NuroPicks.com

Security posture

What we store, what we deliberately do not, and the controls we run. Written in plain English. If you find a gap, email security@nuropicks.com.

What we store

Discord user ID + username
Needed for the bot to recognize you across commands and to link your profile to the web app.
Your tracked picks + bet history
Every pick you log via the bot or web app, with timestamps and closing-line references. Used to compute your CLV record.
Subscription state (if paid)
Whether you are on Free, Pro, or Elite. We do not store your card. Payments route through Whop and NOWPayments.
Self-exclusion status
A one-bit flag per user. Enforced across bot and web. Cannot be reversed inside a cooling-off window.

What we deliberately do NOT store

Your sportsbook login
We never ask for it. We do not hold credentials for DK, FD, MGM, or any book. Ever.
Your real-money balance
We are not a sportsbook. We do not accept deposits, hold balances, or pay out winnings. Your money lives at your licensed sportsbook.
Your card number
Subscription payments route through Whop (Stripe-backed) and NOWPayments (crypto). Neither sends your card number to us.
Your browsing history outside NuroPicks
We do not set tracking cookies on external sites. We do not buy data from ad networks. What happens off our domain stays off.

Controls we run

Webhook signature verification
HMAC-SHA256 on Whop. HMAC-SHA512 with canonical-sorted JSON on NOWPayments. Unsigned or bad-signature webhooks are rejected. See docs/API.md.
Rate limits on public endpoints
3 requests per 10 minutes per IP on /api/apply. Protects against signup floods and enumeration.
Age gate at signup
21+ self-certification. State-tied verification for real-money-adjacent surfaces is planned before we scale paid tiers.
CSP headers + modern TLS
Content Security Policy headers on every HTML response. TLS 1.2+ enforced. HSTS preload submitted.
Database access
Neon Postgres, connection over TLS, least-privilege role per service. Backups retained 7 days on Neon's built-in PITR.
Discord bot token hygiene
Bot token lives only in Railway secrets. Never in the repo. Rotated on any suspected exposure. 2FA on every account with Discord admin access.

Responsible disclosure

Found a vulnerability? Email security@nuropicks.com with a proof-of-concept and give us 90 days to fix before public disclosure. We do not currently run a paid bug-bounty; with your consent, we will acknowledge reporters publicly in our security changelog. Low-severity issues get a thank-you; for high-severity issues we will work with you to remediate quickly.

No threats of legal action for good-faith research. No enforcement against researchers who access only their own accounts and do not harm other users.
