Privacy Policy

Last Updated: February 9, 2026

Data Controller. The data controller responsible for the processing of personal data described in this Privacy Policy is Estep Tech, LLC, a limited liability company organized under the laws of the State of Ohio, with its principal place of business in Columbus, Ohio, USA. Estep Tech, LLC operates the website EstepSports.com and the EstepSports platform (collectively, "EstepSports," and referred to herein as "the Company," "we," "us," or "our"). This Privacy Policy describes how the Company collects, uses, discloses, and safeguards information in connection with the EstepSports platform, including integrations with Instagram (via Meta's Graph API) and TikTok (via TikTok's Login Kit and Display API).

1. Information the Company Collects

EstepSports is a creator analytics and management platform built for sports content creators. The platform allows creators to connect their social media accounts so that the Company can retrieve, display, and analyze performance data on their behalf. The nature of the information we collect depends on how you interact with the platform and which accounts you choose to connect.

When you create an EstepSports account, we collect your name, email address, and password. We also collect information generated through your use of the platform, including pages visited, features accessed, and the time and duration of your sessions. Your browser type, operating system, and IP address are recorded automatically by our hosting infrastructure (Google Firebase).

1a. Data Collected Through Instagram (Meta Graph API)

If you connect an Instagram account, the Company accesses your data through Meta's Instagram Graph API using the permissions you explicitly authorize during the OAuth consent flow. The specific permissions we request, and the data associated with each, are as follows:

• instagram_business_basic / instagram_basic: Your Instagram username, display name, profile picture, biography, account type (Business, Creator, or Personal), and follower and following counts.
• instagram_business_manage_insights / instagram_manage_insights: Performance metrics for your published content, including views, reach, impressions, shares, saves, likes, and comments.
• pages_show_list / pages_read_engagement: Required by Meta to facilitate the connection between your Facebook Page and linked Instagram Professional account.
• instagram_manage_comments: Access to comment data on your posts for display within the analytics dashboard.
• public_profile / business_management: Basic Facebook profile information and business asset access required by Meta's API architecture.

We also store the OAuth access token issued by Meta, which is necessary to maintain your connection. These tokens are stored server-side in a separate, encrypted data store (Google Cloud Firestore) using AES-256 encryption, isolated from other user data.

1b. Data Collected Through TikTok (Login Kit and Display API)

If you connect a TikTok account, the Company accesses your data through TikTok's Login Kit and Display API. The specific scopes we request are limited to user.info.basic and video.list. No additional scopes are requested. The data associated with these scopes is:

• user.info.basic: Your TikTok open_id, display name, and avatar URL.
• video.list: A list of your published videos, including each video's title, description, cover image URL, share URL, embed link, and creation timestamp.

The Display API does not provide per-video engagement metrics (such as view counts, likes, or shares). The Company does not collect or have access to TikTok engagement metrics through this integration. TikTok OAuth tokens are stored using the same encrypted, server-side infrastructure described in Section 1a above.

2. How the Company Uses Your Information

The Company uses information collected through EstepSports for the following purposes, and for no other purposes:

• To operate and maintain the EstepSports platform and your account;
• To retrieve, display, and analyze your social media performance data within your analytics dashboard;
• To display aggregated creator performance data on public-facing leaderboards within the platform;
• To generate performance reports for agency partners and brand collaborations in which you participate;
• To calculate and track payments between creators, agencies, and brands under active partnership arrangements;
• To communicate with you regarding your account, service updates, or support requests;
• To detect and prevent fraud, abuse, or unauthorized access to the platform; and
• To comply with applicable legal obligations, including responding to lawful requests from public authorities.

Data obtained through TikTok's developer tools is used solely for the purpose of providing EstepSports' analytics and creator management services, as described above. Data obtained through Meta's Instagram Graph API is used solely for the same purpose. The Company does not use data from either platform for any purpose unrelated to the operation of the EstepSports platform.

3. Information Sharing and Disclosure

The Company does not sell your personal information. The Company does not share your personal information with third parties for their own marketing or advertising purposes. The Company does not use data obtained from TikTok or Instagram for cross-context behavioral advertising. The Company does not combine data collected from TikTok with data from other sources for the purpose of building advertising profiles.

We may disclose your information in the following limited circumstances:

• With your consent. When you explicitly authorize disclosure — for example, by opting into an agency partnership or brand campaign within the platform.
• Agency and brand partners. If you participate in a partnership or campaign through EstepSports, your performance metrics may be shared with the relevant agency or brand, but only to the extent necessary to fulfill the terms of that arrangement.
• Public leaderboards. Aggregated performance data (such as total views and engagement metrics) may be displayed on public-facing leaderboards within the EstepSports platform. This data is derived from the social media accounts you have connected.
• Service providers. The Company uses Google Firebase (including Firestore, Realtime Database, Cloud Functions, and Hosting) for data storage, processing, and hosting. Firebase processes data on the Company's behalf and is subject to Google's data processing terms.
• Legal obligations. We may disclose your information if required to do so by applicable law, regulation, legal process, or enforceable governmental request.

4. Platform-Specific Terms and Obligations

4a. Instagram (Meta) Integration

The Company's access to Instagram data is governed by Meta's Platform Terms and the Meta Developer Policies. In compliance with these terms, the Company: (i) requests only the permissions necessary to provide its analytics services; (ii) does not post content to your Instagram account unless you explicitly initiate such an action; (iii) stores access tokens in an encrypted data store separate from other user data; and (iv) deletes stored tokens immediately upon account disconnection. You may disconnect your Instagram account at any time through your EstepSports account settings, at which point the Company will cease collecting new data from that account.

