Privacy Policy

Last updated: April 24, 2026  |  Effective date: April 24, 2026

This Privacy Policy (“Policy”) describes how Texas Preps Portal, LLC (“Company,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects information about you when you access or use the Texas Preps Portal website, mobile applications, application programming interfaces, and all associated services (collectively, the “Service”). This Policy is incorporated by reference into the Texas Preps Portal Terms of Service (“Terms”) available at /legal/terms.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Policy. If you do not agree to this Policy, you must discontinue use of the Service immediately.

1. Definitions

Capitalized terms used but not defined in this Policy have the meanings given to them in the Terms. The following additional definitions apply:

• “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
• “Sensitive Personal Information” means a subset of Personal Information including government-issued identification numbers, financial account information, precise geolocation data, biometric data, health or medical information, and information concerning a Minor.
• “Processing” means any operation performed on Personal Information, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
• “Controller” means the entity that determines the purposes and means of Processing Personal Information. For purposes of this Policy, the Company is the Controller with respect to all Personal Information collected through the Service.
• “Data Subject” means an identified or identifiable natural person whose Personal Information is Processed by the Company.

2. Information We Collect

2.1 Information You Provide Directly

We collect Personal Information that you voluntarily provide when you:

• Register for an account: username, email address (stored as a deterministic HMAC-SHA256 token for lookup purposes and separately as AES-256-GCM ciphertext where plaintext recovery is required by the Service), password (stored only as a salted bcrypt hash — never in plaintext), self-selected role, and birth year;
• Create or update a profile: display name, biography, profile photograph, school affiliation, graduation year, social media handles, and athletic performance statistics (for Athlete accounts);
• Publish content: articles, photographs, video clips, and other User Content you submit through the Service;
• Subscribe to a Portal plan: billing address and payment instrument details (processed and stored solely by Stripe, Inc. — the Company does not store full payment card numbers or CVV codes); and
• Contact us: any information you include in correspondence transmitted to our support, privacy, legal, or security email addresses.

2.2 Information Collected Automatically

When you access the Service, certain technical data is collected automatically by our infrastructure provider, Cloudflare, Inc., including: Internet Protocol (“IP”) address, browser type and version, operating system and version, referring URL, pages viewed, time and date of access, and session duration. This data is used for security, fraud prevention, rate-limiting, and aggregate traffic analysis, and is subject to Cloudflare’s privacy policy, available at https://www.cloudflare.com/privacypolicy/. The Company does not independently log or store IP addresses in its application-layer database.

2.3 Analytics Data (Article Pages Only)

On pages accessible at the /article/ path exclusively, the Service uses PostHog to record a single anonymous event (“article_view”) containing only the article’s unique identifier. No personally identifying attributes, session recordings, click maps, scroll-depth measurements, or cross-site tracking data are collected at any point. PostHog is configured with in-memory persistence only (no cookies or localStorage), session recording disabled, and autocapture disabled. No analytics instrumentation of any kind is deployed on any other page of the Service.

2.4 Information from Third-Party Sources

We may receive limited information about you from third-party sources, including: (a) payment processors (Stripe) that confirm the status and metadata of a Subscription transaction but do not transmit full payment card data to us; and (b) electronic consent providers (DocuSeal) that confirm whether a parental consent form has been completed and signed, along with the timestamp of signature and a submission identifier.

2.5 No Collection from Children Under 13

We do not knowingly collect Personal Information from children under the age of thirteen (13). Any account registration attempt that indicates a birth year reflecting an age below thirteen (13) is rejected at the point of registration without data collection.

3. How We Use Your Information

3.1 Purposes of Processing

We use the Personal Information we collect solely for the following purposes and on the following legal bases:

3.2 No Sale of Personal Information

The Company does not sell, rent, trade, license, or otherwise disclose your Personal Information to third parties for monetary or other valuable consideration, nor does it share your Personal Information for cross-context behavioral advertising purposes. This commitment applies to all Users, including California residents with rights under the CCPA/CPRA (see Section 9) and Texas residents with rights under the TDPSA (see Section 10).

3.3 No Automated Profiling for Significant Decisions

The Company does not use your Personal Information for automated profiling that produces legal or similarly significant effects on you, including without limitation automated eligibility determinations, credit scoring, targeted advertising based on behavioral data, or any form of decision-making that produces binding outcomes without meaningful human review.

