Privacy Policy

Effective Date: March 21, 2026

Table of Contents

1. Introduction2. Information We Collect3. Legal Basis for Processing4. How We Use Information5. Information Sharing6. Service Providers7. Cookies & Tracking8. Data Retention9. Your Rights10. California Privacy Rights11. Children's Privacy12. International Data Transfers13. Data Security14. Additional State Privacy Rights15. Changes to This Policy16. Contact Us

1. Introduction

This Privacy Policy explains how Data Flow, LLC dba Cogs and Roses ("Company," "we," "us," or "our"), operating as Perennial Metrics, collects, uses, discloses, and safeguards your information when you visit our website perennialmetrics.com (the "Site") or use our services, including our developer API (collectively, the "Services").

By accessing or using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not access or use the Services.

We do not sell your personal information. We do not use your data for profiling or targeted advertising. We do not share your information with data brokers.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and password (hashed). If you subscribe to Pro, we collect billing information processed through Stripe (we do not store credit card numbers directly).

2.2 Usage Data

We automatically collect information about how you interact with the Services, including pages viewed, features used, API endpoints called, timestamps, IP address, browser type, device type, and referring URL.

2.3 API Usage Data

For Pro subscribers using the developer API, we log API requests including endpoint, timestamp, response status, and API key identifier for rate limiting and abuse prevention purposes.

2.4 Communication Data

If you contact us via email or through the Site, we collect the content of your message, your email address, and any information you voluntarily provide.

2.5 Information We Do Not Collect

  • We do not collect social security numbers, government IDs, or biometric data
  • We do not collect location data beyond IP-based geolocation
  • We do not collect data from third-party social media accounts
  • We do not use third-party advertising trackers or pixels

3. Legal Basis for Processing

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

Processing ActivityLegal BasisGDPR Article
Account creation and managementPerformance of contractArt. 6(1)(b)
Payment processingPerformance of contractArt. 6(1)(b)
Service delivery and API accessPerformance of contractArt. 6(1)(b)
Security, fraud prevention, abuse detectionLegitimate interestArt. 6(1)(f)
Service improvement and analyticsLegitimate interestArt. 6(1)(f)
Legal complianceLegal obligationArt. 6(1)(c)
Marketing communicationsConsentArt. 6(1)(a)

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time by contacting us at contact@perennialmetrics.com.

You also have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/.

4. How We Use Information

We use collected information for the following purposes:

  • Authentication and Account Management: To create and manage your account, verify your identity, and provide access to the Services
  • Billing and Payments: To process subscription payments, manage billing cycles, and handle refunds through Stripe
  • Service Delivery: To provide analytics, visualizations, API access, and other features of the Services
  • Rate Limiting and Security: To enforce API rate limits, prevent abuse, detect fraud, and protect the integrity of the Services
  • Communication: To respond to your inquiries, send service-related notifications, and provide customer support
  • Service Improvement: To analyze usage patterns, diagnose technical issues, and improve the Services
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes

AI-Assisted Content and Data Enhancement

We use the Anthropic Claude API to generate editorial content such as game recaps, player profiles, analytical narratives, and data stories using NHL statistical data as input. We also use AI for data enhancement, including entity extraction from NHL news sources and structured data processing. No personal user data is transmitted to Anthropic for these purposes. AI-generated or AI-assisted content is identified with a disclosure label on the Services.

We do not use your personal information for automated decision-making or profiling that produces legal effects or similarly significant effects on you.

5. Information Sharing

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

  • Service Providers: We share information with third-party service providers who perform services on our behalf, subject to confidentiality obligations (see Section 6)
  • Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request
  • Protection of Rights: We may disclose information to protect our rights, privacy, safety, or property, or that of our users or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction

6. Service Providers

We use the following third-party service providers to operate the Services:

ProviderPurposeData Shared
Authentication Provider (TBD)Authentication & user sessionsEmail, name, login activity
StripePayment processing & billingPayment method, billing address, transaction history
Amazon Web ServicesCloud infrastructure (us-east-1)All service data (encrypted at rest and in transit)
SnowflakeData warehouseAnalytics data (no personal user data)
AnthropicAI content generation and data enhancement (Claude API)NHL statistical data, game event data, and news text for entity extraction (no personal user data)

Each provider is bound by their own privacy policy and data processing agreements. We do not share more information than necessary for each provider to perform its designated function.

7. Cookies and Tracking Technologies

We use only essential cookies required for the functioning of the Services:

  • Authentication Cookies: To maintain your login session (managed by our authentication provider)
  • Security Cookies: To prevent cross-site request forgery and other security threats
  • Preference Cookies: To remember your display preferences and settings

We do not use:

  • Third-party advertising cookies or tracking pixels
  • Cross-site tracking technologies
  • Fingerprinting techniques
  • Social media tracking widgets

We use server-side analytics (request logs) rather than client-side tracking scripts to understand usage patterns. We do not use Google Analytics, Facebook Pixel, or similar third-party analytics services.

Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. Because there is no industry consensus on how to respond to DNT signals, we do not currently alter our data collection practices in response to DNT signals. If an industry standard is adopted, we will update this policy accordingly.

Cookie Consent

For users in the European Economic Area, United Kingdom, or Switzerland, we will present a cookie consent mechanism before placing any non-essential cookies on your device. Essential cookies required for authentication and security do not require consent under the ePrivacy Directive.

8. Data Retention

  • Account Data: Retained for the duration of your account. Deleted within 30 days of account closure upon request.
  • Usage and API Logs: Retained for 12 months for security and service improvement, then automatically purged.
  • Billing Records: Retained for 7 years as required by tax and financial regulations.
  • Communication Records: Retained for 2 years from the date of last communication.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate personal information
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to certain processing of your personal information
  • Restriction: Request restriction of processing in certain circumstances

To exercise any of these rights, contact us at contact@perennialmetrics.com. We will respond within 30 days of receiving your request.

Data Portability

Upon request prior to account deletion, we will provide an export of your account data (account information, usage history, saved configurations) in a machine-readable format (JSON) within 30 days.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request deletion of your personal information
  • Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Limit Use of Sensitive Information: We do not collect sensitive personal information as defined by the CPRA

Categories of Personal Information

CategoryExamplesCollectedPurposeShared With
IdentifiersName, email, IP addressYesAccount management, service deliveryAuth provider, AWS
Commercial InformationSubscription history, transaction recordsYesBilling, account managementStripe
Internet ActivityPages viewed, API calls, browser typeYesSecurity, service improvementAWS
GeolocationIP-based approximate locationYesSecurity, complianceAWS

Right to Opt-Out of Sharing

We do not sell or share (as defined by the CPRA) your personal information for cross-context behavioral advertising. No opt-out is necessary.

Authorized Agents

You may designate an authorized agent to submit privacy requests on your behalf. The agent must provide proof of authorization (written permission signed by you or power of attorney). We may contact you directly to verify the request.

Verification

To protect your privacy, we will verify your identity before processing any rights request. We may ask you to confirm your account email address or provide additional identifying information.

Financial Incentives

The free tier of the Services is not a financial incentive program as defined by the CPRA. Access to free features is not conditioned on the collection or sale of personal information beyond what is necessary for service delivery.

To submit a request, email contact@perennialmetrics.com with the subject line "California Privacy Request." We will respond to verifiable requests within 45 days, with a possible 45-day extension if reasonably necessary. We will verify your identity before processing the request.

11. Children's Privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

If you believe we have collected information from a child under 16, please contact us at contact@perennialmetrics.com.

12. International Data Transfers

The Services are hosted in the United States (AWS us-east-1). If you access the Services from outside the United States, your information will be transferred to and processed in the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we transfer personal data to the United States using the following safeguards:

  • Standard Contractual Clauses (SCCs). We rely on European Commission-approved Standard Contractual Clauses as the primary legal mechanism for data transfers. Our service providers (AWS, Stripe, and our authentication provider) maintain SCCs as part of their data processing agreements.
  • Supplementary Measures. We implement supplementary technical measures including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and data minimization to ensure an adequate level of protection.
  • Data Processing Agreements. We maintain Data Processing Agreements (DPAs) with all sub-processors that handle personal data, as required by GDPR Article 28.

If you have questions about international data transfers, contact us at contact@perennialmetrics.com.

13. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Secure password hashing via our authentication provider's infrastructure
  • API key authentication with scoped permissions
  • Rate limiting and abuse detection on all endpoints
  • Regular security reviews and infrastructure monitoring
  • Access controls limiting employee access to personal data on a need-to-know basis
  • AWS security best practices including VPC isolation, security groups, and IAM policies

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. Liability related to data security is governed by our Terms of Service.

Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay, and in any event within 72 hours of becoming aware of the breach where feasible. We will also notify the relevant supervisory authority as required by applicable law.

14. Additional State Privacy Rights

In addition to California (Section 10), residents of certain states have specific privacy rights:

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, and Montana residents may have the right to: access their personal data; correct inaccuracies; delete personal data; obtain a copy in a portable format; and opt out of the sale of personal data, targeted advertising, and certain profiling.

We do not sell personal data, engage in targeted advertising, or profile users for decisions that produce legal or similarly significant effects. To exercise any state privacy right, contact us at contact@perennialmetrics.com. If we decline a request, you may appeal by emailing the same address with "Privacy Appeal" in the subject line. We will respond to appeals within 60 days.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Site with a new effective date. For significant changes, we will provide notice via email (if you have an account) at least 30 days before the changes take effect.

Your continued use of the Services after the effective date of a revised policy constitutes acceptance of the updated terms.

16. Contact Us

If you have questions or concerns about this Privacy Policy, or wish to exercise your privacy rights, please contact us:

Data Flow, LLC dba Cogs and Roses
Operating as Perennial Metrics
Email: contact@perennialmetrics.com

We will respond to all privacy-related inquiries within 30 days.