Privacy Policy
Effective Date: May 7, 2026
Last Updated: May 7, 2026
ParlayAPI ("ParlayAPI," "we," "our," or "us") is operated by Jacob Galperin, a sole proprietor based in New Jersey, United States. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the ParlayAPI service available at parlay-api.com (the "Service"), a business-to-business application programming interface that aggregates publicly available sports betting odds and player prop data for developers, operators, analysts, and software companies.
We are committed to protecting the privacy of our customers, prospective customers, and visitors to our marketing website. This policy is written in plain language wherever possible, but it is also intended to satisfy our disclosure obligations under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); the Virginia Consumer Data Protection Act ("VCDPA"); the Colorado Privacy Act ("CPA"); the Connecticut Data Privacy Act ("CTDPA"); the Texas Data Privacy and Security Act ("TDPSA"); the Utah Consumer Privacy Act; the EU General Data Protection Regulation ("GDPR"); the UK GDPR; and other applicable privacy laws.
If you have questions about this policy, please contact us at the address in Section 19.
1. Scope of This Policy
This policy applies to information we collect or process:
- When you create an account, log in, or otherwise interact with the ParlayAPI dashboard at parlay-api.com.
- When you make API requests to our endpoints using credentials we have issued to you.
- When you visit any page on our marketing website.
- When you click an outbound link to a sportsbook partner from one of our affiliate placements.
- When you contact us by email regarding billing, support, or privacy requests.
This policy does not cover:
- The privacy practices of sportsbooks, exchanges, or other third-party data sources whose publicly available odds we aggregate. ParlayAPI does not operate any sportsbook and we are not a licensed gaming operator.
- The privacy practices of Stripe, our payment processor, which are governed by Stripe's own published privacy notice.
- The privacy practices of any sportsbook you choose to sign up with after clicking an affiliate link. Once you leave parlay-api.com, you are subject to the destination operator's own terms and privacy policy.
- Your use of any open-source code we publish on GitHub or elsewhere.
2. Information We Collect
We have intentionally designed ParlayAPI to collect a narrow set of information. We do not run targeted advertising, we do not embed third-party trackers, and we do not maintain consumer profiles for marketing purposes.
2.1 Account Information
When you register for a ParlayAPI account, we collect:
- A working email address.
- An optional display name or company name.
- A password, which we store only as a hash generated using PostgreSQL's SCRAM-SHA-256 mechanism. We never store, log, or transmit your plaintext password.
- The API key or keys associated with your account. API keys are random strings generated at issuance; they are not derived from any personal identifier.
If you contact us for support, we may also collect any information you voluntarily include in that correspondence (for example, the contents of an email).
2.2 Payment Information
Billing for paid plans is handled exclusively by Stripe, Inc. ("Stripe"). When you enter card or banking information on a Stripe-hosted form or via Stripe Elements, that information goes directly to Stripe. ParlayAPI does not receive, store, or process your full card number, CVC, or bank account number.
What we do receive and retain from Stripe is limited to:
- A Stripe customer identifier.
- Your subscription status (active, past due, canceled, etc.).
- The last four digits and brand of the card on file (for display in your dashboard so you can confirm which card is being charged).
- Invoice IDs, payment timestamps, and amounts charged.
- Country of issuance, which Stripe returns for tax and fraud purposes.
For complete information on how Stripe handles cardholder data, please see Stripe's privacy notice at stripe.com/privacy.
2.3 API Usage Information
For every authenticated request to our API, we record:
- The API key or account identifier used.
- The endpoint requested (for example, /v1/odds or /v1/props).
- Query parameters (which may include sport, league, market, or event identifiers, but do not by design include personal information about end users).
- The HTTP status code returned and the response size.
- The originating IP address.
- The User-Agent header sent by your client.
- A timestamp.
- A small amount of latency and error metadata used for capacity planning.
We use this information for billing (request counts against your plan), rate limiting, abuse detection, capacity planning, and debugging. We do not use API logs to build behavioral profiles for advertising.
2.4 Affiliate Click Logs
Some pages on parlay-api.com include outbound links to licensed sportsbook operators with whom we have an affiliate relationship. When you click one of these links, we record:
- A truncated, salted hash of your IP address (we do not store the full IP for this purpose).
- The User-Agent header.