4. How We Share Your Information

4.1 Service Providers

We share Personal Information with trusted third-party service providers who Process data on our behalf solely to provide the Service:

• Cloudflare, Inc. — cloud infrastructure, content delivery network, edge computing (Workers), D1 database, R2 object storage, Durable Objects, and DDoS protection;
• Stripe, Inc. — payment processing for Portal Subscriptions; subject to Stripe’s Privacy Policy at https://stripe.com/privacy;
• DocuSeal — electronic parental consent form delivery and legally binding signature capture;
• PostHog — anonymous aggregate analytics (article pages only, in-memory mode, no cookies).

4.2 Public Profile Information

Certain information in your profile may be visible to other Users and the general public, including your username, role, display name, biography, school affiliation, and, for Athlete accounts with active parental consent, performance statistics. Your email address is never displayed publicly and is stored only in encrypted and tokenized form in our database at all times.

4.3 Legal Disclosures

We may disclose your Personal Information if we believe in good faith that disclosure is necessary to: (a) comply with a valid and binding legal process; (b) enforce our Terms of Service or protect the rights, property, or safety of the Company, our Users, or the public; (c) detect, prevent, or address fraud, security incidents, or technical failures; or (d) respond to an emergency that poses a credible risk to the health or safety of any person.

4.4 Business Transfers

In the event of a merger, acquisition, corporate reorganization, or sale of all or substantially all assets involving the Company, your Personal Information may be transferred to the successor entity as part of that transaction. If such a transfer results in a material change in how your Personal Information is Processed, we will provide notice in accordance with Section 13.2 of this Policy prior to your Personal Information becoming subject to a different privacy policy.

4.5 Aggregated and De-identified Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be re-associated with any individual with third parties for research, industry analysis, product improvement, or other purposes. Such data is not Personal Information and is not subject to the restrictions in this Policy.

5. Data Security

5.1 Encryption at Rest

All Personal Information stored in our Cloudflare D1 database is protected as follows: (a) email addresses are stored as HMAC-SHA256 keyed message authentication codes (for equality-based lookup) and, where plaintext recovery is required by the Service, separately as AES-256-GCM ciphertext with a randomly generated 96-bit initialization vector per record; (b) passwords are stored exclusively as bcrypt hashes with a computational cost factor of no less than ten (10) — passwords are never logged, transmitted in plaintext after initial receipt, or stored in any reversible form; and (c) all other Sensitive Personal Information is encrypted using AES-256-GCM with unique initialization vectors.

5.2 Encryption in Transit

All data transmitted between your browser or device and the Service is protected using Transport Layer Security (“TLS”) version 1.2 or higher. The Service enforces HTTPS exclusively and does not accept unencrypted HTTP connections. HTTP Strict Transport Security (“HSTS”) is configured to prevent protocol downgrade attacks.

5.3 Access Controls and Authentication

Access to production databases and infrastructure is restricted to authorized personnel on a strict need-to-know basis. All user authentication to the Service is performed using cryptographically signed JSON Web Tokens (“JWTs”) using the HMAC-SHA256 (“HS256”) algorithm with a secret key of at least 256 bits of entropy. Session tokens expire after a configurable period (default: 24 hours) and are invalidated upon logout.

5.4 Security Incident Response

In the event of a data security incident that is reasonably likely to result in harm to affected individuals (a “Data Breach”), the Company will: (a) investigate and contain the incident with reasonable promptness; (b) notify affected Users and relevant regulatory authorities within the timeframes required by applicable law; (c) provide notification that describes the nature of the incident, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the incident. Security incidents should be reported immediately to security@texasprepsportal.com.

5.5 Limitations of Security Measures

No method of transmission over the internet or method of electronic storage is one hundred percent (100%) secure or error-free. The Company cannot guarantee the absolute security of your Personal Information, and by using the Service you acknowledge and accept this inherent risk.

6. Data Retention

6.1 General Retention Principles

We retain Personal Information for no longer than is necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our contractual agreements.

6.2 Specific Retention Periods

• Account data (username, encrypted email token, password hash, role, registration timestamp): retained for the active life of the account and for three (3) years following account deletion;
• Published User Content (articles, profile data): retained until you request deletion, subject to legitimate-interests exceptions;
• Transactional records (Portal Subscription invoices, payment metadata): retained for seven (7) years to comply with applicable tax, accounting, and financial record-keeping obligations;
• Parental consent records (DocuSeal submission identifiers, signature timestamps, consent status): retained for a minimum of five (5) years from the date of execution;
• Security and access logs: retained for up to ninety (90) days, except where extended retention is required in connection with a security investigation or legal proceeding.

6.3 Deletion Procedures

Upon account deletion, we will delete or irreversibly anonymize your Personal Information within thirty (30) calendar days, subject to the retention exceptions set forth in Section 6.2 and any legal holds or regulatory requirements. Aggregated, de-identified data derived from your Personal Information is not subject to deletion requirements and may be retained indefinitely.

