Privacy Policy
Effective: 2026-05-25 · Last updated: 2026-05-25
ColesAlgoPicks ("the site," "we") operates colesalgopicks.com, hrk.colesalgopicks.com (The Home Run King), and related subdomains. This page describes what data we collect, why, and what your rights are.
Short version: we don't sell your data, we don't run ads, we don't share with third parties. We collect the minimum needed to run the product, and you can delete your account anytime.
What we collect
- Anonymous browsing: by default, nothing personal — we use your browser's localStorage for app state (watchlist, parlay slip, tracker bets, reactions). That data lives on your device only.
- If you sign in with Discord (optional): we receive and store your Discord user ID, username, display name, and avatar URL — solely to identify you across devices. We use the identify scope only — no access to your servers, friends, messages, or anything else.
- Account data: your synced localStorage contents (watchlist, slip, bets, reactions, comments), session tokens (hashed), and any profile fields you explicitly set (display name override, bio, avatar URL).
- Server logs: standard Cloudflare HTTP logs (IP, user-agent, request URL, timestamp) used for abuse detection and uptime monitoring. Retained for 30 days max, then auto-deleted by Cloudflare.
What we don't collect
- No payment data. The site is free during launch; no checkout, no card numbers.
- No third-party trackers. No Google Analytics, no Facebook Pixel, no advertising SDKs.
- No location data beyond what your IP address implies for server logs.
- No background telemetry. We don't track your browsing on other sites.
How we use it
- To deliver the product: cross-device sync of your saved state, signed-in personalization, account-level features (My Account, profile, etc.).
- To detect abuse: rate limiting, blocking malicious bots, investigating suspicious sign-in patterns.
- To improve the product: aggregate, non-identifying patterns (e.g., "X people signed in today") — never individual behavior.
Who we share it with
Nobody, with two unavoidable exceptions:
- Discord when you sign in — they validate your identity and return your user info to us via OAuth. Their privacy policy: discord.com/privacy.
- Cloudflare hosts the site and processes every HTTP request. Their privacy policy: cloudflare.com/privacypolicy.
Your rights
- Delete your account anytime from /app/account.html — wipes your profile, sessions, synced state, and any stored history.
- Export your data — request a copy of everything we have via the email below.
- Stay anonymous — the site works fully without sign-in. The sign-in CTA is dismissible.
Cookies
We set exactly two cookies, both first-party:
- hrk_sess — your session token (HttpOnly, Secure, 30 day expiry) — only set if you sign in.
- hrk_oauth_state — short-lived (10 min) CSRF token used during the Discord sign-in flow.
No third-party cookies. No tracking cookies.
Contact
Questions, data requests, or concerns: open a ticket in our Discord at discord.gg/uGGdkcewYe, or reply to the morning post.
Changes to this policy
We'll update the "Last updated" stamp at the top of this page and post a notice in Discord if anything material changes. We won't retroactively reduce protections on data you've already shared.