Privacy Policy

Last updated: April 28, 2026

X Games Legends Portal ("we," "us," or "our") is a private community platform for X Games alumni athletes. This Privacy Policy explains what personal information we collect, how we use it, and your rights regarding that information. We are committed to protecting your privacy and being transparent about our practices.

This policy applies to residents of the European Union (GDPR) and California (CCPA), as well as all other users of the platform.

1. What Information We Collect

When you sign up and complete your profile, we collect:

  • Identity information: First name, last name, competition name, profile photo
  • Contact information: Email address, phone number, home address (street, city, state, zip, country)
  • Athletic history: Sports competed in, years competed, X Games medalist status
  • Social media: Instagram, TikTok, YouTube, Facebook, LinkedIn handles and approximate follower counts
  • Professional information: Agent name, program interests, how you'd like to give back to the community
  • Comments and freeform responses you choose to provide
  • Location coordinates (latitude/longitude) derived from your address. We convert your address to geographic coordinates to enable location-based features, including connecting you with opportunities and events in your area.

When you use the platform, we also automatically collect:

  • Session data: A session cookie that keeps you logged in
  • Usage data: Pages visited, date and time of visits, browser type, IP address, and referring URL
  • IP-based location data: Your IP address is sent to ip-api.com, a third-party geolocation service, to derive approximate location information (city, region, ISP). This helps us understand where our members are located and detect unusual access patterns.
  • Device fingerprint: A browser fingerprint (via a script on the site) used to recognize returning visitors for security and analytics purposes. This does not identify you personally — it identifies your device/browser combination.

2. How We Use Your Information

We use your information to:

  • Operate and maintain the X Games Legends Portal
  • Verify your identity as a former X Games athlete
  • Display your profile in the athlete directory to other approved members
  • Connect you with events, brand opportunities, and discounts
  • Send you transactional emails (login links, platform announcements, event updates)
  • Allow you to communicate directly with other alumni via messaging
  • Send you targeted communications relevant to your sport, location, or program interests
  • Improve the platform through usage analytics
  • Maintain platform security

We do not sell your personal information. We do not share your data with third parties for their marketing purposes.

3. Who Can See Your Information

  • Other approved athletes can see your profile in the directory, including your name, photo, sport, location (city/state), and social media handles — but only if you have an approved account.
  • X Games Legends administrators can see your full profile including contact information, for the purpose of managing the platform and verifying eligibility.
  • Your home address and phone number are only visible to administrators unless you explicitly opt in to sharing contact information with other athletes.
  • Brand partners do not have direct access to the athlete directory. When you respond to a brand opportunity posted on the platform, only the information you choose to include in that response is shared with the brand. Brand partners do not receive any other personal information about you without your explicit consent.

4. Cookies and Tracking

Cookies set in your browser:

  • Session cookie: Required for you to stay logged in. Without it, the platform cannot function.
  • Fingerprint cookie (_fp): A short device-fingerprint identifier used for security monitoring (e.g., detecting unusual login patterns) and analytics. Like all cookies, it is scoped to this domain and is not read by other websites.

Server-side visitor tracking:

In addition to the cookies above, our server logs each request you make to the platform to a separate analytics database. Each entry includes the IP address, URL path, HTTP method, response status, browser/user-agent string, referring URL, the fingerprint identifier (if present), and — if you are signed in — your email address and name. IP-derived approximate location (see §1) is added to these records.

This analytics database is shared with other websites operated by the same operator. If you visit another website that uses the same logging system, activity on this platform may be correlated with that other activity through your IP address, fingerprint, or email. We use this data only for security monitoring and internal analytics — not for advertising, and not to share with unaffiliated third parties.

You can disable cookies in your browser settings, but doing so will prevent you from logging in to the platform. Disabling cookies does not stop server-side request logging, which is required for security and is retained as described in §5.

5. How Long We Keep Your Data

We retain your profile data for as long as your account is active. Server-side visitor-tracking records (see §4) are retained for up to 12 months for security and analytics purposes.

When you delete your account, the following data is permanently erased immediately: your profile and profile photo; your sent and received direct messages (deletion removes both your copy and the recipient's copy); your community-board posts and likes (replies left by you are removed; replies left to you by others are kept but unlinked from the deleted thread); your event, discount, and opportunity participation records; any proposals you submitted; your unused login tokens; your entry on the athlete allowlist; and your visitor-tracking records (best-effort, removed from the analytics database).

We retain only what we are required to keep by law (for example, certain financial or compliance records, if applicable).

Email send records held by our email service provider (SendGrid) are subject to their own retention policy and are outside our direct control. We do not store the body of sent emails ourselves once delivery is confirmed.

6. Your Rights

Depending on where you live, you have the following rights:

  • Right to access: Request a copy of the personal data we hold about you
  • Right to correction: Update or correct your information at any time via your profile settings
  • Right to deletion: Delete your account and all associated personal data immediately via your profile page
  • Right to portability: Request your data in a portable format
  • Right to object: Object to how we process your data
  • California residents (CCPA): You have the right to know what personal information is collected, the right to delete it, and the right to opt out of its sale (we do not sell personal information)

To exercise any of these rights, use our Privacy Request form. We will respond to general privacy requests within 30 days. CCPA-specific requests from California residents are subject to the 45-day response time set by California law (see §7).

If you are a resident of the European Union or European Economic Area, you also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your personal information in accordance with applicable law.

7. California Privacy Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom it is shared.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale: We do not sell your personal information.
  • Right to non-discrimination: We will not discriminate against you for exercising any of these rights.

Categories of personal information we collect include: identifiers (name, email, IP address); personal information (address, phone number); professional information (athletic history, social media handles, agent name); internet activity (pages visited, device fingerprint); and geolocation data (derived from address and IP address).

We collect this information directly from you when you register and use the platform, and automatically through usage tracking. We use it to operate the platform, verify athlete eligibility, and connect members with opportunities.

To exercise your California privacy rights, use our Privacy Request form. We will respond within 45 days as required by law.

8. Data Security

Your data is stored in a secured, encrypted PostgreSQL database hosted on DigitalOcean with SSL required for all connections. Access is restricted to authorized administrators only. Login is handled via one-time magic links — we never store passwords. While we take reasonable measures to protect your information, no system is 100% secure, and we cannot guarantee absolute security.

9. Service Providers and Sub-Processors

We rely on the following service providers to operate the platform. Each is bound by their own privacy policy and processes data only on our behalf for the purposes described.

  • DigitalOcean, Inc. (United States) — application hosting and PostgreSQL database storage. All data described in §1 is stored on infrastructure operated by DigitalOcean.
  • Twilio SendGrid (United States) — delivery of transactional emails (login links, account notifications) and announcement emails sent by administrators.
  • ip-api.com (United States) — IP-address geolocation lookups used to derive approximate location (city, region, ISP) from your IP address as described in §1. Your IP address is sent to ip-api.com; no other personal information is sent.
  • Cloudflare (United States) — content delivery, DDoS protection, and TLS termination for the platform's domain. Cloudflare may process your IP address and request headers in transit.

All of these providers are based in the United States. If you are accessing the platform from the European Union or European Economic Area, your personal information will be transferred to and processed in the United States. We rely on standard data-transfer protections (such as Standard Contractual Clauses, where applicable) to safeguard such transfers; specific transfer mechanisms are confirmed with each provider as part of our agreements with them.

10. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you. Decisions about account approval are reviewed by a human administrator. The platform uses simple matching logic (such as comparing your name and email to the X Games athlete allowlist) to assist administrators, but no automated decision is final without human review.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify active members via email if the changes are material.

12. Contact Us

For any privacy-related questions or requests:

X Games Legends Portal

Submit a Privacy Request