← Back to StreamCaddy

Privacy Policy

Version: privacy-policy-v1 · Effective: June 1, 2026

1. What Data We Collect

Information you provide

  • Email address — used to create and identify your account
  • ZIP code — entered manually; used to resolve your local broadcast market (DMA) for blackout and availability calculations. We do not use GPS or device location.
  • Followed teams — the sports teams you select; used to personalize game recommendations
  • Streaming service subscriptions — the services you tell us you have; used to calculate your current watchability and suggest improvements

Information collected automatically

  • Session tokens — short-lived authentication tokens stored in your browser's local storage; used to keep you signed in
  • Usage analytics — page views, feature interactions, and session identifiers collected via Vercel Analytics; used to understand how the product is used and to improve it
  • Affiliate click data — when you click a recommendation link on the Improve My Setup tab, we record which link was clicked; used to track affiliate commissions and understand which recommendations are acted on

2. What We Do Not Collect

  • Payment or credit card information
  • Social security numbers or government-issued IDs
  • Health or medical information
  • Social media profiles or contacts
  • Precise GPS or device location — only ZIP code, entered by you
  • Address book or contact list

Advertising and tracking we do not use

StreamCaddy does not use Meta/Facebook Pixel, Google Ads remarketing tags, or any third-party advertising network pixels. We do not participate in programmatic advertising, retargeting, or cross-site tracking. Our analytics are first-party only and are never shared with ad networks.

3. How We Use Your Data

  • Personalization — your teams, ZIP, and subscriptions are used to compute which games you can watch and to recommend streaming changes
  • Service improvement — usage analytics help us understand which features are working and where users encounter friction
  • Affiliate tracking — click data on recommendation links is used to attribute commissions from affiliate partnerships
  • Authentication — session tokens authenticate you with the StreamCaddy backend; they are not used for any other purpose

4. Data Storage and Infrastructure

StreamCaddy's frontend is hosted on Vercel. The API server is hosted on Railway. User data is stored in a PostgreSQL database provided by Neon. Caching is handled by Upstash Redis. All services are U.S.-based. Data is transmitted over encrypted HTTPS connections.

5. Third-Party Services

StreamCaddy uses the following third-party services:

  • Vercel — frontend application hosting and edge delivery
  • Railway — API server hosting
  • Neon — PostgreSQL database hosting
  • Upstash — Redis caching and rate limiting
  • PostHog — first-party product analytics (page views, feature usage). Data is not shared with advertising networks.
  • Google Analytics (GA4) — acquisition analytics only (page views, signup events). No remarketing or ad targeting enabled.
  • Sentry — error monitoring and performance tracking. Captures error context (page URL, browser type) but not personal data.
  • Google — Google OAuth for sign-in (if you choose this method)
  • Apple — Apple Sign In (if you choose this method)
  • Affiliate networks — attribution for outbound recommendation links

Each of these services has its own privacy policy. StreamCaddy does not control how these services handle data that is transmitted to them as part of their normal operation.

6. Data Sharing

We do not sell your personal data to third parties. We share data only with the service providers listed above, and only to the extent necessary to operate the service. We do not share your teams, ZIP, or subscription data with advertisers, data brokers, or marketing platforms.

7. Data Retention

We retain your data for as long as your account is active. Specific retention periods:

  • Account data (email, teams, ZIP, subscriptions) — retained until you delete your account
  • Watchability decision logs — 2 years; anonymized (user ID removed) after account deletion
  • Consent records — 7 years (legal compliance requirement)
  • Financial/savings records — 7 years (audit requirement)
  • Usage analytics — retained in aggregate form; individual session data expires per PostHog/GA4 default retention policies

Upon account deletion, personal data is removed within 45 days. Audit records (decision logs, consent history) are anonymized rather than deleted to preserve system integrity for accuracy measurement and legal compliance.

8. Your Rights (CCPA — California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know — you can request a description of the categories and specific pieces of personal information we have collected about you
  • Right to deletion — you can request deletion of your personal information, subject to certain exceptions
  • Right to opt out of sale — we do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link and update this policy
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights

To exercise any of these rights, contact us at [email protected].

9. Data Deletion

To request deletion of your account and associated data, email [email protected] with the subject line "Data Deletion Request." We will confirm receipt and process your request within 30 days.

10. Children's Privacy

StreamCaddy is not directed at children under the age of 13 and does not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, contact us at [email protected].

11. Security

We use encrypted HTTPS connections for all data in transit, and store authentication tokens using industry-standard practices. No security measure is perfect — if you discover a security vulnerability, please disclose it responsibly by contacting [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

13. Contact

Privacy questions or requests? Contact us at [email protected].