4b. TikTok Integration

The Company's access to TikTok data is governed by TikTok's Developer Terms of Service. In accordance with these terms: the Company requests only the scopes necessary for its analytics services (user.info.basic and video.list); the Company does not post, modify, or delete content on your TikTok account; access tokens are stored in an encrypted data store on the Company's servers; and tokens are deleted immediately if you disconnect your TikTok account. You may revoke the Company's access at any time through your EstepSports account settings or directly through TikTok's authorized app management. The Company does not use TikTok data for purposes other than those described in Section 2 of this Privacy Policy.

5. Data Retention

The Company retains your personal information for as long as your EstepSports account remains active, or as otherwise needed to provide the services described in this Privacy Policy. Historical performance data — including view counts, engagement metrics, and content metadata — is retained for the duration of your account to support ongoing analytics and reporting.

If you delete your account or submit a data deletion request, the Company will remove your personal information from its active systems within thirty (30) days of the request. Authentication tokens for connected social media accounts are deleted immediately upon disconnection. Certain information may be retained beyond this period where required by applicable law, or where necessary for the Company to resolve disputes, enforce its agreements, or comply with its legal obligations. Data obtained through TikTok's and Meta's APIs is not retained longer than necessary to fulfill the purposes described herein.

6. Data Security

The Company maintains technical, administrative, and organizational measures designed to protect the confidentiality, integrity, and availability of your personal information. These measures include, but are not limited to: encryption of data in transit using TLS/SSL; encryption of data at rest through Google Firebase's built-in encryption; server-side storage of OAuth access tokens in Google Cloud Firestore, encrypted using AES-256 and isolated from other application data; role-based access controls that restrict data access to authorized personnel; and periodic review of access controls and security configurations.

Despite these measures, no method of electronic transmission or storage is completely secure. The Company cannot guarantee the absolute security of your data. In the event of a data breach affecting your personal information, the Company will notify affected users and relevant authorities as required by applicable law.

7. Your Rights Regarding Your Personal Information

Depending on your jurisdiction, you may have certain rights with respect to the personal information the Company holds about you. These rights may include the right to access your data, to correct inaccurate data, to request deletion of your data, to export your data in a portable format, to object to certain processing activities, and to withdraw your consent at any time. To exercise any of these rights, contact the Company at mason@estepsports.com. The Company will respond to verified requests within thirty (30) days.

You may also disconnect your social media accounts from EstepSports at any time, which will immediately stop the collection of new data from those accounts and trigger the deletion of stored authentication tokens.

7a. Additional Rights for California Residents (CCPA/CPRA)

If you are a resident of California, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), provides you with additional rights regarding your personal information. You have the right to request that the Company disclose the categories and specific pieces of personal information it has collected about you, the categories of sources from which that information was collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom the Company shares the information. You also have the right to request deletion of your personal information, subject to certain exceptions under the CCPA. The Company does not sell personal information as defined by the CCPA. The Company does not share personal information for cross-context behavioral advertising. The Company will not discriminate against you for exercising your rights under the CCPA.

7b. Additional Rights for EEA and UK Residents (GDPR/UK GDPR)

If you are located in the European Economic Area or the United Kingdom, you have rights under the General Data Protection Regulation (EU) 2016/679 and the UK GDPR, including the rights to access, rectification, erasure, restriction of processing, data portability, and the right to object. The legal basis for the Company's processing of your personal data is your explicit consent, which you provide when you create an account and connect your social media accounts. You may withdraw consent at any time by disconnecting your accounts, deleting your EstepSports account, or contacting the Company. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

8. Children's Privacy

EstepSports is not directed at, and is not intended for use by, individuals under the age of eighteen (18). The Company does not knowingly collect personal information from anyone under the age of 18. If the Company becomes aware that it has collected personal information from a person under 18, it will take steps to delete that information promptly. If you believe a minor has provided personal information to the Company, please contact us at mason@estepsports.com.

9. Third-Party Services

The EstepSports platform integrates with third-party services whose own terms and privacy policies govern their handling of your data independently of this Privacy Policy. The Company encourages you to review these policies:

• Instagram (Meta): Instagram Privacy Policy; Meta Platform Terms
• TikTok: TikTok Privacy Policy; TikTok Developer Terms of Service
• Google Firebase: Firebase Privacy and Security Documentation

The Company's obligations as a developer utilizing these platforms' APIs are governed by each platform's developer terms, which impose specific requirements on how data obtained through their services may be collected, stored, used, and disclosed. This Privacy Policy is intended to be read in conjunction with those developer terms.

10. Changes to This Privacy Policy

The Company may update this Privacy Policy from time to time to reflect changes in its practices, applicable law, or the features of the EstepSports platform. When changes are made, the Company will post the revised Privacy Policy on this page and update the "Last Updated" date above. If the Company makes material changes that affect how your personal information is handled, it will use reasonable efforts to notify you (such as by email or through the platform). Your continued use of EstepSports after the effective date of any revised Privacy Policy constitutes your acceptance of the changes.

11. Contact Information

If you have questions or concerns about this Privacy Policy, wish to exercise your rights under applicable data protection law, or need to report a data-related issue, please contact the Company:

For data deletion requests specifically, you may also visit estepsports.com/data-deletion.html.