7. Cookies and Tracking Technologies

7.1 Strictly Necessary Cookies

The Service uses a minimal set of cookies that are strictly necessary for the operation of the platform:

• Authentication session cookie: a short-lived, HttpOnly, Secure, SameSite=Strict cookie that stores your JWT to maintain your authenticated session across page loads. This cookie expires automatically at the end of your session or upon token expiration (default: 24 hours), whichever is sooner;
• CSRF protection token: a SameSite=Strict, short-lived cookie used to prevent cross-site request forgery attacks on state-mutating API operations.

7.2 Analytics on Article Pages

On /article/ pages only, PostHog is initialized with in-memory persistence exclusively, meaning no cookie, localStorage entry, or other persistent identifier is written to your browser or device. No tracking identifier is associated with your browser across sessions or across pages.

7.3 Absence of Advertising and Third-Party Tracking Cookies

The Company does not deploy third-party advertising cookies, retargeting pixels, conversion tracking scripts, social media share buttons that set cookies, or any cross-site behavioral tracking technology on any page of the Service. No advertising network, data broker, or social media platform has access to data collected from your interactions with the Service.

7.4 Managing Cookies

You may configure your browser or device settings to refuse all cookies, clear existing cookies, or alert you when cookies are being set. If you disable the authentication session cookie described in Section 7.1, you will not be able to log in to the Service. Disabling all other cookies will not affect your ability to browse public Content on the Service.

8. Minor Users’ Privacy

8.1 COPPA Compliance

We comply with the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501–6506, and the Federal Trade Commission’s COPPA Rule, 16 C.F.R. Part 312. We do not knowingly collect Personal Information from children under the age of thirteen (13) without first obtaining verifiable parental consent. Any account registration attempt that indicates a birth year reflecting an age below thirteen (13) is rejected at the point of registration without data collection.

8.2 Minor Athlete Accounts (Ages 13–17)

Users who register as Athletes and whose birth year indicates they are between thirteen (13) and seventeen (17) years of age (inclusive) are classified as Minors in our system (the “is_minor” flag). Prior to activation of Athlete Profile features, a verifiable parental or legal guardian consent form is transmitted via DocuSeal to the email address provided during registration. Until parental consent is received, confirmed, and recorded in our system (the “consent_signed” flag), the Minor’s account is restricted to read-only access of publicly available Content on the Service.

8.3 Parental Rights Regarding Minor’s Data

Parents and legal guardians of Minor Users have the right, at any time, to: (a) review all Personal Information collected from and displayed about their child; (b) request correction of inaccurate Personal Information; (c) request deletion of their child’s account and all associated Personal Information; (d) revoke previously granted consent, which will result in deactivation of Athlete Profile features and deletion of athlete-specific data; and (e) prohibit the Company from collecting further Personal Information from their child. To exercise any of these rights, please contact privacy@texasprepsportal.com with your child’s username, a description of the requested action, and documentation establishing your parental or guardian relationship.

9. California Privacy Rights (CCPA/CPRA)

9.1 Applicability

This Section 9 applies exclusively to natural persons who are residents of the State of California, as defined by Cal. Civ. Code § 1798.140(d) (“California Consumers”). In the event of any conflict between this Section 9 and the remainder of this Policy with respect to the rights of California Consumers, this Section 9 shall govern.

9.2 Categories of Personal Information Collected in the Past 12 Months

• Identifiers: username, email address (in encrypted/tokenized form only), unique account and device identifiers, IP address (via Cloudflare infrastructure, not stored in application database);
• Personal information as listed in Cal. Civ. Code § 1798.80(e): name (display name), billing address (Portal Subscription holders only);
• Internet or other electronic network activity information: pages visited within the Service, article view events (anonymous, article ID only), Cloudflare infrastructure access logs;
• Inferences drawn from the above: role classification (Visitor, Athlete, Coach, Reporter) based on self-reported registration data.

We do not collect Social Security numbers, driver’s license numbers, financial account numbers, precise geolocation data, biometric identifiers, health or medical information, genetic data, sexual orientation, religious or philosophical beliefs, or union membership through the Service.

9.3 Your Rights as a California Consumer

• Right to Know (Cal. Civ. Code § 1798.100): the right to request disclosure of the categories and specific pieces of Personal Information we have collected about you;
• Right to Delete (Cal. Civ. Code § 1798.105): the right to request deletion of Personal Information we have collected from you, subject to exceptions;
• Right to Correct (Cal. Civ. Code § 1798.106): the right to request correction of inaccurate Personal Information we maintain about you;
• Right to Opt-Out of Sale or Sharing (Cal. Civ. Code § 1798.120): as stated in Section 3.2, the Company does not sell or share Personal Information — no opt-out action is needed;
• Right of Non-Discrimination (Cal. Civ. Code § 1798.125): the right not to receive discriminatory treatment for exercising your CCPA/CPRA privacy rights.

