ONYX ("we," "us," or "our") operates onyxmlb.com. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have over your data. We keep it plain and direct -- no legalese padding.
By using the Service, you agree to the collection and use of information as described in this policy. If you disagree with any part of this policy, please discontinue use of the Service.
Account information. When you create an account -- via email and password or Google OAuth -- we store your email address and authentication provider. Passwords are hashed using industry-standard cryptography; they are never stored in plain text and are never accessible to us.
Usage and log data. We collect standard server-side logs including your IP address, browser type and version, pages visited, and request timestamps. This data is used for security monitoring, debugging, and product improvement. It is not sold or shared for advertising purposes.
Subscription and billing data. When you subscribe to a paid plan, payment processing is handled entirely by Stripe. We receive and store only your subscription status, plan tier, and a Stripe customer reference ID. We never receive, see, or store your card number, CVV, or billing address. Stripe's handling of your payment data is governed by their own Privacy Policy at stripe.com/privacy.
Communication data. If you contact us by email, we retain the content of that correspondence to respond and improve support quality. We do not share support communications with third parties.
Cookies and session tokens. We use authentication cookies solely to maintain your logged-in session. These are strictly necessary and expire when you sign out. We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies of any kind.
We use the information we collect only for the following purposes:
We do not use your data for behavioral advertising, interest profiling, or any purpose beyond those listed above. We do not sell your personal information to any third party under any circumstances.
We use a small number of trusted third-party service providers to operate the product. Each acts as a data processor on our behalf and is contractually prohibited from using your data for their own purposes.
Supabase. We use Supabase for database hosting and user authentication. Your account data and app data are stored in Supabase-managed Postgres infrastructure hosted on AWS. Supabase is SOC 2 Type II certified. Privacy policy: supabase.com/privacy.
Vercel. Our web application is served via Vercel. Vercel processes incoming HTTP requests and may log IP addresses and request metadata for CDN and security purposes. Privacy policy: vercel.com/legal/privacy-policy.
Stripe. All payment processing is handled by Stripe. We never receive or store your card details. Stripe is PCI DSS Level 1 certified. Privacy policy: stripe.com/privacy.
Resend. We use Resend for transactional email delivery (account verification, daily digest). Resend receives your email address to deliver messages on our behalf. Privacy policy: resend.com/legal/privacy-policy.
Google OAuth. If you choose to sign in via Google, Google authenticates your identity and shares your email address and display name with us. How Google processes your data in that flow is governed by Google's Privacy Policy at policies.google.com/privacy.
We do not share your data with any other third parties, including data brokers, analytics platforms, or advertising networks.
We retain your account data for as long as your account remains active. If you request account deletion, we will permanently delete your personal information from our systems within 30 days, except where we are required to retain it by applicable law (e.g., for tax or legal compliance purposes).
Server logs are retained for a maximum of 90 days and are then purged automatically. Anonymized aggregate usage statistics may be retained indefinitely for product analytics.
You have the following rights regarding your personal data at any time:
To exercise any of these rights, email us at hello@onyxmlb.com from the address associated with your account. We will respond within 30 days.
If you are located in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR). If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA). We honor both frameworks on request without requiring you to specify which law applies.
We implement reasonable and appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:
No security system is impenetrable. In the event of a data breach affecting your personal information, we will notify you promptly via email and take immediate remediation steps.
ONYX is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@onyxmlb.com and we will promptly delete that data.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via the email address associated with your account at least 7 days before taking effect. The "Effective date" at the top of this page reflects the most recent revision.
Your continued use of the Service after changes take effect constitutes your acceptance of the revised Privacy Policy.
Questions, concerns, or requests regarding this Privacy Policy or your personal data should be directed to:
ONYX
Email: hello@onyxmlb.com
We aim to respond to all written inquiries within 5 business days. For urgent data-related requests (suspected breach, imminent harm), please indicate urgency in your subject line.