NBA Top Shot


NBA Top Shot


Privacy Policy


Last Updated: June 29, 2023

NBA Top Shot is an application that provides users with the opportunity to purchase, collect, and showcase digital blockchain collectibles containing exclusive content from the National Basketball Association (the “NBA”) and its current and former players (collectively, the “App”).  The App is proprietary to Dapper Labs, Inc. (referred to in this privacy policy as “DLI”, “we”, “us”, or “our”).

DLI is committed to protecting and respecting your privacy. This privacy policy (this “Policy”) sets out how we collect and process personal information about you when you visit our website at, when you sign up for or use the App, or when you otherwise do business or make contact with us.  

1. What information do we collect?


DLI collects data to enable us to operate the App effectively, and to provide you with the best experience on the App. You provide some of this data to us directly, such as when you register to use the App, subscribe to a newsletter, respond to a survey, make an enquiry through our website, contact us for support, or contact us as a prospective user, vendor, supplier, or consultant. We get some of your data by recording how you interact with the App by, for example, using technologies like cookies. We also obtain and process data in the context of making the App available to you. In limited circumstances we may require you to share your Geo-Location as described in this Policy to access certain features, or to allow us to perform geo-specific services that you request.


You have choices about the data we collect. When you are asked to provide personal data, you may decline. But if you choose not to provide data that is necessary to enable us to make the App available to you, you may not be able to sign up for or use the App. The data we collect depends on the context of your interactions with DLI, and the choices you make (including your privacy settings). The data we collect can include the following:

Email and Electronic Wallet Address. We may collect your email address and your electronic wallet address.

Device and Usage information. We may collect data about your device and how you and your device interact with DLI and our App. For example, we may collect your interactions on our website, your feature usage patterns, location data, and your interactions with us. We may also collect data about your device and the network you use to connect to our App; this may include data such as your IP address, browser type, operating system, and referring URLs.

2. What do we use your information for?


We use the data we collect to operate our business and to make the App available to you. This includes using the data to improve our App and to personalize your experiences. We may also use the data to communicate with you to, among other things, inform you about your account, provide security updates, and give you information about the App. We may also use the data to manage your email subscriptions, improve the relevance and security of our website, respond to user enquiries, and send you periodic marketing communications about our App.


We use data to provide the App to you, to improve the App, and to perform essential business operations. This includes operating the App, maintaining and improving the performance of the App, developing new features, conducting research, providing customer support, and to enforce our Terms of Use. Examples of such uses include the following:

Providing the App. We use data to carry out your transactions with us and to make the App available to you. In certain cases, the App may include personalized features, geo-specific services and recommendations to enhance your enjoyment, and automatically tailor your experience based on the data we have about you (and your location, if required to perform geo-specific services).

Technical support. We use data to diagnose problems, and to provide customer care and other support services.

Improving the App. We use data to continually improve the App, including system administration, system security, and adding new features or capabilities.

Business Operations. We use data to develop aggregate analyses and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business.

Promotions. We may use your data to administer contests, promotions, surveys, or other site features.

Improving Advertising Campaigns. We may use your data to improve our advertising campaigns, primarily in an effort to prevent targeting you with advertisements that are not relevant to you.

Sending Periodic Emails. We may use your data to send you periodic emails. Depending on the marketing preferences you select on your privacy dashboard, we may send you occasional marketing emails about our App, which you can unsubscribe from at any time using the link provided in the message.

Communications. We use data we collect to communicate with you, and to personalize our communications with you. For example, we may contact you to discuss your account, to remind you about features of the App that are available for your use, to update you about a support request, or to invite you to participate in a survey. Additionally, you can sign up for email subscriptions, and choose whether you want to receive marketing communications from us.

3. How do we protect your information?

We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information. We offer the use of a secure server. All supplied sensitive information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our gateway providers database only to be accessible by those authorized with special access rights to such systems, and are required to keep the information confidential. If we collect your geo-location information, such information will be secured, de-identified and disassociated with your personal information upon our collection.

4. How do we ensure that our processing systems remain confidential, resilient, and available?


We implement a variety of measures to ensure that our processing systems remain confidential, resilient, and available. Specifically, we have implemented processes to help ensure high availability, business continuity, and prompt disaster recovery. We commit to maintaining strong physical and logical access controls, and conduct regular penetration testing to identify and address potential vulnerabilities.


High Availability. Every part of the App utilizes properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in case of failure. We take servers out of operation as part of regular maintenance, without impacting availability.