- The HTTP referrer (the page on parlay-api.com that you clicked from).
- Any UTM parameters in the URL.
- A timestamp.
- The destination partner identifier.
We use this information to substantiate affiliate commissions, prevent click fraud, and understand which content is useful to our audience. We do not associate affiliate click logs with your ParlayAPI account.
2.5 Self-Hosted Analytics
Our marketing website uses Umami, a privacy-respecting analytics tool, hosted on infrastructure we control. Umami collects aggregate page-view information including:
- The page URL.
- The referring URL.
- A coarse approximation of country, derived from IP and discarded after country lookup.
- The browser, operating system, and device type strings.
- A daily-rotating, salted hash that lets us approximate "unique sessions" without storing a persistent user identifier.
Umami does not set persistent cookies, does not use cross-site identifiers, and does not transmit data to Google, Facebook, or any other third-party advertiser. We do not run Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, or any comparable third-party tracking technology on parlay-api.com.
2.6 Server Logs
Our web servers generate operational logs (for example, request paths, response codes, and IP addresses) for the purpose of detecting attacks, debugging outages, and meeting basic operational obligations. These logs are retained on a short rolling window and are not used for marketing.
2.7 Information We Do Not Collect
To make this concrete, ParlayAPI does not collect or process:
- Government identifiers, Social Security numbers, driver's license numbers, or passport numbers.
- Precise geolocation data.
- Biometric identifiers.
- Health information.
- Information about the religious, political, sexual, or union-related views of any individual.
- Information about end users of your applications. We have no relationship with, and receive no information about, the people who ultimately use products you build with ParlayAPI.
3. How We Collect Information
We collect information through:
- Account forms on parlay-api.com (registration, login, password reset, billing).
- API requests that you or your application send to our endpoints, which necessarily include the metadata described in Section 2.3.
- Stripe webhooks, which deliver subscription and invoice events back to us.
- Server access logs generated automatically by our web infrastructure.
- First-party session cookies as described in Section 5.
- Self-hosted Umami analytics on the marketing site.
- Email correspondence that you initiate with us.
We do not buy personal information from data brokers, list providers, or any other third party.
4. How We Use Information
4.1 Providing and Maintaining the Service
We use account information and API keys to authenticate your requests, route them to the right backend, enforce your plan limits, and return data to you. Without this information, the Service cannot function.
4.2 Billing
We use your Stripe customer identifier and our internal API usage logs to generate invoices, charge subscription fees, calculate overage fees if applicable, and confirm payment.
4.3 Abuse Detection and Security
We use IP addresses, User-Agent strings, request patterns, and authentication logs to detect credential sharing, abuse outside of our terms, denial-of-service attempts, brute-force attacks against our login endpoints, and other abusive behavior. We may temporarily or permanently block requests that we reasonably believe are abusive.
4.4 Product Improvement
We use aggregate, non-identifying analytics to understand which endpoints are most useful, where the Service has performance issues, and which marketing pages are most informative. Where possible, we work from aggregate counts rather than per-account data.
4.5 Communicating With You
We may use your email address to send you transactional messages (account confirmations, billing receipts, security notices, material changes to this policy, and outage notifications). We may also send occasional product update emails. You may opt out of non-transactional emails at any time by replying with the word "unsubscribe" or by contacting privacy@parlay-api.com.
4.6 Legal Compliance
We may use and retain information as necessary to comply with applicable law, respond to lawful requests from public authorities, enforce our Terms of Service, and protect our rights and the rights of our customers.
4.7 Affiliate Program Operations
We use affiliate click logs to confirm commissions earned, audit partner reporting, and prevent fraudulent click activity.
5. Cookies and Similar Technologies
ParlayAPI uses a deliberately small set of cookies. We use only first-party cookies set by parlay-api.com itself.
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintains your login session in the dashboard. | Session |
| Auth/CSRF token | Protects against cross-site request forgery on dashboard forms. | Session |
| Umami daily hash | Allows our self-hosted analytics to approximate unique visits without persistent tracking. | 24 hours |
We do not use cookies for advertising, retargeting, cross-site tracking, or building profiles of you or any visitor. We do not allow third-party advertising networks to set cookies on parlay-api.com.
You can disable cookies in your browser settings. If you disable session cookies, you will not be able to log in to the dashboard, but the public marketing site will continue to function.
