Privacy & Security

How we protect your data.

MLB Intelligence is a small, independently operated platform. We collect only what's necessary to run the service and take concrete steps to protect every piece of information you provide.

Authentication

Password security

Passwords are never stored in plain text. Every password is hashed using bcrypt with a unique per-user salt before it touches the database. Even in the event of a database breach, passwords cannot be recovered from the stored hashes.

Encryption

API keys encrypted at rest

Sensitive credentials like Kalshi API keys are encrypted using Fernet (AES-128-CBC) before being written to the database. Keys are decrypted only in application memory when needed for API calls and are never logged, cached, or exposed through any endpoint.

Sessions

Secure session management

Sessions use cryptographically random 256-bit tokens. Cookies are set with HttpOnly, SameSite=Lax, and Secure flags (when served over HTTPS). Sessions expire automatically and stale sessions are purged on every server restart.

Transport

HTTPS & security headers

All traffic is served over HTTPS via Cloudflare Tunnel with HSTS enforced. Responses include security headers: X-Content-Type-Options, X-Frame-Options: DENY, Referrer-Policy, and a restrictive Permissions-Policy that disables camera, microphone, and geolocation access.

Rate Limiting

Brute-force protection

Login and registration endpoints are rate-limited to prevent credential stuffing and brute-force attacks. API endpoints have per-IP rate limits. Repeated failed attempts are throttled automatically.

Access Control

Approval-based access

New accounts require manual admin approval before accessing the private dashboard. Admin-only endpoints are protected by role checks at every layer. Private key files on the server are restricted to owner-only read permissions (mode 600).

Data collection

What we store and why.

Account infoEmail, name, and hashed password for authentication. No data is sold or shared with third parties.

Kalshi credentialsRecommended setup: API key ID and private key file, encrypted at rest, used solely to place bets on your behalf when you enable live betting.

Self-custody optionIf you'd rather not store Kalshi credentials on our server, you can run a local follower that places bets from your own machine via our Signal API. In this mode we store only an API token hash (not the token itself) plus optional heartbeat/status for reliability.

Session metadataIP address and user agent stored per session for security auditing. Purged when sessions expire.

No trackingNo analytics scripts, no third-party trackers, no advertising pixels. We don't use cookies for anything other than authentication.

Questions

Something not covered here?

If you have questions about how your data is handled, want to request data deletion, or want to report a security concern, reach out directly.