Privacy Policy
Last updated: April 12, 2026
1. Who We Are
MoundLab LLC (“we,” “us,” or “our”), a Delaware limited liability company with its registered address at 8 The Green, Suite A, Dover, DE 19901, operates the website at moundlab.com and the MoundLab platform. MoundLab LLC is the data controller for the purposes of applicable data protection laws. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services.
2. Information We Collect
Account Information
When you create an account, we collect:
- Email address (required)
- Display name (optional)
- Password (stored as a one-way bcrypt hash — we never store your plaintext password)
Google OAuth
If you sign in with Google, we receive your name, email address, and profile photo URL from Google. We store an OAuth access token to maintain your session. We do not access your Google contacts, calendar, or any other Google services.
Payment Information
Payments are processed by Stripe. We never see or store your credit card number. We store only your Stripe customer ID and subscription status to manage your plan.
Usage Data
We store the scouts you create, their configuration settings, and simulated pick history. All capital, profits, and losses referenced on MoundLab are entirely virtual with no monetary value.
Device & Fraud-Prevention Identifiers
When you create a free account, we collect certain technical characteristics of your device (such as browser type, operating system, and display configuration) and derive a hashed identifier from them. We use this identifier solely to enforce our one-free-account-per-person policy and to protect the integrity of the platform against abuse. This identifier is not used for advertising, analytics, or any purpose other than fraud prevention. It is automatically and permanently deleted if you upgrade to a paid subscription. You may request deletion of this identifier at any time by contacting us at the address below.
AI Strategy Coach
When you use the AI Strategy Coach, your conversation messages are sent to our AI provider (Anthropic, via the Vercel AI Gateway) for processing. Conversations are not stored permanently and are not used to train AI models. Anthropic’s data handling is governed by their own privacy policy.
3. How We Use Your Information
- To create and maintain your account
- To process subscription payments via Stripe
- To send transactional emails (welcome email, account notifications) via Resend
- To provide the AI Strategy Coach feature
- To display leaderboards, leagues, and scout comparisons
- To improve and maintain the platform
We do not sell your personal information. We do not serve advertisements. We do not engage in behavioral profiling or ad-targeting.
4. Third-Party Services
We share limited data with the following service providers, solely to operate MoundLab:
- Stripe — payment processing (receives your payment details directly)
- Google — OAuth authentication (if you choose Google sign-in)
- Resend — transactional email delivery (receives your email address)
- Anthropic / Vercel AI Gateway — AI Strategy Coach processing (receives your chat messages)
- Vercel — hosting and infrastructure
- Neon — database hosting
Each provider processes data according to their own privacy policies and data processing agreements.
4a. International Data Transfers
MoundLab is based in the United States and processes data in the US through our service providers (Vercel, Neon, Stripe, Resend, Anthropic). If you access MoundLab from outside the United States, your personal data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) and our service providers’ data processing agreements to ensure appropriate safeguards are in place for international transfers in accordance with GDPR requirements.
4b. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or UK, we process your data under the following legal bases:
- Contractual necessity — account creation, subscription management, scout deployment, and league participation
- Legitimate interest — AI Strategy Coach, platform improvement, leaderboard display, and fraud prevention
- Legal obligation — compliance with applicable laws, responding to legal requests
- Consent — optional marketing communications (if any in the future)
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, all personal data, scouts, picks, league memberships, and related records are permanently deleted within 30 days. Anonymized, aggregated data (such as total platform pick counts) may be retained indefinitely.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Portability — export your data in a machine-readable format (available via your account settings)
- Correction — update inaccurate personal information
- Deletion — permanently delete your account and all associated data
- Objection — object to certain types of processing
To exercise any of these rights, use the account management features in the platform or contact us at privacy@moundlab.com. We will respond to data subject requests within 30 days as required by GDPR.
8. US State Privacy Rights
This section supplements the rest of this Privacy Policy with disclosures required by state consumer privacy laws, including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Delaware Personal Data Privacy Act (DPDPA), and similar laws in other states. These rights apply to residents of states with applicable consumer privacy legislation.
Categories of Personal Information
In the preceding 12 months, we have collected the following categories of personal information:
| Category | Examples | Business Purpose | Retention | Sold/Shared |
|---|---|---|---|---|
| Identifiers | Email, display name, Stripe customer ID | Account creation, billing | Until account deletion + 30 days | No |
| Internet activity | Session tokens, pages visited | Authentication, service delivery | Session: 7 days; logs: 30 days | No |
| Commercial information | Subscription plan, payment status | Billing, plan enforcement | Until account deletion + 30 days | No |
| Unique personal identifiers | Device fingerprint (hashed) | Fraud prevention (one-free-account-per-person) | Until account deletion or paid upgrade | No |
| Inferences | Agent configurations, simulated pick history | Service delivery (game features) | Until account deletion + 30 days | No |
Your Rights Under State Privacy Laws
Depending on your state of residence, you may have some or all of the following rights. Where a right is available under your state’s law, we honor it regardless of whether you reside in that state:
- Right to Know / Access — request disclosure of the categories and specific pieces of personal data we have collected about you.