9.4 Submitting a Verifiable Consumer Request

To exercise any right described in Section 9.3, please submit a verifiable consumer request by emailing privacy@texasprepsportal.com with the subject line “California Privacy Request.” The request must include: (a) your first and last name; (b) your account username (if applicable); (c) the specific right(s) you wish to exercise; and (d) sufficient information to allow us to verify your identity. We will confirm receipt within ten (10) business days and respond substantively within forty-five (45) calendar days of receipt.

9.5 Authorized Agent

You may designate an authorized agent to submit a CCPA/CPRA request on your behalf by providing the agent with a signed written authorization and submitting a copy of such authorization to privacy@texasprepsportal.com along with the request.

9.6 Shine the Light

California Civil Code § 1798.83 permits California residents to request information about the disclosure of their Personal Information to third parties for direct marketing purposes during the preceding calendar year. As the Company does not disclose Personal Information to third parties for direct marketing purposes, no such disclosure has occurred and no responsive information is available.

10. Texas Privacy Rights (TDPSA)

10.1 Applicability

This Section 10 applies to natural persons who are residents of the State of Texas and qualify as “consumers” under the Texas Data Privacy and Security Act (“TDPSA”), Tex. Bus. & Com. Code §§ 541.001 et seq., as amended.

10.2 Your Texas Privacy Rights

• Right to Access: to confirm whether the Company Processes your Personal Information and, if so, to access such information;
• Right to Correction: to correct inaccuracies in your Personal Information;
• Right to Deletion: to delete Personal Information provided by or obtained about you;
• Right to Data Portability: to obtain a copy of your Personal Information in a portable, readily usable format;
• Right to Opt Out: to opt out of Processing of your Personal Information for purposes of targeted advertising, sale, or profiling. As stated in Sections 3.2 and 3.3, the Company does not engage in any of these activities.

10.3 Exercising Your Texas Rights

To exercise any right described in Section 10.2, please contact privacy@texasprepsportal.com with the subject line “Texas Privacy Request.” We will respond within forty-five (45) business days of receipt and may extend the response period by a further forty-five (45) business days with notice.

11. International Data Transfers

The Company is incorporated and operated in the United States, and the Service is hosted on Cloudflare’s global infrastructure, with data processing potentially occurring in multiple jurisdictions. If you access the Service from outside the United States, please be aware that your Personal Information may be transferred to, stored in, and Processed in the United States, where data protection laws may differ from those applicable in your country of residence. By using the Service from outside the United States, you consent to such transfer, storage, and Processing.

12. Third-Party Links and Services

The Service may contain hyperlinks to, or embedded content from, third-party websites, services, or applications that are not owned, controlled, or operated by the Company. This Policy applies solely to Personal Information collected by the Company through the Service and does not apply to information collected by third parties. The Company disclaims all responsibility for the information practices of third-party websites or services, and you access and use such websites or services entirely at your own risk.

13. Changes to This Policy

13.1 Right to Amend

The Company reserves the right to modify this Policy at any time to reflect changes in our data practices, applicable law, or the features of the Service. The date of the most recent revision will always be displayed at the top of this page.

13.2 Notice of Material Changes

If we make material changes to this Policy, we will notify registered Users by email and by posting a prominent notice on the Service homepage not less than fourteen (14) days prior to the effective date of such changes, except where changes are required immediately by applicable law or are necessary to protect the security or integrity of the Service.

13.3 Continued Use Constitutes Acceptance

Your continued use of the Service after the effective date of any amendment to this Policy constitutes your acknowledgment of and agreement to be bound by the amended Policy. If you do not agree to the amended Policy, your sole remedy is to discontinue use of the Service and request deletion of your account in accordance with Section 6.3.

14. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our Processing of your Personal Information, please contact our Privacy team at:

• Privacy inquiries and data subject requests: privacy@texasprepsportal.com
• Security incidents and vulnerability reports: security@texasprepsportal.com
• DMCA copyright notices and counter-notifications: dmca@texasprepsportal.com
• Legal and Terms of Service matters: legal@texasprepsportal.com
• Mailing address: Texas Preps Portal, LLC, Attn: Privacy Officer, Austin, Texas, United States

We endeavor to respond to all privacy-related inquiries within fourteen (14) calendar days and to all verifiable consumer requests within the timeframes prescribed by applicable law.