ONYX

Privacy Policy

Effective date: June 28, 2026

TL;DR -- Key Points
  • We collect your email address, auth data, and usage logs. No more than what is necessary to run the product.
  • Payment card data is handled entirely by Stripe. We never see or store it.
  • Your data is never sold, shared with advertisers, or used for marketing by third parties.

01 Overview

ONYX ("we," "us," or "our") operates onyxmlb.com. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have over your data. We keep it plain and direct -- no legalese padding.

By using the Service, you agree to the collection and use of information as described in this policy. If you disagree with any part of this policy, please discontinue use of the Service.

02 Information We Collect

Account information. When you create an account -- via email and password or Google OAuth -- we store your email address and authentication provider. Passwords are hashed using industry-standard cryptography and are never stored in plain text or accessible to us.

Usage and log data. We collect standard server-side logs including your IP address, browser type and version, pages visited, and request timestamps. This data is used for security monitoring, debugging, and product improvement. It is not sold or shared for advertising purposes.

Subscription and billing data. When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We receive and store only your subscription status, plan tier, and a Stripe customer reference ID. We never receive, see, or store your card number, CVV, or billing address. Stripe's handling of your payment data is governed by their own Privacy Policy at stripe.com/privacy.

Communication data. If you contact us by email, we retain the content of that correspondence to respond and improve support quality. We do not share support communications with third parties.

Cookies and session tokens. We use authentication cookies solely to maintain your logged-in session. These are strictly necessary and expire when you sign out. We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies of any kind.

03 How We Use Your Information

We use the information we collect only for the following purposes:

  • To authenticate you and maintain secure access to your account
  • To deliver the features and content associated with your subscription tier
  • To send transactional emails -- account verification, subscription receipts, password reset
  • To send the optional daily ONYX digest (opt-out available on request)
  • To diagnose technical issues, debug errors, and improve product stability
  • To detect and prevent fraud, abuse, or violations of our Terms of Service
  • To comply with legal obligations where required by law

We do not use your data for behavioral advertising, interest profiling, or any purpose beyond those listed above. We do not sell your personal information to any third party under any circumstances.

04 Third-Party Services and Data Processors

We use a small number of trusted third-party service providers to operate the product. Each acts as a data processor on our behalf and is contractually prohibited from using your data for their own purposes.

Supabase. We use Supabase for database hosting and user authentication. Your account data and app data are stored in Supabase-managed Postgres infrastructure hosted on AWS. Supabase is SOC 2 Type II certified. Privacy policy: supabase.com/privacy.

Vercel. Our web application is served via Vercel. Vercel processes incoming HTTP requests and may log IP addresses and request metadata for CDN and security purposes. Privacy policy: vercel.com/legal/privacy-policy.

Stripe. All payment processing is handled by Stripe. We never receive or store your card details. Stripe is PCI DSS Level 1 certified. Privacy policy: stripe.com/privacy.

Resend. We use Resend for transactional email delivery (account verification, daily digest). Resend receives your email address to deliver messages on our behalf. Privacy policy: resend.com/legal/privacy-policy.

Google OAuth. If you choose to sign in via Google, Google authenticates your identity and shares your email address and display name with us. How Google processes your data in that flow is governed by Google's Privacy Policy at policies.google.com/privacy.

We do not share your data with any other third parties, including data brokers, analytics platforms, or advertising networks.

05 Data Retention

We retain your account data for as long as your account remains active. If you request account deletion, we will permanently delete your personal information from our systems within 30 days, except where we are required to retain it by applicable law (e.g., for tax or legal compliance purposes).

Server logs are retained for a maximum of 90 days and are then purged automatically. Anonymized aggregate usage statistics may be retained indefinitely for product analytics.

06 Your Rights

You have the following rights regarding your personal data at any time:

  • Access -- Request a copy of the personal data we hold about you
  • Correction -- Request correction of any inaccurate or incomplete data
  • Deletion -- Request deletion of your account and associated personal data
  • Portability -- Request your data in a portable, machine-readable format
  • Objection -- Object to any processing that is not strictly necessary for service delivery

To exercise any of these rights, email us at hello@onyxmlb.com from the address associated with your account. We will respond within 30 days.

If you are located in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR). If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA). We honor both frameworks on request without requiring you to specify which law applies.

07 Security

We implement reasonable and appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Encrypted data transmission via HTTPS/TLS for all connections
  • Industry-standard bcrypt password hashing via Supabase Auth
  • Row-Level Security (RLS) policies on our database restricting data access to authenticated owners
  • Environment variable isolation for all service credentials and API keys

No security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you promptly via email and take immediate remediation steps.

08 Children

ONYX is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@onyxmlb.com and we will promptly delete that data.

09 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via the email address associated with your account at least 7 days before taking effect. The "Effective date" at the top of this page reflects the most recent revision.

Your continued use of the Service after changes take effect constitutes your acceptance of the revised Privacy Policy.

10 Contact

Questions, concerns, or requests regarding this Privacy Policy or your personal data should be directed to:

ONYX
Email: hello@onyxmlb.com

We aim to respond to all written inquiries within 5 business days. For urgent data-related requests (suspected breach, imminent harm), please indicate urgency in your subject line.