Privacy Policy
1 Introduction
NIL Pipeline, Inc. (“NIL Pipeline,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our web application, mobile applications, and related services (collectively, the “Service”).
NIL Pipeline provides a Name, Image, and Likeness (NIL) deal management platform designed for college athletes, universities, and their authorized representatives. We understand the sensitive nature of the data entrusted to us, including student records subject to federal protections, and we take our responsibility to protect that data seriously.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not access or use the Service.
2 Information We Collect
We collect information in several ways depending on how you interact with our Service. The categories of information we collect include the following:
2.1 Account Information
When you register for an account, we collect personal information necessary to create and maintain your account. Authentication is managed through our identity provider, Clerk. Information collected includes:
- Full name and display name
- Email address
- University or organizational affiliation
- Role within the platform (athlete, compliance officer, coach, administrator, or agent)
- Profile photograph (optional)
- Sport and position (for athlete accounts)
- Social media handles (optional, used for deliverable tracking)
2.2 NIL Deal Data
The core function of our Service is to help you manage NIL deals. In the course of using the Service, you may provide or we may process:
- Contract documents and agreements (uploaded as PDFs, images, or entered manually)
- Deal financial terms, including compensation amounts, payment schedules, and payment status
- Brand and company information associated with your deals
- Deliverable requirements, deadlines, and completion status
- Compliance review notes and risk assessments
- Communication records related to deal management within the platform
2.3 Payment Information
For university subscription billing, payment processing is handled by our PCI-compliant third-party payment processor. We want to be clear about what we do and do not store:
- We do NOT store credit card numbers, bank account numbers, or other sensitive financial instrument details on our servers
- We do store payment-processor customer identifiers, subscription status, plan type, billing cycle dates, and transaction history (amounts and dates only)
- Billing contact name and billing email address
2.4 Usage Data
We automatically collect certain information about how you interact with the Service to improve functionality and user experience:
- Features accessed and frequency of use
- Pages viewed and navigation patterns
- Search queries within the platform
- Time spent on various sections of the Service
- Error logs and performance data
Error monitoring is provided by Sentry (listed as a sub-processor in §4.2 below). Error payloads captured by Sentry may include PII such as email addresses, user IDs, or request parameters present at the time of an error. We apply Sentry's PII scrubbing configuration to minimize unnecessary data capture and have entered into a Data Processing Agreement with Sentry.
2.5 Device and Browser Information
When you access the Service, we may automatically collect technical information including:
- IP address and approximate geographic location
- Browser type and version
- Operating system and device type
- Screen resolution and viewport size
- Referring URL and exit pages
- Cookies and similar tracking technologies (see our Cookie Policy for details)
3 How We Use Your Information
We use the information we collect for the following purposes:
3.1 Providing and Operating the Service
- Creating and managing your account
- Enabling deal tracking, pipeline management, and contract storage
- Processing university subscription payments
- Delivering notifications about deadlines, payments, and deal status changes
- Facilitating communication between athletes, compliance officers, and other authorized users within an organization
3.2 Compliance Monitoring and Risk Scoring
We analyze deal data to provide automated compliance risk scoring based on NCAA guidelines, applicable state NIL laws, and university-specific policies. This includes flagging potential issues related to prohibited industries, unusual deal structures, and deadline compliance. Risk scores are informational tools and do not constitute legal or compliance advice.
3.3 AI-Powered Contract Analysis
When you upload a contract or agreement, we use artificial intelligence (powered by Anthropic's Claude API) to extract key terms, dates, financial details, and deliverables. This AI processing is designed to assist you in understanding your contracts and is not a substitute for professional legal review. Contract content sent for AI analysis is processed in accordance with our data processing agreements with our AI service providers and is not used to train third-party AI models.
3.4 Communications
- Sending transactional emails (account verification, password resets, deal notifications)
- Providing service updates, security alerts, and administrative messages
- Sending product updates and feature announcements (you may opt out at any time)
- Responding to your support requests and inquiries
3.5 Analytics and Service Improvement
We use aggregated and anonymized usage data to understand how the Service is used, identify areas for improvement, develop new features, monitor and analyze trends, and ensure the technical performance and security of the platform. We do not use individually identifiable student data for product development without explicit consent.
4 Information Sharing
We do NOT sell, rent, or trade your personal information to third parties for marketing purposes. We never have and never will.
We may share your information only in the following limited circumstances:
4.1 With Your University
If you are an athlete affiliated with a university that subscribes to NIL Pipeline, certain deal information (including deal status, brand names, compensation amounts, compliance risk scores, and deliverable status) may be visible to authorized compliance officers and administrators at your institution. This sharing is necessary to support the compliance monitoring function required by NCAA rules and institutional policy. The specific data shared with your institution is governed by the data processing agreement between NIL Pipeline and your university.
