Privacy Policy.
Effective 2026-05-22
1 · The short version
ZoneIN is operated by Ventiq LLC, which is the controller of the personal data described in this policy. "We," "us," and "our" refer to Ventiq LLC.
We collect the minimum needed to run a fan-operated community. We don't sell or rent your data. Free-tier pages show ads via Google AdSense, which uses cookies to deliver and measure ads — you can decline these via the cookie banner, and ZoneIN+ subscribers see zero ads either way. Embedded third-party content (RSS, videos, web embeds), affiliate click-outs (tickets, store), and payment processing are governed by those services' own privacy policies, not ours.
2 · What we collect
When you use ZoneIN we collect:
- Account info: email address, handle, display name, avatar seed. If you sign in via Google, we also receive your Google profile name and picture (you can replace either in Settings).
- Allegiances: which team you set as primary, which teams you follow.
- Content you create: threads, replies, votes, video links, Zone layouts, banter posts, chants, custom emoji submissions, uploaded banners and profile images.
- Cosmetic loadout: which equippable cosmetics (flair, frame, theme, cursor, profile mark, banner) you have unlocked and equipped.
- Engagement signals: which threads you opened, your hot-take score, prediction accuracy, last-active timestamp.
- Technical data: IP address (security + rate-limiting), browser user-agent, device type. Used transiently for abuse / fraud detection.
- Verification stamping (team admins only): when you submit the Brand Page Agreement to verify a team you represent, we record your IP address, browser user-agent, and timestamp as proof of consent. Used only for legitimacy of the verification record.
- Cookies + session: a session cookie for sign-in, a theme preference cookie, a CSRF token, and a consent-choice cookie that records whether you opted in to advertising cookies.
- Advertising signals (free tier, with consent): when you opt in to advertising cookies, Google AdSense may set cookies and read coarse signals (page topic, approximate location, device type) to deliver and measure ads. ZoneIN+ subscribers and free users who decline never see these cookies.
- Push notification keys (opt-in): if you enable push notifications, your browser's Push API endpoint URL and the public encryption keys (p256dh, auth) are stored so we can send notifications. You can revoke at any time in browser settings or in your ZoneIN profile.
- Payment info (subscribers only): handled entirely by Stripe. We never see or store your card number — we receive a charge confirmation, a subscription status flag, and the last 4 digits of the card for display in Settings.
- Affiliate click signals: when you click a ticket-vendor card or a store-vendor product, we log the click (which team / sport / vendor / referral code) so we can attribute commission. We do not push your email or handle to the vendor.
- Contact-form submissions: if you send us a message via the contact form or by emailing our support address, the message body, your email, and any attached metadata are stored in our admin inbox for response and audit.
- Vendor application data (store vendors only): if you apply to become a store vendor, the data you submit (Shopify domain, contact email, sport focus, etc.) is retained for review.
3 · What we don't do
- We don't sell or rent personal data to advertisers, brokers, or anyone else.
- We don't share your account email, handle, or content with our ad partner.
- We don't run cross-site tracking pixels (no Facebook Pixel, no LinkedIn Insight, etc.).
- We don't share your team allegiances with the teams themselves.
- We don't fingerprint your device for cross-site tracking.
- We don't share your email or identity with NIL collectives, ticket vendors, or store vendors.
4 · How we use what we collect
- Run the service — show you the communities you follow, the threads you post, your Zone, your equipped cosmetics.
- Personalize your feed and recommendations based on the teams you've followed.
- Protect the service from abuse — moderation, fan-flag, ban evasion, spam detection.
- Process subscription payments and route the agreed NIL share of NCAA subscriptions to the school's NIL revenue-share ledger.
- Attribute affiliate commission on outbound ticket / store clicks to the correct school's NIL ledger.
- Send transactional emails (sign-in magic links, contact-form replies, subscription confirmations) — never marketing without opt-in.
- Send push notifications to devices that have opted in.
- Aggregate anonymous metrics (community sizes, engagement totals) for product decisions.
5 · Embedded content & third-party services
ZoneIN surfaces content from third-party sites in several ways:
- Web Embed tiles render iframes pointing at URLs you supply. The embedded site sees your browser directly — its own cookies, headers, and privacy policy apply within the iframe.
- Video attachments (YouTube, Vimeo, Twitch, etc.) are embedded by ID and load from the source platform's servers. Their tracking applies inside the embed.
- RSS aggregation fetches headlines server-side; clicking a headline opens the source site directly in your browser.
- Authentication providers — magic-link email (sent via Resend) and Google OAuth. When you sign in with Google, Google sees the sign-in event and shares your email, name, and profile picture with us under their own privacy policy.
- Stripe Checkout handles payment when you subscribe to ZoneIN+ or Team+. Their privacy policy covers payment data.
- Stripe Connect handles KYC and payouts for NIL collective entities only — individual fans never interact with Connect. Verified schools' collectives onboard through Stripe's hosted Express flow; we receive capability flags but not the collective's KYC documents.
- Ticket vendor affiliate links (SeatGeek, etc.) — clicking a game card sends you to the vendor's site to complete the purchase. The vendor processes the transaction under its own privacy policy. We receive an aggregated commission report.
- Store vendor affiliate links and embedded carts — clicking a product sends you to the vendor's site (or hands off a Shopify cart) for checkout. We do not handle payment, shipping, or refunds. The vendor handles your purchase under its own privacy policy.
