NuroPicks.com

Security & privacy

Honest answers to the questions a security-conscious user should ask before installing a browser extension that touches sportsbook accounts. If something here is unclear, open an issue on the GitHub repo.

What the extension CAN see

  • The HTML of the bet-history page on the 10 supported books, but only when you click the Sync button (no background scraping).
  • The NuroPicks API token you paste into the popup. It is kept in chrome.storage.local, which other extensions and web pages cannot read. It is not encrypted at rest, so anything that can read your Chrome profile directory on disk can read it; that is why the token is revocable (see below).
  • The URL of your active tab when you click Sync (used to verify you're on a supported book before scraping).

What the extension CANNOT see

  • Your sportsbook password, 2FA code, saved cards, or banking info. Chrome does not hand extensions the passwords or payment data it has saved, and our content script runs only on the bet-history page, only when you click Sync, so it never sees a login or payment form.
  • Other tabs you have open. We requested only `activeTab` and the 10 host permissions you see in the manifest.
  • Browsing history, bookmarks, downloads, or cookies for any other site.
  • Your IP address. The extension does not collect or forward it. The import request goes from your browser to nuropicks.com like any other request to our site, so our server sees the same source address it would if you opened the site normally, and nothing more.

What goes over the wire

Per bet, the extension POSTs to nuropicks.com/api/account/booksync/import with a body containing:

  • book_source (e.g. "draftkings")
  • book_external_id (the book's own bet/entry/ticket id, used for dedup)
  • stake (in cents)
  • odds_american
  • market, pick_text, sport, game
  • result (win/loss/push/pending), settled_at
  • potential_win (in cents)
  • placed_at

That's it. No browser metadata, no device fingerprint, no cookies, no IP-based tracking, no session token from the book. The request is authenticated with your NuroPicks token, sent in the Authorization header. It is a bearer credential, not a signature: whoever holds the string can use it until it is revoked, which is why revocation is covered below.
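A worked example, added here and not the extension's own code, of how one scraped bet-history row becomes exactly that request and nothing more. Assumptions the page does not state: the Authorization scheme is Bearer, the scraper hands over dollar amounts as strings and odds as a signed American-odds string, and the sample row below is constructed for the example.

```javascript
// Added example, not the NuroPicks extension's own code. It builds the per-bet
// import body listed above and the request that carries it. Assumed, because the
// page does not say: the Authorization scheme is "Bearer", scraped amounts arrive
// as dollar strings, and odds arrive as a signed American string like "-110".

const IMPORT_URL = "https://nuropicks.com/api/account/booksync/import";
const RESULTS = new Set(["win", "loss", "push", "pending"]);

// Dollar string -> integer cents without floating-point drift ("12.34" -> 1234).
function toCents(amount) {
  const m = /^\s*\$?(\d+)(?:\.(\d{1,2}))?\s*$/.exec(String(amount));
  if (!m) throw new Error(`bad money amount: ${amount}`);
  return Number(m[1]) * 100 + Number((m[2] || "0").padEnd(2, "0"));
}

// One scraped bet-history row -> exactly the twelve fields the page lists.
// Everything else on the page (cookies, the book's session, page metadata)
// is never copied, so it cannot end up in the request body.
function buildImportBody(book, row) {
  if (!RESULTS.has(row.result)) throw new Error(`bad result: ${row.result}`);
  const odds = Number.parseInt(row.odds, 10);
  // American odds are integers with |odds| >= 100.
  if (!Number.isInteger(odds) || Math.abs(odds) < 100) {
    throw new Error(`bad American odds: ${row.odds}`);
  }
  if (!row.id) throw new Error("missing book bet id (needed for dedup)");
  return {
    book_source: book,
    book_external_id: String(row.id),
    stake: toCents(row.stake),
    odds_american: odds,
    market: row.market,
    pick_text: row.pick,
    sport: row.sport,
    game: row.game,
    result: row.result,
    settled_at: row.settledAt ?? null,
    potential_win: toCents(row.toWin),
    placed_at: row.placedAt,
  };
}

// The HTTP request as a plain object, so it can be inspected without a network.
function buildImportRequest(token, body) {
  return {
    url: IMPORT_URL,
    init: {
      method: "POST",
      credentials: "omit", // never attach cookies, ours or any book's
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${token}`, // scheme assumed, see lead-in
      },
      body: JSON.stringify(body),
    },
  };
}

// Sends the request; fetch is injectable so the path can be exercised offline.
async function importBet(token, body, fetchImpl = globalThis.fetch) {
  const { url, init } = buildImportRequest(token, body);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`import failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed sample row, shaped like what a scraper might pull from a bet slip.
const SAMPLE_ROW = {
  id: "DK-8812",
  stake: "$25.00",
  odds: "-110",
  market: "Spread",
  pick: "Chiefs -3.5",
  sport: "NFL",
  game: "Chiefs @ Bills",
  result: "win",
  settledAt: "2024-09-08T23:40:00Z",
  toWin: "22.73",
  placedAt: "2024-09-08T17:05:00Z",
};

function sampleRequest(token = "np_example_token") {
  return buildImportRequest(token, buildImportBody("draftkings", SAMPLE_ROW));
}
```

The point of building the body from an allow-list of fields rather than serializing the scraped object is that a new column on a book's page, or a leaked cookie value in the DOM, has no route into the request; the credentials: "omit" setting does the same job for cookies on our side.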

Token: what it is, what it can do

  • Issued at /account/booksync, shown exactly once, then only the SHA-256 hash is persisted server-side. A plain, unsalted hash is adequate for a server-generated random token, which cannot be recovered from its hash by guessing; it would not be adequate for a user-chosen password.
  • Scope: append bets to YOUR ledger only. Cannot read other users' data, cannot mint other tokens, cannot place real-money bets.
  • Per-device labels (e.g. "home laptop", "work"). Revoke any one without affecting the others.
  • Lost a device? Revoke the token. The thief now holds an inert string.

What happens during a NuroPicks breach

Worst case: an attacker gains read access to our Postgres.

  • They DO see: the hashed (SHA-256) form of your tokens, your imported bet rows, your discord_id linkage.
  • They DO NOT see: your sportsbook credentials (we never had them), your actual token (only the hash), your funding sources, or the token of any other user.

Recovery posture: bulk token rotation via a one-line UPDATE on np_booksync_keys.revoked_at. Users mint fresh tokens, paste them into the extension popup, sync continues.

Audit it yourself

Mint your token → Install guide → FAQ →

Must be 21+. Gambling problem? Call 1-800-GAMBLER. NJ/PA: 1-800-GAMBLER · MI: 1-800-270-7117 · VA: 1-888-532-3500 · CO: 1-800-522-4700 · NY: 877-846-7369 (HOPENY).

NuroPicks LLC · 30 N Gould St Ste R, Sheridan, WY 82801