Business Continuity. We keep encrypted backups of data daily in multiple regions on Google Cloud Platform. While never expected, in the case of production data loss (i.e., primary data stores loss), we will restore organizational data from these backups.

Disaster Recovery. In the event of a region-wide outage, we will bring up a duplicate environment in a different Google Cloud Platform region. Our operations team has extensive experience performing full region migrations.

Physical Access Controls.  The App is hosted on Google Cloud Platform, whose data centers feature a layered security model, including extensive safeguards such as custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. DLI employees do not have physical access to these data centers, servers, network equipment, or storage.

Logical Access Controls. Only designated, authorized operations team members have access to configure the infrastructure on an as-needed basis behind a two-factor authenticated virtual private network. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.

5. Do we use cookies?


Yes. Cookies are small files that a site or its service provider transfers to your computers hard drive through your Web browser (if you allow) that enables the sites or service providers systems to recognize your browser and capture and remember certain information. You can choose to disable cookies, but if you do, your ability to use or access certain parts of the App may be affected.


We use cookies and other similar identifiers to understand and save your preferences for future visits, to advertise to you on other sites, and to compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.

You may refuse to accept cookies by activating the setting on your browser that allows you to refuse the setting of cookies. You can find information on popular browsers and how to adjust your cookie preferences at the following websites:

Microsoft Internet Explorer

Mozilla Firefox

Google Chrome

Apple Safari

However, if you choose to disable cookies, you may be unable to access certain parts of our website. A banner asking you to accept our cookies policy will be displayed upon the first visit to our website (or the first visit after you delete your cookies). Unless you have adjusted your browser setting so that it will refuse cookies and/or you have not accepted our cookies policy, our system will issue cookies when you log on to our site.

Our web pages may contain electronic images known as web beacons (also called single-pixel gifs) that we use to help deliver cookies on our websites and to count users who have visited those websites. We may also include web beacons in our promotional email messages or newsletters, to determine whether and when you open and act on them.

In addition to placing web beacons on our own websites, we sometimes work with other companies to place our web beacons on their websites or in their advertisements. This helps us to develop statistics on how often clicking on an advertisement on a DLI website results in a purchase or other action on the advertiser's website.

Finally, our App may contain web beacons or similar technologies from third-party analytics providers that help us compile aggregated statistics about the effectiveness of our promotional campaigns or other operations. These technologies enable the analytics providers to set or read their own cookies or other identifiers on your device, through which they can collect information about your online activities across applications, websites or other products.

6. Do we use your location information?


For limited purposes (including our geo-specific services, to the extent that you request them), it may be necessary for us to collect geo-location information related to our performance of such services. If collected, we may also analyze such geo-location information on an aggregated and anonymized basis to gain insights into user behavior and practices. This information helps us enhance and optimize our services to provide a better user experience. Geo-location information may also assist us in detecting and preventing unauthorized access, fraud, or other security risks to help protect our uses and maintain the integrity of our services.


We do not automatically collect geo-location information. We will only collect such information if it is necessary to perform our geo-location-required services, and only after you have approved our collection of such data. Please note that there is a likelihood that our geo-location services will not be available if you do not opt-in to share your geo-location data with us. We will de-identify and anonymize your geo-location data, to disassociate your location information with your personal data/information. We may share your geo-location on an anonymized basis to third-party service providers who assist us with performance of our geo-location services. We will retain your geo-location data only for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. You have the right to control the collection and use of your geo-location data. Most mobile devices and web browsers provide options to disable or limit geo-location services.

7. Do we disclose any information to outside parties?


We share your personal data with your consent, or as necessary to make the App available to you. We also share your data with the NBA and the NBA Players’ Association; vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security and integrity of our App; and to protect our rights or our property.


We share your personal data with your consent, or as necessary to make the App available to you. We share your data with the NBA and the NBA Players’ Association, since they are some of the major content providers for the App. You will be asked to agree to their terms of service and privacy policies as well when you sign up to use the App.  You have the right to refuse, but if you do refuse, you may not be able to complete your registration or use the App. 

We also share personal data with vendors or agents working on our behalf for the purposes described in this Policy. For example, companies we have hired to provide cloud hosting services, off-site backups, and customer support may need access to personal data to provide those functions. In such cases, these companies are required to abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose.  If you have questions or concerns about any of our vendors, feel free to contact us at

We may disclose your personal data as part of a corporate transaction such as a corporate sale, merger, reorganization, dissolution, or similar event. Finally, we will access, transfer, disclose, and/or preserve personal data, when we have a good faith belief that doing so is necessary to:

(1) comply with applicable law or respond to valid legal process, judicial orders, or subpoenas;

(2) respond to requests from public or governmental authorities, including for national security or law enforcement purposes;

(3) protect the vital interests of our users, customers, or other third parties (including, for example, to prevent spam or attempts to defraud users of our products, or to help prevent the loss of life or serious injury of anyone);

(4) operate and maintain the security or integrity of our App, including to prevent or stop an attack on our computer systems or networks;

(5) protect the rights, interests or property of DLI or third parties;

(6) prevent or investigate possible wrongdoing in connection with the App; or

(7) enforce our Terms of Use.