4.2 Service Providers
We work with carefully selected third-party service providers who process data on our behalf to operate the Service. These providers are contractually obligated to protect your information and may only use it to perform services for us. Our key service providers include:
- Clerk — Authentication and identity management (US)
- PCI-compliant payment processor — Billing and payment processing for university subscriptions. The specific provider is disclosed to institutional customers under the Data Processing Agreement (DPA).
- Neon — PostgreSQL database hosting and management (US, with EU regions available on request)
- Railway — Application hosting and infrastructure (US)
- Anthropic — AI-powered contract analysis via the Claude API (US). Per Anthropic's policy, prompts and completions sent through the API are not used to train models.
- Resend — Transactional email delivery (US/EU)
- Sentry — Error monitoring and performance tracing (US). Error payloads may include PII present in requests at the time of an error. See Sentry's Privacy Policy and DPA.
- Upstash — Rate limiting and caching (multi-region)
- UploadThing — Contract and document file storage (US)
- Svix — Outgoing webhook delivery (US)
Sub-processor change notice: EU/EEA customers receive 30 days' advance notice before we add or replace a sub-processor that processes personal data, in accordance with GDPR Art. 28(2). To object, email privacy@nilpipeline.com. The current list above is the authoritative version.
Data Processing Agreement (DPA): Educational institutions can request a copy of our DPA template by emailing legal@nilpipeline.com. The DPA describes our obligations as a processor under FERPA, GDPR Art. 28, and the CPRA service-provider rules, including breach notification timelines, security measures, sub-processor obligations, and data return / deletion at termination.
4.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. Where permitted by law, we will attempt to notify you before disclosing your information in response to such requests.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
5 FERPA Compliance
NIL Pipeline recognizes that certain information processed through the Service on behalf of educational institutions may constitute “education records” as defined by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. We are committed to maintaining compliance with FERPA and supporting our university partners in meeting their FERPA obligations.
When NIL Pipeline processes student data on behalf of a university, we act as a “school official” with a “legitimate educational interest” under FERPA. Specifically:
- We limit access to student education records to those individuals within the university's authorized personnel who have a legitimate educational interest
- We do not use education records for any purpose other than providing the contracted services to the university
- We do not disclose education records to third parties without proper authorization, except as permitted or required by law
- We maintain reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of education records
- We enter into written agreements with educational institutions that specify our obligations under FERPA, as required by 34 CFR § 99.31(a)(1)(ii)
Universities partnering with NIL Pipeline may request a copy of our FERPA compliance documentation and data processing agreement by contacting us at privacy@nilpipeline.com.
A note on NIL data and FERPA scope
Not all NIL-related information is necessarily an “education record” under FERPA. Whether a specific deal, contract, payment, or compliance flag qualifies depends on how your institution classifies NIL data and how it was collected. Directory information (name, sport, team affiliation) may be treated differently from protected education records (GPA, eligibility status, student ID numbers).
We recommend that your compliance office and general counsel review how your institution categorizes NIL data under FERPA before using NIL Pipeline. Your institution's annual FERPA notice is the authoritative source for your rights regarding education records; for questions specific to your records, contact your university's registrar or FERPA coordinator.
Student rights under FERPA
If your data is classified as an education record, FERPA guarantees you the following rights:
- The right to inspect and review your education records
- The right to request the amendment of records you believe are inaccurate or misleading
- The right to consent to disclosure of personally identifiable information in your education records, except where FERPA authorizes disclosure without consent
- The right to file a complaint with the U.S. Department of Education's Family Policy Compliance Office concerning alleged failures to comply with FERPA
To exercise any of these rights with respect to records your institution maintains, contact your university's registrar. For records NIL Pipeline processes on your institution's behalf, your institution remains the controller under FERPA and the rights above should be exercised through them.
6 Data Security
We take the security of your information seriously and implement industry-standard measures to protect it against unauthorized access, alteration, disclosure, or destruction. Our security practices include:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Encryption at Rest: All stored data, including database records and uploaded documents, is encrypted using AES-256 encryption
- Access Controls: We implement role-based access controls (RBAC) to ensure that users can only access data appropriate to their role within the platform. Internal access to production systems is limited to authorized engineering personnel and requires multi-factor authentication
- Infrastructure Security: Our infrastructure is hosted on SOC 2-compliant platforms (Neon, Railway) featuring regular security audits, automated vulnerability scanning, and intrusion detection. Our own formal SOC 2 Type II audit is on our roadmap and we will update this page when it is completed.
- Incident Response and Breach Notification: We maintain a documented incident response plan. In the event of a personal data breach, we will notify the relevant data protection authority within 72 hours of discovery (as required by GDPR Art. 33) and affected users without undue delay, in accordance with US state breach-notification laws and applicable international requirements. Notifications will describe the nature of the breach, the data affected, steps we are taking to mitigate harm, and what you can do to protect yourself.
- Audit Logging: All access to sensitive data is logged for compliance and security monitoring purposes
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining industry best practices to minimize risk.
