PRIVACY POLICY

Last updated: March 6, 2026

Based Legends ("we," "us," or "our") operates the website basedlegends.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services. Please read this policy carefully. By using the Service, you consent to the practices described herein.

1. INFORMATION WE COLLECT

Information You Provide

When you create an account or use the Service, you may provide us with:

  • Account information: name, email address, and password
  • Profile information: display name, bio, and avatar/profile photo
  • Card content: crew member names, titles, photos, stats, badges, bios, and highlights
  • Communications: messages you send us via email or the contact form

Information Collected Automatically

When you access the Service, we may automatically collect:

  • Device information: browser type, operating system, device type
  • Usage data: pages visited, time spent on pages, referring URLs
  • Log data: IP address, access times, and error logs

Cookies & Tracking

We use essential cookies to maintain your authentication session (powered by Supabase). We do not use advertising cookies or third-party tracking pixels. We may use privacy-respecting analytics (such as Vercel Analytics) to understand aggregate usage patterns. These tools do not track individual users across websites.

2. HOW WE USE YOUR INFORMATION

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Create and manage your account
  • Display your trading cards according to your visibility settings
  • Respond to your inquiries and provide customer support
  • Send important service-related notices (e.g., security alerts, policy changes)
  • Monitor and analyze usage trends to improve the user experience
  • Detect, prevent, and address technical issues or abuse

We will never sell your personal information to third parties. We do not use your data for advertising purposes.

3. THIRD-PARTY SERVICE PROVIDERS

We use trusted third-party services to operate the platform. These providers process data on our behalf and are contractually obligated to protect your information:

  • Supabase — authentication, database, and file storage (photos/avatars). Data is stored in Supabase's cloud infrastructure with encryption at rest.
  • Vercel — website hosting and deployment. Vercel processes requests and may collect minimal server logs.
  • Google Fonts — font delivery. Google may collect anonymized usage data per their privacy policy.

We do not share your personal information with any other third parties except as required by law.

4. DATA STORAGE & SECURITY

We take the security of your data seriously and implement multiple layers of protection:

  • All data is encrypted in transit using TLS 1.3
  • Data at rest is encrypted using AES-256 encryption
  • Row Level Security (RLS) ensures users can only access their own data
  • Authentication tokens are securely managed via Supabase Auth
  • Passwords are hashed using bcrypt — we never store plaintext passwords

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

5. DATA RETENTION

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

  • Account data: retained until you delete your account
  • Card content and photos: retained until you delete the card or your account
  • Server logs: retained for up to 30 days for debugging and security

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

6. YOUR RIGHTS

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of your personal data
  • Correction: update or correct inaccurate data via your Settings page
  • Deletion: delete your account and all associated data
  • Portability: request your data in a machine-readable format
  • Objection: object to certain processing of your data

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at hello@basedlegends.com.

European Residents (GDPR)

If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to lodge a complaint with your local data protection authority. Our legal basis for processing is your consent (provided at account creation) and our legitimate interest in operating the Service.

7. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers (Supabase, Vercel) maintain infrastructure. These countries may have different data protection laws. By using the Service, you consent to the transfer of your information to these countries. We ensure appropriate safeguards are in place through our providers' data processing agreements.

8. CHILDREN'S PRIVACY

The Service is not intended for individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information. If you believe a child has provided us with personal data, please contact us at hello@basedlegends.com.

9. BREACH NOTIFICATION

In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach. We will also notify relevant authorities as required by applicable law. The notification will include the nature of the breach, the data affected, and steps we are taking to address the situation.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we will provide notice via email or a prominent notice on the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. CONTACT US

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: