Privacy Policy

This Privacy Policy explains what information OverOwned LLC ("OverOwned," "we," "us," or "our") collects, how we use it, and the choices you have regarding your information when you use the OverOwned Service ("Service"), located at overowned.io and app.overowned.io.

1. Information We Collect

We collect only what's necessary to operate the Service.

Information you provide directly:

• Your email address, when you purchase a Season Pass or claim a Day Pass.
• Payment information, when you purchase a Season Pass. Payment details (credit card numbers, billing address) are collected and stored by Stripe — OverOwned does not see, store, or have access to your payment card data.

Information collected automatically:

• Basic technical metadata: IP address, browser type, device type, referring URL, and pages visited. Used for security, fraud prevention, and aggregate analytics.
• Authentication session tokens, stored in cookies on your device, to keep you signed in to the Service.

Information we do NOT collect:

• Your name (unless you voluntarily provide it via support email).
• Your physical address (other than for tax purposes via Stripe, where required by law).
• Your phone number.
• Your social security number, government IDs, or financial account numbers.
• Your contacts, location data beyond IP, or device identifiers beyond what your browser provides.

2. How We Use Your Information

• To provide the Service. We use your email to send sign-in links (magic links) and to associate your account with your active Season Pass or Day Pass.
• To process payments. Stripe processes payments and is contractually bound by Stripe's own privacy and security obligations.
• To send transactional and product communications. Including sign-in links, purchase receipts, and (for Season Pass holders) occasional product updates and Season 2 announcements. You may opt out of non-essential communications at any time.
• To prevent fraud and abuse. We may review IP addresses and email patterns to detect duplicate-account creation or unauthorized access attempts.
• To comply with law. Where required, we will disclose information in response to lawful legal processes.

3. Sub-Processors and Third-Party Services

OverOwned uses the following service providers ("sub-processors") to operate the Service. Each is contractually obligated to handle data securely.

Provider	Purpose	Data Shared
Stripe, Inc.	Payment processing	Email, payment details, billing address
Supabase, Inc.	User authentication & database	Email, session tokens, account metadata
Resend, Inc.	Transactional email delivery	Email address, message content
Netlify, Inc.	Web hosting & serverless functions	IP address, basic request metadata

4. Cookies and Local Storage

The Service uses cookies and browser local storage for authentication (keeping you signed in) and basic operation. We do not use third-party advertising cookies or analytics trackers that profile you across sites. You may clear cookies via your browser settings, but doing so will sign you out of the Service.

5. Data Retention

We retain your account information for as long as your access is active and for a reasonable period after expiration to support tax, accounting, fraud-prevention, and legal-defense obligations. Specifically:

• Email and account records: Retained for the duration of your active access plus seven (7) years for tax and dispute-resolution purposes, then deleted.
• Payment records: Retained per Stripe's standard retention policies and applicable financial-record-keeping law.
• Day Pass records: Retained indefinitely (without ongoing access) so we can prevent duplicate redemptions across seasons.

6. Your Rights

Depending on where you live, you may have the right to:

• Request a copy of the personal information we hold about you;
• Request correction of inaccurate information;
• Request deletion of your information, subject to legal-retention obligations;
• Opt out of non-essential communications at any time;
• Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email support@overowned.io with a clear description of your request. We will respond within 30 days.

7. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the rights described in Section 6 above. We do not sell or share personal information for cross-context behavioral advertising. To submit a verifiable consumer request, email the address above.

8. EU/UK Residents (GDPR)

If you are in the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation, including the rights to access, rectification, erasure, restriction, portability, and objection. The lawful basis for our processing is contract performance (providing the Service you purchased) and legitimate interest (security and fraud prevention).

9. Security

We use industry-standard security measures including HTTPS encryption in transit, encrypted database storage at rest (via Supabase), and least-privilege access controls. No system is perfectly secure, however. If you become aware of a security issue, please email us immediately at the address above.

10. Children

The Service is not directed to anyone under 18. We do not knowingly collect information from anyone under 18. If you believe a minor has provided information to us, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted at this URL with an updated effective date. For significant changes, we will also email Season Pass holders.

12. Contact

Questions about this Privacy Policy or your information? Email support@overowned.io.