- Email delivery and inbound — outbound transactional and support emails are sent via Resend. If you email our support address, Resend forwards the parsed message to our server for storage in the admin inbox.
- Web Push uses your browser's native Push API and your platform's push server (Apple, Google, Mozilla). The push endpoint sees notification deliveries; we never include personal content in the push payload beyond what you'd see in-app.
You should read the privacy policies of any third-party site you embed or click into. ZoneIN can't and doesn't see what happens inside an embedded iframe or after you click through to a vendor.
6 · Cookies
First-party cookies set directly by ZoneIN:
- Session cookie — keeps you signed in. Required.
- CSRF token — protects forms from cross-site forgery. Required.
- Theme preference — remembers light / dark / equipped theme.
- Consent (zi_consent) — records your cookie-banner choice so we don't ask again on every page.
Third-party cookies are set only on free-tier pages and only if you accept advertising cookies via the banner:
- Google AdSense — delivers and measures ads. Google's ad cookies are documented in Google's advertising privacy notice. You can opt out of personalized advertising in your Google Ad Settings independent of any choice on ZoneIN.
ZoneIN+ subscribers never receive third-party cookies from us — ZoneIN+ pages skip the AdSense script entirely.
6a · Advertising
Free-tier pages show ads via Google AdSense. We use AdSense's contextual targeting (the page's team / league / sport topic) to serve relevant ads; we do not share your account email, handle, or posted content with Google. If you accept advertising cookies, AdSense may also personalize ads using its own profile of your browser — this is independent of your ZoneIN identity.
You have three ways to limit advertising:
- Choose Essential only on the cookie banner — we still serve ads contextually but Google won't personalize them.
- Send a Global Privacy Control signal from your browser — we treat this as a CCPA opt-out and a do-not-personalize request.
- Subscribe to ZoneIN+ — no ads, no AdSense script loaded.
7 · Data retention
Account data is retained while your account is active. If you delete your account, we remove your profile, content, and personal data within 30 days, except for:
- Moderation records (bans, fan-flags, abuse reports) — retained for safety / abuse investigation.
- Verification records (Brand Page Agreement consent + IP / UA stamping) for any teams you verified — retained for the legitimacy of the public verification claim.
- Financial records (subscription receipts, NIL ledger entries, vendor commission attributions) — retained for tax, audit, and dispute purposes per applicable law (typically 7 years).
- Backup snapshots — age out on a normal rotation (typically 30-90 days).
- Records we're legally required to keep.
8 · Your rights
Wherever you live, you can:
- Access the personal data we hold on you — Settings shows most of it directly, and a full export is available on request.
- Correct or update inaccurate data — most fields are editable in Settings.
- Delete your account and associated personal data.
- Object to or restrict specific processing (e.g. opt out of personalized feed recommendations, revoke push notifications).
- Lodge a complaint with your local data protection authority.
EEA / UK residents: ZoneIN is the data controller. Our legal bases are: contract (running the service, processing subscriptions, attributing affiliate commission), consent (optional emails, push notifications, advertising cookies), and legitimate interests (security, abuse prevention, product analytics).
California residents: you have the additional rights described under the CCPA / CPRA, including the right to know, the right to delete, and the right not to be discriminated against for exercising those rights. We don't sell personal data for money. Serving personalized ads may count as "sharing" under CPRA — you can opt out by selecting "Essential only" on the cookie banner or by sending a Global Privacy Control signal from your browser; we honor both.
9 · Disclosure to others
We disclose personal data only in these cases:
- To service providers we depend on (Vercel for hosting, Neon / Postgres for database, Resend for email, Stripe and Stripe Connect for payments and NIL payouts, Google for sign-in and ads, AdSense for ads), under contracts that limit their use to running our service.
- To Google AdSense, on free-tier pages, when you've accepted advertising cookies — limited to the signals AdSense reads directly from the browser (page URL, approximate location, device type). We do not push your account email, handle, or posted content to Google.
- To ticket and store vendors, when you click through to their site, the click is attributed to a school's NIL ledger via a referral code — we do not push your account email, handle, or posted content to the vendor.
- To verified NCAA schools' NIL collectives, the aggregate ledger total accrued on their behalf — never individual fan-level data.
- To comply with a valid legal request (subpoena, court order, etc.). We push back on overbroad requests where possible.
- To investigate or stop fraud, abuse, or safety threats.
- In the event of a merger or acquisition — to the successor, under terms at least as protective as this policy.
10 · Security
We encrypt data in transit (HTTPS everywhere) and at rest in our database. Passwords are not used (we use magic-link sign-in and Google OAuth); OAuth tokens are stored encrypted. Vendor OAuth access tokens and Stripe Connect account IDs are stored encrypted. We can't guarantee perfect security, but we maintain reasonable safeguards proportional to the sensitivity of the data we hold.
11 · Children
ZoneIN is not intended for children under 13 and we don't knowingly collect personal data from them. If you believe a child has created an account, contact us and we'll remove it.
12 · Changes to this policy
We may update this policy. Material changes are announced in-app and the "Effective" date above moves. Continued use after a change is acceptance of the updated policy.
13 · Contact
Privacy questions, data export requests, or account deletion assistance: zoneinhq.com/contact or email support@mail.zoneinhq.com.
This policy reflects the platform's actual data practices. If we ever change those practices — adding analytics, advertising, or new third-party services — this policy will update before the change ships.