6. How We Share Information With Third Parties
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under California, Virginia, Colorado, Connecticut, Texas, or any other applicable US state privacy law.
We share information only in the limited circumstances below.
6.1 Stripe (Payment Processing)
We share with Stripe, which acts as our payment processor, the information necessary to provision your account and charge for subscriptions. The categories of information Stripe receives directly from you (card number, etc.) are governed by Stripe's privacy notice.
6.2 Cloud Infrastructure Providers
We use commercial cloud hosting providers (including, at the time of this writing, Cloudflare for edge networking and a US-based virtual private server provider for application hosting) to operate the Service. These providers process limited information on our behalf, under written agreements that restrict their use of the data to providing services to us.
6.3 Email Delivery
If we send you transactional or product-update email, the message will pass through a commercial email-sending provider that operates under standard data-processing terms. The provider does not use your email address for its own marketing purposes.
6.4 Affiliate Partners
When you click an outbound affiliate link, the destination sportsbook receives standard HTTP referral information, including any UTM parameters and our affiliate identifier. We do not pass the sportsbook your name, email address, or any other information from your ParlayAPI account.
6.5 Legal Disclosures
We may disclose information in response to a valid subpoena, court order, or other lawful request from a government authority, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud. Where legally permissible, we will attempt to notify you before disclosing your information.
6.6 Business Transfers
If ParlayAPI is acquired, merged, reorganized, or sold (in whole or in part), customer information may be transferred as part of that transaction. We will require any successor entity to honor the commitments in this policy or notify you of any material changes.
6.7 No Sale, No Share, No Targeted Advertising
To restate clearly: ParlayAPI does not sell personal information for monetary or other valuable consideration, does not share personal information for cross-context behavioral advertising, does not engage in profiling that produces legal or similarly significant effects, and does not allow third parties to use information collected through the Service for their own marketing.
7. International Data Transfers
ParlayAPI is operated from the United States, and our infrastructure is hosted in the United States. If you access the Service from outside the United States, including from the European Economic Area, the United Kingdom, Switzerland, Canada, or Australia, your information will be transferred to and processed in the United States.
Where required by GDPR or UK GDPR, transfers from the EEA, the United Kingdom, or Switzerland to the United States are made under the European Commission's Standard Contractual Clauses or the equivalent UK Addendum, as updated. By using the Service from outside the United States, you acknowledge that the United States may have data protection laws that differ from those in your jurisdiction.
8. Data Retention
We retain personal information only as long as we have a legitimate purpose for keeping it.
- Active accounts: We retain account information, API keys, and billing records for the life of the account, plus any period required to satisfy tax, accounting, or legal obligations.
- Closed or canceled accounts: When you delete your account, we purge identifying account information from production systems within 90 days. Some information (for example, paid invoices) may be retained longer where required by law (typically up to seven years for tax and accounting records).
- API request logs: We retain detailed per-request logs for a rolling window appropriate to billing and abuse detection. Older logs are aggregated or anonymized.
- Affiliate click logs: We retain click logs in identifiable form for the period required to substantiate commissions to our partners, after which they are aggregated.
- Self-hosted analytics: Aggregate, non-identifying analytics may be retained indefinitely.
- Backups: Encrypted backups are kept on a rolling schedule. Information removed from production may persist in backups until those backups age out, after which it is overwritten.
If you would like a more specific retention period for a category of information that affects you, please contact us at the address in Section 19.
9. Security Practices
We take security seriously and apply commercially reasonable safeguards to protect personal information. These include:
- Encryption in transit: All connections to parlay-api.com and to our API endpoints are served over HTTPS using modern TLS configurations.
- Encryption at rest: Our application database and our backup volumes are encrypted at rest using disk-level encryption provided by our hosting infrastructure.
- Password hashing: User passwords are stored only as SCRAM-SHA-256 hashes generated by PostgreSQL. Plaintext passwords are never logged or stored.
- Access control: Production database credentials, API keys, and infrastructure access are restricted to the founder. We use least-privilege access for any operational tooling.
- Network controls: API and dashboard endpoints are fronted by a commercial edge network that performs basic DDoS mitigation, bot filtering, and TLS termination.