7 Data Retention
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:
- Active Account Data: Retained for the duration of your active account, plus 90 days following account closure to allow for reactivation
- Deal and Contract Data: Retained for 7 years after a deal is marked as completed or cancelled, consistent with standard business record retention practices and potential audit requirements
- Payment Records: Transaction records are retained for 7 years as required by tax and financial regulations
- Audit Logs: Security and compliance audit logs are retained for 3 years; FERPA-style data-access logs are retained for 5 years
- Application Logs (errors, IP addresses, request metadata): Retained for 30 days then automatically purged. Sensitive fields are redacted by our logger before storage.
- Database Backups: Encrypted point-in-time backups are retained for 30 days, then deleted. We do not maintain long-term backup archives outside of those required by legal hold.
- Legal Holds: Records subject to a legal hold (litigation, regulatory request, or subpoena) are retained until the hold is released, regardless of the periods above.
- Usage Analytics: Aggregated and anonymized usage data may be retained indefinitely for product improvement purposes
You may request deletion of your personal data at any time by contacting us at privacy@nilpipeline.com. Please note that certain data may be retained as required by law or for legitimate business purposes, such as audit trail records required for FERPA or NCAA compliance. We will inform you if we are unable to fully comply with a deletion request and the reasons why.
8 Your Rights
Depending on your location, you may have certain rights regarding your personal information under applicable data protection laws, including the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and other state or national privacy laws.
8.1 Rights Available to All Users
- Access: You may request a copy of the personal information we hold about you
- Correction: You may request that we correct inaccurate or incomplete personal information
- Deletion: You may request that we delete your personal information, subject to certain legal exceptions
- Data Portability: You may request a copy of your data in a structured, commonly used, machine-readable format (JSON or CSV)
- Opt-Out of Marketing: You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or adjusting your notification preferences in your account settings
8.2 Additional Rights for California Residents (CCPA / CPRA)
- Right to know what personal information we have collected, used, and disclosed about you, including the categories and specific pieces of personal information collected in the prior 12 months
- Right to delete personal information we have collected from you, subject to legal exceptions (for example, records we must keep for audit, tax, or fraud-prevention purposes)
- Right to correct inaccurate personal information
- Right to limit the use and disclosure of sensitive personal information (which for our service includes financial-account identifiers, precise geolocation if collected, and student education records)
- Right to opt out of the sale or sharing of personal information. We do not sell personal information and we do not share for cross-context behavioral advertising, but you can formally exercise this right via our Do Not Sell or Share form and we will email you a written confirmation.
- Right to non-discrimination — we will never charge you more or provide a lesser quality of service because you exercised a privacy right
8.3 Additional Rights for EU/EEA Residents (GDPR)
- The right to restrict processing of your personal data
- The right to object to processing based on legitimate interests
- The right to withdraw consent at any time (where processing is based on consent)
- The right to lodge a complaint with a supervisory authority
To exercise any of these rights, please contact us at privacy@nilpipeline.com or submit a request through our Do Not Sell or Share form. We may need to verify your identity before processing your request.
Response timelines:
- California (CCPA/CPRA): we confirm receipt within 10 business days and substantively respond within 45 days. We may extend once by an additional 45 days for complex requests, with notice.
- EU/EEA (GDPR): we respond without undue delay and in any event within one month of receipt. We may extend by up to two additional months for complex or numerous requests, and we will notify you within the first month of any extension.
- Other jurisdictions: we aim to respond within 30 days or within the timeframe required by applicable local law, whichever is shorter.
9 Children's Privacy
NIL Pipeline is designed for use by college athletes and university personnel. Our Service is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA).
Users must be at least 13 years of age to create an account. The vast majority of our users are 18 years of age or older, as the Service is primarily designed for college-level student-athletes. If you are between the ages of 13 and 18, you must have the consent of a parent or legal guardian to use the Service.
If we learn that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as promptly as possible. If you believe a child under 13 has provided us with personal information, please contact us at privacy@nilpipeline.com.
For users aged 13–17, we require verifiable parental consent before account creation. Consent is collected via a magic-link email sent to the parent's or legal guardian's email address provided at signup. The consent link expires after 7 days; if consent is not received within that window, the account will not be activated. A parent or guardian may revoke previously granted consent at any time by contacting privacy@nilpipeline.com. Upon revocation, we will promptly deactivate the account and, at the parent's or guardian's request, delete the minor's personal information consistent with our legal obligations.
10 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will:
- Update the “Last Updated” date at the top of this page
- Notify you via email (sent to the email address associated with your account)
- Display a prominent notice within the Service at least 30 days before the changes take effect
- Where required by applicable law, obtain your consent to the updated terms
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated terms.
11 Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
For university-specific data processing inquiries, please contact your institution's NIL Pipeline administrator or reach out to us directly. We aim to respond to all privacy inquiries within 5 business days.
Also see our Terms of Service for additional information about using NIL Pipeline.