We may use and share aggregated non-personal information with third parties for marketing, advertising, and analytics purposes. We do not sell or trade your personal information to third parties.

8. How to Access and Control Your Personal Data


You can view, access, edit, delete, or request a copy of your personal data for many aspects of the App via your user dashboard. You can also make choices about DLI’s collection and use of your data. You can always choose whether you want to receive marketing communications from us. You can also opt out from receiving marketing communications from us by using the opt-out link on the communication, or by visiting your user dashboard.


Data Access. You can access your personal data on your account’s user dashboard.

Data Portability. You can request a copy of your personal data by submitting an email to us at and including “Please send me a copy of my personal data” in the “Subject” line. DLI will verify your ability to access that email, then send you a digital export of the data we hold that is associated with your email address. We will use reasonable efforts to respond to your request within 30 days of our receipt of verification of the request. DLI may be limited in its ability to send certain personal data to you (e.g., the identification of your electronic wallet).

Data Erasure. You may request that DLI delete your personal data by submitting an email to us at and including “Please delete my personal data” in the “Subject” line. DLI will verify your ability to access that email, then delete the personal data associated with your email address. We will use reasonable efforts to respond to your request within 30 days of our receipt of verification of the request.

Data Correction. You can modify your personal data via your account’s user dashboard. Note that since some of the data we collect is specific to you – for example, your electronic wallet address – you may not be able to modify this data without needing to create a new user profile.

Your Communications Preferences. You can choose whether you wish to receive marketing communications from us. If you receive marketing communications from us and would like to opt out, you can do so by following the directions in that communication. You can also make choices about your receipt of marketing communications by signing into your account, and viewing and managing your communication permissions in your account’s user dashboard, where you can update contact information, manage your contact preferences, opt out of email subscriptions, and choose whether to share your contact information with DLI and our partners. Alternatively, you can request that we withdraw your consent to use your personal data by submitting an email to us at and including “Please withdraw my consent for marketing communications” in the “Subject” line. DLI will verify your ability to access that email, then update our systems to remove your email address from the system we use to send marketing communications. We will use reasonable efforts to respond to your request within 30 days of our receipt of verification of the request. Please note that these choices do not apply to mandatory communications that are part of the App, or to surveys or other informational communications that have their own unsubscribe method.

8. Third Party Links

Occasionally, at our discretion, we may include or offer third party products or services on our website or through our App. If you access other websites using the links provided, the operators of these websites may collect information from you that will be used by them in accordance with their privacy policies. These third party sites have separate and independent privacy policies. We, therefore, have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

9. Where we Store and Process Personal Data; International Transfers

Personal data collected by DLI may be stored and processed in the United States, Canada, or in any other country where DLI or its affiliates, subsidiaries or service providers maintain facilities. The storage location(s) are chosen in order to operate efficiently, to improve performance, and to create redundancies in order to protect the data in the event of an outage or other problem. We take steps to ensure that the data we collect is processed according to the provisions of this Policy and the requirements of applicable law wherever the data is located.

We transfer personal data from the European Economic Area and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we engage in such transfers, we use a variety of legal mechanisms, including contracts, to help ensure your rights and protections travel with your data. To learn more about the European Commission’s decisions on the adequacy of the protection of personal data in the countries where DLI processes personal data, please visit:

10. Data Retention


We may retain your personal information as long as you continue to use the App, have an account with us, or for as long as is necessary to fulfill the purposes outlined in this Policy. You can ask to close your account by contacting us as described above, and we will delete your personal information on request. We may, however, retain personal information for an additional period as is permitted or required under applicable laws, for legal, tax, or regulatory reasons, or for legitimate and lawful business purposes.


We will retain your personal data for as long as necessary to make the App available to you, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different types of data, actual retention periods can vary significantly. The criteria we use to determine the retention periods include:

How long is the personal data needed to make the App available to you and/or operate our business? This includes such things such as maintaining and improving the performance of the App, keeping our systems secure, and maintaining appropriate business and financial records. This is the general rule that establishes the baseline for most data retention periods.

