Data Controller

FightEdge is owned and operated by Scene Zero LLC. All references to "FightEdge," "we," "us," or "our" in this policy refer to Scene Zero LLC. For privacy inquiries, contact us via our contact form.

1. Information We Collect

Account Data: When you create an account, we collect your username, email address, display/profile settings, and a securely hashed password. We never store plaintext passwords.

Profile, Community, and Referral Data: If you use profile customization, discussions, follows, reactions, shared slips, referrals, or similar community features, we store the content and activity needed to operate those features. Referral activity may include your referral code, referred signup status, non-cash Pro-day credits, and privacy-preserving duplicate/abuse checks.

Betting Data: If you use the bet tracker, parlay builder, CLV ledger, or ROI tools, we store your logged entries (fighter names, amounts, odds, results, notes, and related settings) to calculate your personal ROI and saved workflow. This data is tied to your account and not sold or shared for third-party marketing.

Payment Data: If you subscribe to FightEdge Pro, payment is processed by Stripe. We store your Stripe customer ID and subscription ID to manage your account. We never store credit card numbers, CVVs, or bank account details on our servers — Stripe handles all sensitive payment data under PCI-DSS Level 1 compliance.

Usage, Security, and Device Data: We log standard web server data (IP addresses, page views, timestamps, request IDs, device/browser metadata, and session records) for security, fraud prevention, support, and performance monitoring. Abuse-prevention records use hashes where possible, including hashed email, IP, user-agent, payment-card fingerprint, or device/fingerprint signals.

Notifications: If you enable browser push notifications, we store your browser push endpoint and public encryption keys so alerts can be delivered to that device. If you enable email alerts, we store your email preferences and send status receipts.

Optional Analytics: If you accept analytics cookies, we use Google Analytics (GA4) to understand how visitors use FightEdge. GA may collect usage data such as pages visited, time on site, device type, approximate location, browser identifiers, and cookie identifiers. We configure analytics not to intentionally send account email, passwords, payment data, bet notes, or other directly identifying account content to Google. If you decline analytics cookies, FightEdge keeps essential session/security cookies only and does not intentionally load GA4 for that browser unless you later change your cookie choice. You can also opt out using a browser extension.

2. How We Use Your Data

  • To provide and improve the FightEdge prediction service
  • To process and manage your subscription (if you subscribe to Pro)
  • To send email notifications you opted into (event alerts, accuracy reports)
  • To compute your personal betting ROI and track record
  • To operate community, referral, profile, push-notification, and onboarding features
  • To generate, cache, validate, and improve fight-card analysis using internal models and selected service providers
  • To prevent abuse and maintain service security

3. Data Sharing

We do not sell or rent your personal data, and we never share it with third parties for their own marketing purposes. We share data only with the service providers listed in Section 11, who process it on our behalf under their own privacy obligations. Your betting history, predictions, and account information are private.

4. Data Security & Protection

We take the protection of your data seriously. Here is exactly how your information is secured:

Password Protection

  • Passwords are hashed using PBKDF2 with SHA-256 (1,000,000 iterations, 16-byte random salt)
  • We never store plaintext passwords — even our team cannot see your password
  • If our database were ever compromised, your password would be computationally infeasible to reverse

Infrastructure Security

  • Hosted on Amazon Web Services (AWS) — the same cloud infrastructure used by Netflix, Airbnb, and NASA
  • Your data is stored on AES-256 encrypted disks (encryption at rest) — even if someone physically stole the hard drive, the data would be unreadable
  • All traffic is encrypted via HTTPS/TLS (encryption in transit) — powered by Cloudflare SSL
  • The application runs inside a Virtual Private Cloud (VPC) — the database is not accessible from the public internet
  • Daily automated backups to Amazon S3 with 30-day retention

Application Security

  • Session cookies are HttpOnly and SameSite protected — prevents cross-site attacks
  • All forms use CSRF (Cross-Site Request Forgery) protection
  • Rate limiting on login, registration, and sensitive endpoints prevents brute-force attacks
  • Security headers enforced: X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin)
  • Email verification required for all new accounts — prevents spam registrations

Payment Security

  • All payment processing handled by Stripe (PCI-DSS Level 1 certified — the highest level of payment security)
  • Your credit card number, CVV, and billing details are never stored on our servers — they go directly to Stripe
  • We only store a Stripe customer ID to manage your subscription — this ID cannot be used to make charges
  • Stripe webhook communications are verified with cryptographic signatures to prevent tampering

What We Store vs What We Don't

What We Store
  • Username
  • Email address
  • Hashed password (irreversible)
  • Subscription status
  • Bet history (if you use the tracker)
  • Notification preferences
  • Referral and Pro-credit activity
  • Push subscription endpoints if enabled
  • Session/security logs and abuse-prevention hashes
What We Do Not Store
  • Credit card numbers
  • Bank account details
  • Plaintext passwords
  • Social Security numbers
  • Raw payment-card fingerprints from Stripe
  • Advertising or ad-tracking data

5. Data Retention

  • Active accounts: Your data is retained for the lifetime of your account.
  • Deleted accounts: Account deletion removes your user-owned account, bet, preference, notification, push, community, referral, and contact-submission data from active application stores. Some security, anti-abuse, moderation, Stripe/webhook, server-log, and legal records may be retained in de-identified or limited form where reasonably necessary to protect the Service, prevent fraud, resolve disputes, comply with law, or maintain required business records.
  • Cancelled subscriptions: Your account data (username, email, bet history, predictions) is preserved on the Free tier. Only billing data is removed.
  • Security logs: Operational server logs and stored session IP records are kept only as needed for security monitoring; stored FightEdge session IP records are automatically purged after 30 days.
  • Backups: Encrypted backups are retained on AWS S3 for up to 30 days. Deleted account data may remain in encrypted backups until those backups naturally expire or are overwritten within that retention window.

6. Your Rights

Access: You can view all your data in your profile and bet tracker at any time.

Deletion: You can delete your account from your Settings page. This action is immediate for active application records and irreversible from the user interface, subject to the retention limits and legal/security exceptions described above. If you have an active subscription, cancel it first via the billing portal.

Subscription Management: You can cancel, upgrade, or downgrade your Pro subscription at any time through the Stripe billing portal (accessible from your Settings page). Cancellation takes effect at the end of your current billing period.

Data Export: You can download a JSON export from your Settings page, or contact us if you need help accessing your data.

Do Not Sell or Share My Information: We do not sell personal information and do not share it for cross-context behavioral advertising. Payment data handled by Stripe is governed by Stripe's privacy policy and is never sold by FightEdge.

7. California Privacy Rights (CCPA)

California residents have the following rights under the California Consumer Privacy Act:

  • Right to Know: You may request details about the personal information we collect, use, and disclose.
  • Right to Delete: You may request deletion of your personal information via the account deletion feature on your Settings page.
  • Right to Opt-Out: We do not sell personal information or share it for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not deny services, charge different prices, or provide different quality based on your exercise of privacy rights.

To exercise these rights, use the self-service tools on your Settings page or contact us via the Contact form. We will verify your identity before processing requests.

8. European Data Protection (GDPR)

If you are in the EEA or UK, our legal bases for processing your data are:

  • Consent: Account creation, optional marketing communications, optional push notifications, and optional analytics where required
  • Contract Performance: Providing subscription services you purchased
  • Legitimate Interest: Security, fraud prevention, service improvement, source verification, referral integrity, and privacy-bounded analytics

Your additional rights include: access, rectification, erasure, restriction of processing, data portability, and the right to object. Contact us via the Contact form to exercise any of these rights. We will respond within 30 days.

We do not have a Data Protection Officer as we are a small business, but all privacy inquiries are handled with the same level of care and legal compliance.

9. Automated Decision-Making

FightEdge uses statistical models (a proprietary rule + Elo predictor with isotonic calibration), Monte Carlo simulations, external source verification, and AI-assisted narrative generation to generate fight predictions and report explanations. These are statistical analyses provided for informational purposes — they do not make decisions that have legal or similarly significant effects on you. Your subscription status, account access, and billing are managed through standard authentication and payment processing, not automated profiling.

10. Cookies

We use essential cookies for session management, keeping you logged in, protecting your account, and preserving security controls. Optional Google Analytics (GA4) cookies (_ga, _ga_*) are loaded only after you accept analytics cookies. You can change your choice from Cookie choices in the footer, select Decline to keep essential cookies only, or opt out of GA via a browser extension. We do not use Facebook Pixel or ad-targeting cookies.

11. Third-Party Services

FightEdge uses the following external services:

  • Stripe — Payment processing for Pro subscriptions. Stripe receives your payment details (card number, billing address) directly — this data never touches our servers. See Stripe's Privacy Policy.
  • Google Analytics (GA4) — Optional usage analytics, loaded only after analytics-cookie acceptance, configured not to intentionally send account email, payment data, passwords, or user-entered betting notes. See Google's Privacy Policy.
  • Sentry — Error monitoring for application stability. May receive technical error data (stack traces, request URLs). No passwords or payment data is sent. See Sentry's Privacy Policy.
  • SendGrid — Email delivery for verification and notifications. Receives your email address when we send you emails. See Twilio/SendGrid Privacy Policy.
  • Amazon Web Services (AWS) — Cloud hosting and data storage. See AWS Privacy Policy.
  • Cloudflare — DNS, TLS/SSL, caching, and security/proxy services. Cloudflare may process IP addresses and request metadata as part of normal edge delivery.
  • Anthropic / Claude — AI-assisted fight narratives and selected admin/post-event diagnostic summaries. Fight/card/source context may be sent; passwords, payment card data, and private user betting logs are not intentionally sent.
  • CITO API — UFC event, fighter, rankings, and card-verification data. FightEdge sends event/fighter/card identifiers needed for verification; CITO odds endpoints are disabled by default because FightEdge uses The Odds API for odds.
  • The Odds API — Live sportsbook odds and market context. FightEdge sends sport/event/market identifiers, not private account data.
  • Browser push services — Browser/device push delivery providers such as Apple Push, Google/Firebase Cloud Messaging, and Mozilla Push may process push endpoints and encrypted notification delivery metadata when you enable push alerts.
  • Arctic Shift API — Public Reddit discussion threads for sentiment analysis. FightEdge sends public thread/search terms, not private account data.
  • MMA Intel / DRatings — Public prediction pages for expert consensus. FightEdge reads public page data and does not send private account data.
  • RapidAPI / Tapology wrapper — Optional camp/weight-cut and card-evidence enrichment when configured. FightEdge sends fighter or event identifiers needed for lookup.

12. Contact

For privacy questions or data requests, contact Scene Zero LLC via our contact form or by mail:

Scene Zero LLC
7901 4th N STE 300
St. Petersburg, FL 33702

13. Disclaimer

FightEdge is a product of Scene Zero LLC, provided for informational and entertainment purposes only. Predictions are not guaranteed and should not be the sole basis for betting decisions. Please gamble responsibly. If you or someone you know has a gambling problem, call 1-800-GAMBLER.