Privacy Policy

Effective April 20, 2026 · Last updated April 20, 2026

The short version: We collect the minimum we need to run the Service — your email, hashed password, billing info (stored by Stripe, not us), and the scores you enter during your hosted games. We don't sell your data. We don't track players across the internet. Team names and PINs stay inside the single game session and are deleted after.

1. Who We Are

Heat Trivia is operated by Ikon Marketing Group LLC ("we", "us", "our"). Our contact for privacy questions is craig@heateg.com.

2. Information We Collect

Category	What	Why
Host account	Email address, hashed password (bcrypt), optional display name, Stripe customer ID	Sign you in, send receipts / password resets / game notifications, bill you
Billing	Handled by Stripe. We store only the Stripe customer ID and subscription ID — never card numbers.	Process payments
Session activity	Game ID, title, host name, venue name, scores, team names, team captain names, chosen bonus round, submitted wagers, scrolling announcement text, session start/end time	Run the live game, persist state across browser reloads, show analytics on your own dashboard
Player data (team-entered)	Team name, captain first name, 4-digit PIN (hashed in transit), chosen bonus round, wager submissions	Tie a phone to a team; protect wager submissions with a PIN
Technical logs	IP address (SHA-256 hashed with a site salt for rate-limit counters), user-agent hash, timestamps, webhook payloads	Security, rate limiting, webhook reconciliation, fraud detection
Referral program	Referrer name, email, payout preference (check address or PayPal email), W-9 form (stored encrypted), click/conversion attribution cookie	Attribute referrals and pay commissions

3. What We Do NOT Collect

We do not collect phone numbers or birthdates from players.
We do not use third-party advertising trackers, ad networks, or cross-site analytics that profile visitors.
We do not store card numbers, CVVs, or bank account details. Stripe handles payment data directly.
We do not sell, rent, or trade data to third parties. Period.
We do not scrape or profile player social media.

4. Cookies & Similar Tech

We use a minimal set of cookies — all first-party, necessary for the Service:

Session cookie (heat_session): keeps you logged in for up to 7 days.
Referral attribution cookie (heat_ref): remembers a referral code for 30 days so referrers get credit when you eventually purchase. Cleared automatically after.
CSRF token (session-scoped): protects form submissions from cross-site forgery.

We use Google reCAPTCHA v3 invisibly on the player join page to deter abuse. reCAPTCHA is governed by Google's Privacy Policy and Terms of Service.

5. Where Your Data Lives

Subscriber + business data: stored in MariaDB on our U.S. web host.
Live game state: stored in Google Firebase Realtime Database (U.S. region) — tied to a specific Game ID with security rules restricting access.
Payment data: stored by Stripe (PCI-DSS Level 1 certified).
Email delivery: transactional mail sent via Google Workspace (Gmail SMTP).
W-9 tax forms (referrers only): stored outside the web root with filesystem permissions restricting access to the server process and site admins.

6. How Long We Keep It

Live session data (teams, scores, PINs in Firebase): purged when you End Game or when stale for 6+ hours. We keep the high-level session record (Game ID, title, start/end, aggregate scores) on your account for historical reference for 12 months, then anonymize.
Webhook logs: 12 months then purged.
Account data: kept while your account is active; up to 30 days after you delete the account, excluding records we must retain for tax or legal compliance (e.g., referrer 1099-NEC, payment receipts: 7 years).
IP/UA hashes: 24 hours for rate-limit table; then auto-pruned.

7. How We Share Data

We share data only when necessary to run the Service:

Service providers: Stripe (billing), Google Firebase (realtime DB), Google Workspace (email), our web host. Each operates under its own terms and is bound to process data only on our instructions.
Legal compliance: if required by subpoena, court order, or to protect our rights or the safety of users.
Business transfer: if Ikon Marketing Group LLC is ever sold or merged, your data may transfer to the acquirer under the same privacy commitments (we'll notify you).

8. Your Rights

Regardless of where you live, you may:

Access a copy of the data we have about you — email us.
Correct inaccurate account info from your account settings, or by emailing us.
Delete your account. Email us and we'll delete within 30 days (minus anything tax/legal requires us to retain — we'll tell you what.)
Export your session history in a portable format.
Opt out of marketing: we don't send marketing unless you explicitly ask. Transactional mail (receipts, password resets, referral payouts) is not opt-out.

California (CCPA/CPRA): California residents have additional rights, including the right to know categories of data collected and shared (see Section 2 above), the right to opt out of "sale" or "sharing" (we don't do either), and the right not to be discriminated against for exercising these rights. EU / UK (GDPR): our lawful bases are contract performance (running the Service you paid for), legitimate interests (security, fraud prevention), and consent (referral cookie). Email craig@heateg.com for data access, portability, restriction, or erasure requests.

9. Age Restriction

Heat Trivia is an 18+ platform. Hosting accounts and player registration both require the user to confirm they are 18 years of age or older. The Service is designed for use at bars, restaurants, and event venues where adult attendance is the norm, and some hosted content may be age-gated accordingly.

We do not knowingly collect personal information from anyone under 18. If we learn that personal data was submitted by someone under 18, we'll delete it promptly. In accordance with the U.S. Children's Online Privacy Protection Act (COPPA), we also do not knowingly collect information from children under 13. If you believe a minor has submitted data to us, email craig@heateg.com and we will remove it.

10. Security

We use HTTPS for all traffic, bcrypt for password hashes, CSRF tokens on all state-changing forms, Firebase security rules to prevent cross-game data access, rate limiting on login endpoints, session regeneration on sign-in, and restrictive filesystem permissions for credentials and W-9 uploads. No system is perfectly secure; if we ever detect a breach affecting your data, we'll notify you in accordance with applicable law.

11. Changes to This Policy

We'll update this page when our practices change and note the effective date at the top. Material changes will be announced by email to active accounts or in an in-dashboard banner at least 14 days before taking effect.

12. Contact

Ikon Marketing Group LLC
Privacy questions, access requests, deletion requests: craig@heateg.com
Physical mail:
Ikon Marketing Group LLC
2034 Blue Ave
Richland, WA 99354