- Periodic security review: We periodically review our application dependencies, secret rotation practices, and access logs.
- Incident response: We maintain an internal procedure for responding to suspected security incidents.
No system is perfectly secure, and we do not represent that the Service is invulnerable to attack. We commit to operating in good faith, applying patches in a timely manner, and notifying affected users when notification is required by law.
10. Your Privacy Rights
Subject to verification of your identity and to the limits permitted by applicable law, you may have the following rights regarding personal information we hold about you. Some of these rights are granted by all major US state privacy laws and the GDPR; others are jurisdiction-specific and are described in Sections 13 and 14.
10.1 Right to Know / Right of Access
You may request confirmation that we are processing personal information about you, a description of the categories of personal information we collect, the sources of that information, the business purpose for collecting it, the categories of third parties with whom we share it, and a copy of the specific pieces of personal information we hold about you.
10.2 Right to Delete
You may request deletion of personal information we have collected from you, subject to exceptions for information we are required to retain to provide the Service to you, complete a transaction, detect fraud, comply with law, or exercise legal rights.
10.3 Right to Correct
You may request that we correct inaccurate personal information that we maintain about you.
10.4 Right to Data Portability
You may request a copy of your personal information in a portable, machine-readable format (such as JSON or CSV) where technically feasible.
10.5 Right to Opt Out of Selling and Sharing
We do not sell personal information and we do not share it for cross-context behavioral advertising, so there is nothing for you to opt out of. We provide this disclosure for clarity.
10.6 Right to Limit the Use of Sensitive Personal Information
We do not collect "sensitive personal information" as that term is defined under the CCPA/CPRA for the purpose of inferring characteristics about you. To the extent that account credentials are treated as sensitive, we use them only to authenticate you and operate the Service; you may delete your account at any time to terminate that processing.
10.7 Right Against Automated Decision-Making and Profiling
We do not engage in solely automated decision-making that produces legal or similarly significant effects on you.
10.8 Right to Non-Discrimination
We will not deny you the Service, charge you a different price, provide a different level of quality, or retaliate against you for exercising any of your privacy rights.
10.9 Right to Appeal
If we deny a privacy request you have submitted, you have the right to appeal that decision. Instructions will be included in our response. If your appeal is unsuccessful, you may contact your state attorney general or applicable supervisory authority.
11. How to Exercise Your Rights
To exercise any of the rights described in Section 10, please email privacy@parlay-api.com from the email address associated with your account, and include:
- The right you are exercising (for example, "right to delete").
- A description of the information your request covers, where applicable.
- Enough detail for us to verify your identity. For most requests, replying from the registered account email is sufficient. For more sensitive requests, we may ask you to confirm specific facts about your account.
We will acknowledge receipt within 10 business days and will substantively respond within 45 days, with a possible extension of an additional 45 days where reasonably necessary, in which case we will tell you why we need more time. There is no fee for a request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline the request, with an explanation.
You may also designate an authorized agent to make a request on your behalf. We will require written authorization and may require you to verify your identity directly.
12. Children's Privacy
ParlayAPI is intended for adult developers and businesses. The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at the address in Section 19.
In addition, the Service is not intended for users under the age of 18, given that sports betting is restricted to adults in jurisdictions where it is legal. By creating an account, you represent that you are at least 18 years old (or 21 in jurisdictions where that is the legal sports-wagering age).
13. California-Specific Disclosures (CCPA/CPRA)
This section supplements the information above for California residents.
Categories of personal information we have collected in the past 12 months:
- Identifiers (name, email address, IP address, account identifier).
- Customer records information (billing details held by Stripe; last four digits of card stored by us for display).
- Commercial information (subscription plan, transaction history).
- Internet or electronic network activity (API request metadata, server logs, page views via self-hosted analytics).
- Geolocation, only at the level of country, derived and discarded as described in Section 2.5.
- Inferences: we do not draw inferences about individual consumers for marketing purposes.
Categories of sources are described in Section 3.
Business purposes for collection are described in Section 4.
Categories of third parties with whom information is disclosed for a business purpose are described in Section 6.
Sale and Sharing: We have not sold personal information and we have not shared personal information for cross-context behavioral advertising in the prior 12 months, and we do not intend to do so going forward.
