Privacy Policy

This Privacy Policy describes how Rize Market LLC, doing business as NIL Desk ("Company," "we," "us," or "our"), collects, uses, discloses, and protects your personal information when you use the NIL Desk platform, website, and related services (the "Service").

We are committed to protecting your privacy and handling your data responsibly. This policy applies to all users of the Service, including Athletes and Compliance Admins.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Service.

Information You Provide Directly

• Account Information: Full name, email address, password, role (Athlete or Compliance Admin), and institution affiliation.
• Deal Data: Brand names, deal values, compensation type and amount, deal terms, dates, deliverables, and deal status.
• Documents: Contracts, compliance documents, deliverable proofs, and payment proofs uploaded to the platform.
• Communications: Messages sent to us via our contact form, email, or in-app support channels.
• Phone Number: If optionally provided via the contact form.
• Emails for AI Processing: Email content forwarded to the platform for AI-powered deal extraction.

Information Collected Automatically

• Device Information: Browser type, operating system, device type, and screen resolution.
• Usage Data: Pages visited, features used, actions taken, and time spent on the Service. This data may be collected via PostHog analytics when active.
• IP Address: Collected automatically when you access the Service.
• Error Data: Crash reports, performance data, and diagnostic information, which may be collected via Sentry when active.

Information from Third Parties

• Social Login (Google, Apple): If you sign in with Google or Apple, we receive your name, email address, and profile photo from the provider. We do not receive your password.
• Payment Provider (Polar.sh): We receive subscription status and customer identifiers from Polar.sh. We do not receive or store credit card numbers or full payment details.

We use the information we collect to:

• Provide the Service: Create and manage your account, store and display deal data, and enable platform features.
• Enable Compliance: Allow Compliance Admins to view, monitor, and manage NIL deals across their institution's athletes.
• Process Payments: Facilitate institutional subscription billing through Polar.sh.
• AI Deal Extraction: Process forwarded emails through the Anthropic Claude API to extract deal terms automatically.
• Send Communications: Deliver transactional emails including deal notifications, deadline reminders, and account updates via Brevo.
• Improve the Service: Analyze usage patterns to fix bugs, improve features, and enhance user experience.
• Prevent Fraud: Detect, investigate, and prevent fraudulent or unauthorized activity.
• Legal Compliance: Comply with applicable laws, regulations, and legal processes.

Within Your Institution

If you are an Athlete linked to an Institution, Compliance Admins at your Institution can see your deal data once a deal reaches the "Signed" stage or beyond. Deals in the "Inquiry" stage may remain private. Your deal data is never shared with other institutions.

Service Providers

We share data with the following third-party service providers who process data on our behalf:

• Supabase — Database hosting, authentication, and file storage. Data stored in US-region servers.
• Polar.sh — Payment processing for institutional subscriptions.
• Brevo — Transactional email delivery (deal notifications, deadline reminders, account updates).
• Vercel — Frontend hosting and content delivery.
• Anthropic — AI processing for deal extraction from forwarded emails. Anthropic does not use submitted data for model training under their commercial terms.
• Google Analytics — Website traffic analytics. Collects anonymized page views, session data, and traffic sources via cookies. Governed by Google's Privacy Policy.
• PostHog — Product analytics (when active). Collects anonymized usage data.
• Sentry — Error tracking and performance monitoring (when active).
• Langfuse — AI/LLM observability and quality monitoring (when active).

What We Do NOT Do

• We do not sell your personal information to any third party.
• We do not share your data with advertisers or use it for ad targeting.
• We do not share athlete deal data with other institutions, brands, or external parties unless required by law.

Legal Requirements

We may disclose your information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

• Account Data: Retained for as long as your account is active. If you delete your account, personal identifiers are removed within 30 days.
• Deal Records: Retained for 7 years after a deal reaches the "Completed" or "Paid" stage, in accordance with NCAA compliance requirements.
• Anonymized Data: When Athletes delete their accounts, personal information is anonymized (name, email, contact details removed), but deal records are preserved in de-identified form for institutional compliance.
• Audit Logs: Retained for 7 years to support institutional compliance auditing.
• Automatic Cleanup: Expired retention data is permanently deleted via an automated scheduled cleanup process.

We implement industry-standard security measures to protect your personal information:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
• Encryption at Rest: Data stored in our database is encrypted at rest via Supabase-managed encryption.
• Row-Level Security (RLS): Database access is restricted using PostgreSQL Row-Level Security policies, ensuring users can only access data they are authorized to see.
• Multi-Tenant Isolation: Institutional data is isolated using institution-level identifiers on all tenant-scoped tables.
• Secure Authentication: Passwords are hashed and salted. Social login uses OAuth 2.0 with Google and Apple.

While we take reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:

• Right to Know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (including the 7-year deal record retention requirement for NCAA compliance).
• Right to Opt-Out of Sale: We do not sell personal information, so this right does not apply. However, if our practices change, we will update this policy and provide an opt-out mechanism.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

How to Exercise Your Rights

You can exercise your privacy rights by:

• Using the account deletion feature in the platform (Athletes).
• Emailing us at legal@nildesk.io with the subject line "Privacy Request."

We will respond to verifiable consumer requests within 45 days of receipt. We may need to verify your identity before processing your request to protect against unauthorized access.

We use cookies and similar technologies to operate and secure the Service. Here is a summary:

• Essential Cookies: Required for authentication and session management (Supabase auth cookies). These cannot be disabled without losing the ability to log in.
• Analytics Cookies: Google Analytics cookies are used to measure website traffic and usage patterns. PostHog analytics cookies may also be used when active to understand how users interact with the Service.
• No Advertising Cookies: We do not use any advertising, retargeting, or third-party tracking cookies.

For full details, see our Cookie Policy.

The Service is intended for users who are at least 18 years of age. We do not knowingly collect personal information from anyone under the age of 18.

If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly. If you believe we may have collected information from someone under 18, please contact us at legal@nildesk.io.

The Service may contain links to third-party websites, services, or applications that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

We encourage you to review the privacy policy of every site you visit.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Notify you via email and/or in-app notification.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree, please stop using the Service.

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us: