Privacy Policy
NTScore ("NTScore," "we," or "us") builds tools that help college athletes measure and share their on-platform reliability — and that help local businesses find athletes to work with. This policy describes what personal data we collect, how we use it, who we share it with, and what choices you have.
Who we are
NTScore is operated by NTScore, based in Hartford, Connecticut, USA. For any privacy question or to exercise the rights described below, write to legal@ntscore.com.
Data we collect
We collect information from three sources: directly from you when you create an account, fill in your profile, or participate in a deal; automatically when you use the service, such as session and security data; and from public Instagram profiles for handles you ask us to look up. We collect only what we need to operate the product. Specifically:
- Email address, used as your login identifier and for transactional email.
- A bcrypt hash of your password — we never store the password itself in plaintext and cannot recover it.
- Email-verification status and timestamp.
- Full name, sport, position, university, year, city/state, an optional bio, and an avatar image.
- Avatars are stored on our managed object storage; the URL is referenced from your athlete profile.
- Your Instagram handle and Instagram numeric user ID.
- Public profile data fetched through a third-party scraper: follower count, engagement rate, post count, public biography, profile picture, post cadence, and an estimate of local audience.
- We never receive your Instagram password and we cannot post from your account.
- A short verification code we ask you to place temporarily in your bio when you claim ownership of a handle.
- Your computed NIL Trust Score (300–850) and its component breakdown (deal history, engagement & reach, consistency, momentum, diversification).
- Records of deals you participate in: counterparty, deal type, amount, status, date, and any rating/review left after the deal closes.
- A referral code we issue to you and the relationship between accounts that signed up through one another.
- Session cookie (first-party only), creation IP address, last-seen IP address, and the user-agent string of the browser you logged in from.
- IP and timestamp of when verification or magic-link tokens were issued and consumed.
- Funnel events (e.g. signup started, score saved, share clicked) with timestamp, IP, and user agent. We use this to understand the conversion funnel; we do not build advertising profiles from it.
We do not knowingly process sensitive categories of data — race, religion, biometric data, precise geolocation, financial account numbers, government identifiers, or health data. If a deal requires tax forms (e.g. a W-9 for U.S. payouts), the form is handled by our payment processor and not stored in our own database.
How we use it
- Authenticating you and keeping your session secure.
- Computing and updating your NTScore.
- Showing your athlete profile to businesses on the marketplace.
- Sending transactional email — verification, password resets, deal status, security notices.
- Detecting abuse, fraud, fake handles, and policy violations.
- Understanding which parts of the product work and which don't (product analytics).
- Complying with legal obligations and responding to lawful requests.
Third-party processors
We rely on a small number of service providers to run the product. Each receives only the minimum data needed to perform its function and is bound by its own privacy commitments. We use providers in the following categories:
- Hosting and content delivery — runs the application, terminates HTTPS, and stores uploaded files such as profile pictures.
- Database — managed PostgreSQL that stores accounts, profiles, scores, and deals.
- Transactional email delivery — sends verification, password reset, deal status, and security messages to your email address.
- Public social-media data — fetches public Instagram profile data for handles you submit; we send only the public handle and never your password.
- Optional AI services — when an AI-powered feature is enabled, processes the specific text needed for that feature.
- Web fonts — typefaces loaded directly by your browser; the font provider sees the originating IP, as is standard for any web font.
The vendor stack may evolve as the product grows. The current list of named sub-processors in each category is available on request from legal@ntscore.com.
Data retention
We keep each category of personal information only as long as we need it for the purpose for which it was collected, or as required by law:
- Account, profile, and score data — for the life of your account.
- Deal records — for the life of your account and for as long as required to meet tax, accounting, and dispute-resolution obligations (typically up to 7 years after the deal closes).
- Cached Instagram data — refreshed regularly; older versions are overwritten, not archived.
- Unverified signup attempts — automatically deleted within 24 hours.
- Sessions and security events — until the session expires or you sign out; security logs kept for a limited investigation window.
- Telemetry events — retained no longer than reasonably necessary to understand product usage, then deleted or aggregated beyond personal identifiers.
When you ask us to delete your account, we remove your personal data within 30 days, except where applicable law requires us to retain specific records (for example, deal-related tax records).
Your rights
Subject to your local law, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and the data tied to it.
- Receive a copy of your data in a portable format.
- Withdraw consent for any optional processing, without affecting processing already done before the withdrawal.
- Object to or restrict certain types of processing.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, write to legal@ntscore.com. We will respond within the timeframe required by applicable law, generally 30–45 days. Before fulfilling a request we may need to verify your identity — typically by confirming you can access the email address on the account. California residents may designate an authorized agent to make a request on their behalf; we may ask the agent for written permission and may contact you directly to confirm. California residents have additional rights under the CCPA/CPRA, including the right not to be discriminated against for exercising those rights.
Minors
NTScore is intended for athletes age 16 and older. We do not knowingly accept signups from anyone under 16. Athletes between 16 and 18 must have permission from a parent or legal guardian before creating an account; by signing up you confirm that permission has been granted. If you believe a child under 16 has given us personal data, write to legal@ntscore.com and we will delete it.
Security
We hash passwords with industry-standard one-way functions, serve all traffic over HTTPS, and limit access to production data to the people who need it. No online service can promise absolute security; you are responsible for keeping your account password and any device you use to log in private.
Changes to this policy
We may update this policy as the product and the law evolve. The effective date at the top of this page reflects the latest revision. For material changes, we will email registered users and post a notice in the product before the change takes effect.
Contact
For any question about this policy or your data, write to legal@ntscore.com. Mail can be addressed to NTScore, Hartford, Connecticut, USA.