our API agreement with them.
- Newsletter subscriptions: held by Beehiiv for as long as you remain subscribed plus a short suppression-list period after unsubscribe.
- Support correspondence: up to 24 months, then deleted unless an open dispute requires longer retention.
- Server logs (Vercel): per Vercel's policy, typically up to 30 days.
- Whop-side account data: governed by Whop's retention policy. To delete data Whop holds, use Whop's own account deletion flow or contact them directly.
08 Security & breach notification
We protect personal data with technical and organizational measures appropriate to the risk:
- HTTPS / TLS 1.2+ on every page and API endpoint.
- OAuth 2.0 with PKCE for the Whop login flow — no password ever crosses our domain.
- API keys (Anthropic, The Odds API, newsletter webhook) are stored as encrypted environment variables in Vercel, never exposed to the client.
- No admin dashboard, no user database, no internal tooling that reads bulk user data — there is nothing to log into.
- Dependencies are kept current and the codebase is open to security reports.
If we learn of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Art. 33 and notify affected users without undue delay where required by Art. 34 or by applicable US state law.
09 International data transfers
SmarterPicks is operated from the United States. If you access the Service from outside the US, your information will be transferred to, processed in, and stored in the US and potentially other countries where our processors operate (e.g., Anthropic, Vercel, Whop, Beehiiv all process data primarily in the US).
For transfers from the EEA, UK, or Switzerland to the US, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission and the UK International Data Transfer Addendum where applicable, supplemented by the technical measures described in Section 8. Where our processors participate in the EU-US Data Privacy Framework, we rely on that adequacy decision in addition to SCCs.
You can request a copy of our SCC-backed agreements with a specific processor by emailing privacy@smarterpicks.io.
10 Your rights
Subject to applicable law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correct — fix anything inaccurate.
- Delete — request erasure of your data ("right to be forgotten"). Note: data held by Whop is subject to Whop's own deletion flow; we will delete what we control.
- Port — receive your data in a structured, machine-readable format (JSON), or have it transmitted to another controller where technically feasible.
- Object — to processing based on legitimate interests, including profiling (we don't profile, but the right exists).
- Restrict — pause processing while a dispute is resolved.
- Withdraw consent — at any time, without affecting prior processing.
- Lodge a complaint — with your local supervisory authority (EEA/UK) or attorney general (US states).
How to exercise these rights
Email privacy@smarterpicks.io from the email associated with your account. We will verify your identity (typically by sending a confirmation link to that address), respond within 30 days, and let you know if we need to extend by up to 60 more days for complex requests. There is no charge for the first request in a 12-month period.
You may use an authorized agent to submit a request on your behalf; we will require documentation of their authority and may verify directly with you.
11 California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you specific rights with respect to your personal information.
Categories collected in the last 12 months
- Identifiers — email, name, Whop user ID, IP address.
- Internet or electronic network activity — server logs (request URL, status, country, user agent).
- Inferences — none. We do not build profiles.
We collect these from you directly (when you sign up, type in chat, submit the newsletter form) and from Whop (when you authenticate via OAuth). The business purpose for each category is described in Section 3. The processors we disclose to are listed in Section 4.
"Sale" and "sharing" of personal information
SmarterPicks does not sell personal information for monetary or other valuable consideration. SmarterPicks does not "share" personal information for cross-context behavioral advertising as defined by CPRA. We have not done so in the preceding 12 months and have no plans to do so.
Because we do not sell or share, there is no "Do Not Sell or Share My Personal Information" link in our footer — there is nothing to opt out of. If we ever change that, we will add the link and disclose the change here.
Sensitive personal information
We do not collect, use, or disclose sensitive personal information beyond what is necessary to perform the service you requested (e.g., your account email). Accordingly, the right to limit use of sensitive PI under CPRA § 1798.121 does not apply, but you may still email us with any such request.
Your California rights
In addition to the rights in Section 10, you have the right to:
- Know what categories of personal information we have collected, the sources, the business purposes, and the categories of recipients.
- Delete personal information we collected from you, subject to permitted exceptions (e.g., security, debugging, legal obligations).
- Correct inaccurate personal information.
- Non-discrimination — we will not deny you the Service, charge you a different price, or provide a lower-quality experience because you exercised your rights.
- Use an authorized agent — see Section 10.
To submit a California rights request, email privacy@smarterpicks.io with the subject line "California Privacy Request." We will verify your identity using the email associated with your account.
Shine the Light
California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for direct-marketing purposes. We do not share personal information for third-party direct-marketing.
12 Other US state privacy laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, Rhode Island, Tennessee, or another US state with a comprehensive privacy law in effect, you have rights similar to those described in Sections 10 and 11 — including the right to access, correct, delete, port, and opt out of targeted advertising, sale, or certain profiling.
We do not engage in targeted advertising, do not sell personal data, and do not conduct profiling that produces legal or similarly significant effects, so the opt-outs available under these statutes have nothing to apply to today. If you still wish to file a request, email privacy@smarterpicks.io and we will respond within the statutory timeframe (typically 45 days, extendable by 45 more for complex requests).
You may appeal a decision regarding your request by replying to our response email; we will respond to the appeal within 60 days. If your appeal is denied you may contact your state Attorney General.
13 Age requirement & children
The Service is intended only for adults 21 years of age or older in jurisdictions where sports wagering is legal. We do not knowingly collect personal information from anyone under 21, and the Service is not directed at children under 16 within the meaning of GDPR Art. 8 or under 13 within the meaning of COPPA.
If we learn that we have collected personal information from a person under the required age without verifiable parental or guardian consent, we will delete it promptly. Parents or guardians who believe their child has provided us with personal information should email privacy@smarterpicks.io.
14 Do Not Track & Global Privacy Control
Some browsers transmit "Do Not Track" (DNT) or Global Privacy Control (GPC) signals. Because we do not sell or share personal information and do not run cross-site tracking, our handling does not change based on those signals — there is nothing for them to opt out of. We treat valid GPC signals received from California residents as a deemed opt-out request for any "sale" or "sharing" that might apply in the future.
15 Changes to this policy
If we materially change how we collect, use, or share personal information, we will:
- Update the "Last updated" date at the top of this page;
- Increment the version number;
- Post a notice on the homepage for at least 30 days following the change; and
- If the change is material and adverse, email everyone with an active account or newsletter subscription.
Prior versions are kept in the public GitHub repository where this Site lives, so the change history is auditable.
16 Contact & complaints
For any privacy question, request, or complaint:
Privacy contact
Email: privacy@smarterpicks.io
General support: support@smarterpicks.io
Security: security@smarterpicks.io
Postal mail: c/o SmarterPicks · 1207 Delaware Ave #1145 · Wilmington, DE 19806 · USA. (Mail-handling address; please prefer email for faster response.)
EEA/UK supervisory authority complaints: If you believe we have not handled your data properly, you have the right to lodge a complaint with your local data-protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents can complain to the Information Commissioner's Office at ico.org.uk.
US state attorneys general: Most US state privacy laws allow you to complain to your state attorney general. California residents can contact the California Privacy Protection Agency at cppa.ca.gov.