California residents may exercise the rights described in Section 10 by following the procedure in Section 11. We do not discriminate against California residents who exercise their rights under the CCPA/CPRA.
Notice of Financial Incentive: We do not offer financial incentives in exchange for personal information.
"Shine the Light" (Cal. Civ. Code 1798.83): California residents may request information regarding our disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information for third-party direct marketing.
14. EU, UK, and EEA Disclosures (GDPR / UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, ParlayAPI acts as the controller of personal information processed about you in connection with the Service.
Lawful bases for processing:
- Performance of a contract (Article 6(1)(b)) for processing necessary to provide the Service to you, including authentication, request handling, billing, and customer support.
- Legitimate interests (Article 6(1)(f)) for processing necessary for security, fraud prevention, abuse detection, aggregate analytics, and the operation and improvement of the Service. Our legitimate interests are balanced against your rights and freedoms; you may object to processing on this basis.
- Compliance with legal obligations (Article 6(1)(c)) for processing required to satisfy tax, accounting, or law enforcement obligations.
- Consent (Article 6(1)(a)) where we ask for it (for example, optional product update emails). You may withdraw consent at any time without affecting prior processing.
In addition to the rights in Section 10, EEA, UK, and Swiss residents have the right to object to processing based on legitimate interest, the right to restrict processing in certain circumstances, and the right to lodge a complaint with their local supervisory authority. We will not retaliate against you for exercising these rights.
International transfers from the EEA, UK, or Switzerland to the United States are made under appropriate safeguards as described in Section 7.
We do not currently have an EU representative because we are not subject to Article 27 GDPR (the Service is offered to businesses, not directed to consumers in the EEA, and our processing is limited). If this changes, we will appoint a representative and update this policy.
15. Affiliate Program Disclosures
Some content on parlay-api.com includes outbound links to licensed sportsbook operators with whom we have an affiliate relationship. If you click one of those links and subsequently sign up or transact with the destination operator, ParlayAPI may earn a commission. Affiliate relationships do not influence the technical data we publish through the API, which is sourced from each operator's public surfaces and presented as-is.
We are not a sportsbook, we do not accept wagers, and we do not control the offerings, terms, or privacy practices of any sportsbook. Once you click through to a sportsbook, you are subject to that operator's terms and privacy policy.
ParlayAPI promotes responsible play. If you or someone you know has a gambling problem, please contact the National Council on Problem Gambling helpline at 1-800-GAMBLER or visit ncpgambling.org.
16. Do Not Track and Global Privacy Control
Our website honors the Global Privacy Control ("GPC") browser signal. When we detect a GPC signal, we treat it as a valid request to opt out of any sale or sharing of personal information for the browser making the request, even though we do not engage in selling or sharing as defined under applicable law.
Because there is no consensus standard for the older "Do Not Track" header, we do not respond differently to a Do Not Track signal as a separate matter, but our practices already align with what most users intend by sending such a signal: we do not run third-party advertising trackers and we do not build cross-site profiles.
17. Data Breach Notification
If we discover a security incident that has compromised personal information in a manner that triggers notification obligations under applicable law, we will notify affected users and the appropriate regulators within the timeframes required by law. Where law does not specify a timeframe, we will aim to notify affected users without undue delay after we have confirmed the scope of the incident and consulted with counsel as necessary.
Notifications will describe, to the extent then known, the nature of the incident, the categories of information involved, the steps we have taken to contain and remediate it, and recommended steps you can take to protect yourself.
18. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. If we make material changes, we will provide additional notice (for example, by emailing the address on file or by displaying a prominent notice in the dashboard) before the changes take effect. Your continued use of the Service after the effective date of an updated policy means that you accept the updated terms.
We will keep prior versions of this policy available on request.
19. How to Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact:
ParlayAPI
Attn: Privacy
c/o Jacob Galperin
New Jersey, United States
Email: privacy@parlay-api.com
For privacy requests, please use the email channel above so that we can verify your identity through the address on file. We aim to acknowledge inbound privacy correspondence within 10 business days and substantively respond within 45 days as described in Section 11.
If you are a California, Virginia, Colorado, Connecticut, Texas, Utah, or other US state resident and you believe we have not adequately addressed your privacy request, you may also contact your state attorney general. If you are an EEA, UK, or Swiss resident, you may lodge a complaint with your local data protection authority.