← Stat Notes / Privacy Policy

Privacy Policy

How Stat Notes collects, uses, stores, and protects personal data. Written to answer the questions an enterprise procurement team and a GDPR data subject will actually ask.

Last updated: April 15, 2026 · Owner: Colin DeFord, Founder · [email protected]

Draft notice

This is a working draft of the Stat Notes Privacy Policy. Final legal text will be reviewed by counsel before any production contract is signed. The substance below accurately describes current practice; the phrasing is subject to legal review.

1. Introduction — who we are

Stat Notes is a software-as-a-service (SaaS) product that delivers real-time statistical notes from a broadcast stats desk to on-air talent monitors. It is operated by Fat Brain Group, LP ("Stat Notes," "we," "us"). The founder and operator of record is Colin DeFord.

This Privacy Policy describes how we collect, use, disclose, and protect personal data when you or your organization use the Stat Notes service at statnotes.app and any tenant subdomain (e.g. customer.statnotes.app). It applies to tenant administrators, end users within a tenant, and visitors to the marketing site.

For the avoidance of doubt: we are a data processor with respect to the content a customer's users place inside their workspace (notes, user accounts, audit log entries), and a data controller with respect to the account and billing information we collect directly from a tenant administrator.

2. Information we collect

We collect only the information we need to operate the service. No marketing profiles. No device fingerprints. No behavioral tracking.

Account information

Email address — used as the primary user identifier and for authentication (magic-link or SSO).
Name — first name, and optionally last name. Used to display "who sent a note" inside the workspace.
Tenant slug — the short identifier chosen by a tenant administrator (e.g. acme for acme.statnotes.app).
Role assignment — whether a user is a standard user, admin, or super-admin within their tenant.

Authentication and session data

Bcrypt-hashed password — only if the tenant chooses to use password authentication. Magic-link and SSO tenants store no password.
SSO configuration — OIDC client IDs, SAML entity IDs, IdP metadata URLs, signing certificates. Secrets are AES-256-GCM encrypted at rest.
Session cookie — a server-side session record keyed to a signed, HTTP-only, Secure, SameSite=Lax cookie scoped to the tenant subdomain.

Technical and audit data

IP address — recorded against each authentication event and each note send.
User-agent string — recorded against each authentication event.
Audit log entries — actor, event, metadata, IP, user-agent, and timestamp for every login, note send, admin configuration change, role grant, billing event, and SSO round-trip. See the Security Overview, §7.
Application logs — standard server logs retained for operational troubleshooting. These contain IPs and request paths but are not used for analytics.

Customer content

Notes — the text and simple HTML content a tenant's operators send to their talent monitors during a broadcast.
Display token metadata — labels, CIDR allowlists, and revocation status for each display endpoint the tenant has configured.

Billing information

Stripe customer ID, subscription ID, invoice history — stored on our side to link a tenant to its Stripe records.
Payment card details — never touch our servers. They are collected and stored by Stripe under its PCI-DSS Level 1 certification. We only receive a token reference and non-sensitive metadata (brand, last four, expiration month/year) from Stripe for display in the admin page.

What we do not collect

No third-party analytics (no Google Analytics, no Segment, no Mixpanel, no Amplitude, no Plausible, no Fathom).
No advertising identifiers, no cross-site trackers, no device fingerprints.
No marketing profiles, no inferred demographics, no lead-scoring.
No audio, no video, no webcam, no microphone, no location services.
No content of any kind from browsers that are not logged in to a Stat Notes tenant.

3. How we use information

We use the information described in §2 only for the following purposes:

Authentication — verifying that a user requesting access to a tenant is actually a member of that tenant.
Providing the service — routing a note from an operator's keyboard to the correct talent monitor on the correct tenant subdomain within a fraction of a second.
Billing — invoicing, subscription management, renewal processing, and dunning, executed by Stripe on our behalf.
Security and abuse prevention — rate-limiting, audit logging, incident response, and investigating suspected unauthorized access.
Service communication — sending transactional emails (magic links, billing receipts, trial expiry reminders, security alerts, and material policy changes). We do not send marketing email.
Legal compliance — responding to valid legal process and honoring data subject requests.

