Privacy Policy

1. Information We Collect

We collect only the information necessary to operate the platform and support institutional compliance workflows: Account Information — name, email address, institutional affiliation, and user role. Deal Information — NIL agreement data, including athlete information, sponsor details, and contract terms submitted for evaluation. Usage Data — platform interactions, evaluation history, and feature usage. Technical Data — IP address, browser type, device information, and access timestamps. Audit Records — SHA-256 hashed audit trails and provenance records for all evaluations and system actions. We do not collect sensitive personal information such as Social Security numbers or financial account data unless explicitly included within submitted NIL agreements.

2. How Information Is Used

We use collected information to: (a) operate and provide compliance evaluation services; (b) generate assessment scores, regulatory citations, and supporting evidence; (c) maintain tamper-evident audit trails and provenance records; (d) communicate with users regarding platform activity and updates; (e) improve system performance, reliability, and security; and (f) comply with legal and regulatory obligations.

3. FERPA Compliance and Data Processing Role

nilportal.io is designed to operate in compliance with FERPA. Student-athlete information is treated as protected education records. When processing data on behalf of Subscribing Institutions, nilportal.io acts as a data processor under the institution's direction and control, consistent with the "school official" exception under FERPA. We do not use student-athlete data for any purpose outside the scope of providing compliance services to the Subscribing Institution.

3a. Data Processing Agreement

nilportal.io provides a Data Processing Agreement (DPA) upon request. The DPA defines: scope and purpose of processing; security and incident response obligations; subprocessor usage and notification; data return and deletion procedures; and audit and inspection rights. Current Subprocessors: Google Cloud Platform (hosting and infrastructure), Firebase Authentication (identity management), and Google Vertex AI (regulatory retrieval only).

4. Artificial Intelligence and Data Processing

nilportal.io uses Google Vertex AI exclusively for regulatory language retrieval and policy analysis. Data sent to AI services includes public regulatory content (NCAA rules, state laws, institutional policies) and de-identified deal parameters required for rule matching. Data NOT sent to AI services includes student-athlete names or identifiers, personally identifiable information (PII), and uploaded documents in original form. All compliance scoring is performed by nilportal.io's deterministic Explain–Reason–Verify™ (ERV) system. AI services are not used to make decisions. No customer data is used to train or improve third-party AI models.

5. Multi-Tenant Data Isolation

nilportal.io uses a multi-tenant architecture with strict logical separation between institutions. Each institution's data is accessible only to authorized users within that institution. Cross-tenant access is not permitted. Administrative access is restricted, logged, and monitored.

6. Data Security

We implement administrative, technical, and physical safeguards designed to protect information, including: encryption at rest and in transit; role-based access controls (RBAC); secure authentication via Firebase; continuous monitoring and logging; and SHA-256 hash-chain audit trails for tamper-evident records.

7. Security Incidents and Notifications

In the event of a confirmed security incident that materially affects the confidentiality, integrity, or availability of personal information, nilportal.io will notify the affected Subscribing Institution without undue delay and, where applicable, within seventy-two (72) hours of confirmed discovery. Notifications will be directed to the Subscribing Institution as the primary data controller, unless otherwise required by law. Where legally required, nilportal.io will support or issue notifications to affected individuals in coordination with the institution. Notification will include, to the extent known: nature of the incident, categories of data involved, mitigation actions taken, and recommended institutional response steps. All incidents are evaluated against nilportal.io audit and provenance records to support institutional review, forensic analysis, and regulatory response. This section does not apply to unsuccessful security events such as failed login attempts or network scans.

8. Data Sharing

nilportal.io does not sell, rent, or trade personal information. We share data only as necessary: with Subscribing Institutions for compliance operations; with infrastructure providers required to operate the platform; to comply with legal obligations; and to protect the safety, rights, or integrity of the platform and users.

9. Data Retention

Data is retained for the duration of the subscription. Certain records are retained for a reasonable period to support audits and legal obligations. Institutions may request deletion subject to regulatory requirements.

10. Cookies and Analytics

nilportal.io uses essential cookies for authentication and platform functionality. We may use first-party analytics tools to improve performance and usability. No advertising cookies or third-party tracking for marketing purposes are used.

11. California Privacy Rights (CCPA)

California residents have the right to: (a) request access to collected personal information; (b) request deletion of personal information; (c) opt out of the sale of personal information (not applicable, as we do not sell data); and (d) receive equal service regardless of privacy requests. Requests can be submitted to privacy@nilportal.io. We respond within 30 days.

12. Children's Privacy

nilportal.io does not knowingly collect personal information directly from individuals under the age of 13. For minor student-athletes (ages 13-17), data is: provided solely by Subscribing Institutions; processed as education records under FERPA; and used only for institutional compliance purposes. We do not use minor data for marketing or profiling.

13. International Data Transfers

nilportal.io operates in the United States. Information may be processed and stored in the United States. When processing personal data on behalf of Subscribing Institutions, nilportal.io acts as a data processor. Transfers from the European Economic Area or United Kingdom are conducted using Standard Contractual Clauses (SCCs) or equivalent safeguards.

14. Governing Law and Venue

This Privacy Policy is governed by the laws of the State of Utah. Any disputes arising from this Policy shall be brought exclusively in the state or federal courts located in Salt Lake County, Utah. Parties consent to jurisdiction and venue in those courts.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or via email. Continued use of the platform constitutes acceptance of the updated policy.

16. Contact

For questions or requests, contact: privacy@nilportal.io.

nilportal.io provides automated compliance analysis for institutional review. This platform does not provide legal advice. Final decisions remain the responsibility of the Subscribing Institution.