- Right to Delete — request deletion of your personal data. Use the “Delete account” option in your account menu, or email us.
- Right to Correct — request correction of inaccurate personal data.
- Right to Opt-Out of Sale or Sharing — opt out of the sale or sharing of your personal data for targeted advertising. We do not sell or share personal data, but you can submit a request at our Do Not Sell or Share page.
- Right to Opt-Out of Profiling — opt out of automated profiling that produces legal or similarly significant effects. MoundLab does not engage in such profiling.
- Right to Limit Use of Sensitive Data — limit our use of sensitive personal data to what is necessary. Our only sensitive data use is device fingerprinting for fraud prevention.
- Right to Data Portability — obtain your data in a portable, machine-readable format. Use the “Export my data” option in your account menu.
- Right to Restrict Processing — request that we restrict processing of your personal data in certain circumstances (available to EEA/UK residents under GDPR and to residents of states with equivalent provisions).
Submitting Requests
You can exercise your rights through the following methods:
- Self-service: Account menu → “Export my data” (access/portability) or “Delete account” (deletion)
- Opt-out page: moundlab.com/privacy/do-not-sell
- Email: privacy@moundlab.com
We will verify your identity before processing a request. Response times by state law: California (45 days); Virginia, Colorado, Connecticut, Texas, Oregon, Delaware, and other states (45 days). You may designate an authorized agent to submit a request on your behalf.
Appeals
If we decline your privacy request, you have the right to appeal. To appeal, email privacy@moundlab.com with “Privacy Appeal” in the subject line. We will respond to appeals within 60 days. If your appeal is denied, you may contact your state’s Attorney General to submit a complaint.
Global Privacy Control
MoundLab honors the Global Privacy Control (GPC) browser signal as a valid opt-out of sale/sharing under California (Cal. Civ. Code § 1798.135(e)), Colorado (CPA § 6-1-1306), Connecticut (CTDPA § 42-520(b)), and other applicable state laws. If your browser sends a Sec-GPC: 1 header, we treat it as an opt-out request automatically.
Sale and Sharing of Personal Data
MoundLab has not sold, shared, or disclosed for targeted advertising any personal data in the preceding 12 months and does not have plans to do so. We do not engage in cross-context behavioral advertising. We do not process personal data for purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects.
Non-Discrimination
We will not discriminate against you for exercising your privacy rights under any state law. You will not receive a different level or quality of goods or services, be denied goods or services, or be charged different prices for exercising any of your rights under this section.
Financial Incentive Disclosure (California)
MoundLab offers paid subscription tiers (Contender, Pro, Season Pass) that provide additional features such as more agent slots and backtesting access. These tiers require payment and are not conditioned on the collection or retention of additional personal information beyond what is described in this policy. The pricing of each tier reflects the cost of providing additional computational resources, not a valuation of your personal information. You may cancel your subscription at any time via the Stripe customer portal without any penalty.
State-Specific Notices
- California: We comply with the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted by Cal. Civ. Code § 1798.121. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.
- Connecticut: We provide pre-renewal notice for auto-renewing subscriptions at least 30 days before charge, in compliance with CT Gen. Stat. § 42-527b.
- Delaware: As a Delaware LLC, we comply with the Delaware Personal Data Privacy Act (DPDPA). We do not process personal data for targeted advertising.
- Virginia: We do not process personal data for targeted advertising or sell personal data as defined by the VCDPA.
- Colorado: We honor universal opt-out mechanisms including GPC signals as required by the CPA.
- Texas: We comply with the TDPSA. We do not sell biometric or sensitive personal data. We have not disclosed personal data to third parties for targeted advertising.
- Oregon: We comply with the OCPA. Oregon residents may exercise their rights without creating an account by emailing us.
9. Children’s Privacy
MoundLab is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will promptly delete it.
10. Security
We use industry-standard security measures including encrypted connections (HTTPS/TLS), bcrypt password hashing, and secure cloud infrastructure. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “last updated” date at the top reflects the most recent revision.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33 requirements.
13. Contact
For privacy-related questions or requests, contact our privacy team at privacy@moundlab.com.
MoundLab LLC, 8 The Green, Suite A, Dover, DE 19901, United States.