We do not use personal data for advertising. We do not sell personal data. We do not share personal data with data brokers. We do not use customer content to train machine-learning models, ours or anyone else's.

4. Legal basis for processing (GDPR)

For individuals in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under Article 6 of the GDPR / UK-GDPR:

Purpose	Legal basis
Providing the contracted SaaS to the tenant	Contract — Art. 6(1)(b). Necessary to perform our agreement with the customer.
Billing and subscription management	Contract — Art. 6(1)(b).
Security, audit logging, fraud prevention	Legitimate interest — Art. 6(1)(f). Necessary to secure our service and protect customers; balanced against the minimal data retained.
Transactional service communication	Contract — Art. 6(1)(b) for magic links and receipts; legitimate interest for security alerts.
Responding to data subject requests and legal process	Legal obligation — Art. 6(1)(c).
Any future optional feature requiring consent	Consent — Art. 6(1)(a). Withdrawable at any time; we have none of these today.

5. Sub-processors

We use the following sub-processors to deliver the service. Each has been selected for its security posture and its willingness to sign a Data Processing Addendum. We do not add sub-processors without updating this list.

Sub-processor	Role	Data processed	Privacy policy
Cloudflare, Inc.	CDN, DNS, WAF, DDoS protection, TLS termination at the edge for every tenant subdomain	IP addresses, request metadata, TLS handshake data	cloudflare.com/privacypolicy
Stripe, Inc.	Payment processing, subscription management, invoicing	Billing email, card details (held by Stripe only), subscription status, invoice history	stripe.com/privacy
Hostinger International Ltd.	VPS hosting (origin server) and transactional email (SMTP) for magic links and service notifications	Email addresses, magic-link bodies (in transit only), application and database files on the VPS	hostinger.com/privacy-policy

We do not use any analytics, tag manager, marketing automation, advertising, A/B testing, session-replay, or behavioral-tracking vendor. The list above is the complete list.

6. Data retention

Tenant workspace data (users, notes, display tokens, SSO configuration) — retained for the lifetime of the subscription plus 30 days after cancellation, then deleted. The 30-day grace period exists so that a customer who cancels in error can be restored.
Audit log entries — retained for the full lifetime of the subscription, then deleted along with the rest of the workspace at the end of the 30-day grace period. Audit logs are retained in full (rather than rolled up) because our customers' security teams may need to reconstruct a past incident.
Billing records — retained for as long as required by tax, accounting, and anti-fraud obligations under applicable law, typically seven years, even after the workspace itself is deleted.
Server and application logs — retained for a short operational window (typically 30 days) for troubleshooting, then rotated out.
Backups — encrypted nightly backups that contain deleted data are rotated out within 30 days of the deletion.
Deletion on request — a tenant administrator can request immediate deletion at any time; we will process the request within 7 business days and purge backups on the normal 30-day rotation.

7. Your rights as a data subject

If you are in the European Economic Area, the United Kingdom, Switzerland, California, or another jurisdiction with equivalent data protection law, you have the following rights with respect to the personal data we hold about you. We honor these rights for every data subject regardless of location.

Right of access (GDPR Art. 15) — you may request a copy of the personal data we hold about you and information about how it is processed.
Right to rectification (Art. 16) — you may request that we correct inaccurate or incomplete personal data.
Right to erasure / "right to be forgotten" (Art. 17) — you may request deletion of your personal data, subject to exceptions for data we are legally required to retain (e.g. billing records).
Right to restriction of processing (Art. 18) — you may ask us to stop processing your data while a request is being resolved.
Right to data portability (Art. 20) — you may request a machine-readable export of your data. We provide audit logs, notes history, and user lists as JSON or CSV.
Right to object (Art. 21) — you may object to processing based on legitimate interest; we will honor the objection unless we demonstrate compelling legitimate grounds.
Right not to be subject to automated decision-making (Art. 22) — we do not make any automated decisions with legal or similarly significant effects. This right is trivially satisfied because no such processing occurs.
Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint — with your local supervisory authority (e.g. the ICO in the UK, the CNIL in France, your state DPA in the EU).

California residents have parallel rights under the CCPA/CPRA (right to know, delete, correct, and opt out of "sale" or "sharing"). We do not sell or share personal information as those terms are defined by the CCPA/CPRA.

8. How to exercise your rights

Email [email protected] with the subject line "Data Subject Request" and a short description of what you are asking for. You do not need a template; a plain-English request is fine.

We will acknowledge receipt within 5 business days and respond substantively within 30 days (or within the shorter period required by applicable law). If we need to extend the response window because of the complexity or volume of a request, we will tell you why and when to expect a response.

If you are an end user within a tenant (for example, a user at an ESPN-run workspace), your tenant administrator is your first point of contact for access, correction, and deletion — they can do all of those things directly in the admin page. If they are unable to help, we will route a request through them to preserve the customer relationship.

We will verify the identity of the requestor before fulfilling a request. For tenant users, verification is typically done by confirming the request from the email address on file. For larger requests, we may ask for additional verification.

9. International data transfers

Stat Notes hosts all production data in the United States, single region, no cross-border replication (see the Security Overview, §8). Cloudflare operates a global edge network and may terminate TLS and serve cached assets from points of presence outside the United States, but the origin database and application server are US-based.

For customers and data subjects in the European Economic Area, the United Kingdom, or Switzerland, we are happy to enter into the Standard Contractual Clauses (SCCs) published by the European Commission (Module 2: controller-to-processor) as part of a Data Processing Addendum. The UK IDTA and the Swiss addendum are available on the same basis. Email [email protected] to request a DPA.

We have performed a transfer impact assessment aligned with the Schrems II framework. Our technical safeguards (TLS 1.3 in transit, AES-256-GCM for secrets at rest, strict tenant isolation, minimal data collection) are designed to provide protection equivalent to EU standards against unauthorized access, including government access requests. We will notify affected customers of any government request for their data to the extent legally permitted.

10. Security

The technical and organizational measures we use to protect personal data are described in detail on the Security Overview. The summary:

TLS 1.3 end-to-end, browser to database.
Secrets AES-256-GCM encrypted at rest, with a Key Encryption Key held out-of-band.
Multi-tenant isolation enforced at the row, session, and route layers.
Append-only audit logging of every security-relevant event.
OIDC and SAML SSO with full protocol-level controls.
Cloudflare WAF/DDoS protection on every tenant subdomain.
Breach notification within 72 hours of confirmation, per our standard DPA.

No security program is perfect, and we are honest about the gaps we have not yet closed — see the Compliance posture and known gaps section of the Security Overview.

11. Cookies

Stat Notes uses the smallest set of cookies that a functional web application can use. We do not use advertising cookies, analytics cookies, or tracking cookies of any kind.

Cookie	Purpose	Lifetime	Type
`connect.sid` (or equivalent session cookie)	Authenticated session, scoped to the tenant subdomain	Session / short absolute timeout	Strictly necessary
CSRF token cookie	Prevents cross-site request forgery on state-changing requests	Session	Strictly necessary
Cloudflare operational cookies (e.g. `__cf_bm`)	Bot management and edge performance, set by Cloudflare	Up to 30 minutes	Strictly necessary

Because we only use strictly-necessary cookies, we do not display a cookie consent banner. No analytics, advertising, or tracking cookies are set on any page, authenticated or public. Talent monitor display endpoints are entirely cookie-free.

12. Children

Stat Notes is a business-to-business tool for professional broadcast operations. It is not directed at children and is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, email [email protected] and we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time — for example, to reflect a new sub-processor, a new feature, or a change in applicable law. When we make a material change, we will:

Update the "Last updated" date at the top of this page.
Notify tenant administrators via email at the address on file.
For changes that expand the ways we process personal data, give customers a reasonable window to object before the change takes effect.

Historical versions of this policy are available on request.

14. Contact

Privacy questions, data subject requests, DPAs, SCCs, or anything else in this policy:

Email: [email protected]
Subject line: "Privacy" or "Data Subject Request"
Owner: Colin DeFord, Founder
Legal entity: Fat Brain Group, LP
Response target: acknowledgment within 5 business days, substantive response within 30 days

If your organization requires an EU or UK representative under GDPR Article 27, contact us to discuss — we will appoint one as part of the DPA process where required.