Is there an automated control, such as in your user dashboard, that enables you to access and delete the personal data at any time? If there is not, a shortened data retention time will generally be adopted.

Is the personal data of a sensitive type? If so, a shortened retention time would generally be appropriate.

Has the user provided consent for a longer retention period? If so, we will retain the data in accordance with your consent.

Is DLI subject to a legal, contractual, or similar obligation to retain the data? Examples can include mandatory data retention laws in the applicable jurisdiction, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of litigation.

11. Use of Generative Artificial Intelligence for Customer Support/Service Disclosure 

Dapper Labs would like to inform you that we may utilize generative artificial intelligence (AI) technology in our customer service and support operations. This technology allows us to provide faster and more efficient responses to your inquiries, but we also want to ensure that you are aware of its limitations and to disclose that your communications may be retained by the generative AI vendor only for limited purposes and only as otherwise allowed by applicable law.

Please note that while our AI system may be trained to handle a variety of customer issues, it is not perfect and may not always provide the most accurate or appropriate response. In some cases, our AI system may require human intervention to resolve a more complex issue or provide a personalized response.

Furthermore, we want to emphasize that any advice or suggestions provided by our AI system should not be considered a substitute for professional advice or consultation. We strongly recommend that you consult with a qualified professional for any matter that may require specialized knowledge or expertise.  Dapper Labs disclaims all liability associated with the generative AI responses and your use of information provided by such generative AI response.  The responses provided by our generative AI system is for informational use only.

Lastly, we want to assure you any data collected by our AI system is treated with the utmost care and only used to improve our services and support operations.  Data collected through our AI system will only be used in accordance with this privacy policy.  For more information regarding the generative AI system's collection, use and retention of your personal information please see the applicable AI system vendor's privacy policy. 

12. Changes to our Privacy Policy

We will update this Policy when necessary to reflect customer feedback and changes to our App. When we post changes to this statement, we will revise the "last updated" date at the top of the statement. If there are material changes to the Policy or in how DLI will use your personal data, we will notify you either by prominently posting a notice of such changes before they take effect or by sending you a notification directly. We encourage you to periodically review this privacy statement to learn how DLI is protecting your information.

13.  California Resident Rights

If you are a California resident, you have the rights set forth in this section. Please see the “Exercising Your Rights” section below for instructions regarding how to exercise these rights. If there are any conflicts between this section and any other provision of this Privacy Policy and you are a California resident, the portion that is more protective of your personally-identifiable data will control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at

Exercising Your Rights

Please follow the instructions and requirements described below when submitting your requests. Requests that fail to comply with any of these instructions and requirements may result in delayed or no response.

To exercise the rights described below as a California resident, you must send us a request (1) that provides sufficient information to allow us to verify that (i) you are the person about whom we have collected personal data, (ii) you, as the requester, are the same person as the data subject for whose information you’re requesting (or such person’s parent/guardian), (2) that describes your request in sufficient detail to allow us to understand, evaluate and respond to it, (3) that declares, under the penalty of perjury, that you’re exercising your rights under the CCPA as a California resident solely for lawful purposes, and (4) in a way that does not and would not unduly burden or otherwise abuse our data request system and/or our App. Each request that meets all of these criteria, and which is confirmed via email verification, will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will use commercially reasonable efforts to determine whether a request may be for harmful, fraudulent, deceptive, threatening, harassing, defamatory, obscene, or otherwise objectionable purposes, and we reserve the right not to respond to such request. We will only use your personal data provided in a Valid Request to verify your identity and complete your request. You do not need an account on the App to submit a Valid Request.

We will work to respond to your Valid Request within 45 days of receipt. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.

You may submit a Valid Request using the following methods:

Email us at:

Submit a form at this address:

You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.


You have the right to request certain information about our collection and use of your personal data over the past 12 months. In response to a Valid Request, we will provide you with the following information:

The categories of personal data that you requested and that we have collected about you.

The categories of sources from which that personal data was collected.

The business or commercial purpose for collecting your personal data.

The categories of third parties with whom we have shared your personal data.

The specific pieces of Personal Data that you explicitly requested and that we have collected about you.

If we have disclosed your personal data to any third parties for a business purpose over the past 12 months, we will identify the categories of personal data shared with each category of third party recipient. 


You have the right to request that we delete the personal data that we have collected about you. Under the CCPA, this right is subject to certain exceptions: for example, we may need to retain your personal data to provide you with access to the App or complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request. 

We Do Not Sell Your Personal Data

In this section, we use the term ‘sell’ as it is defined in the CCPA. We do not sell your personal data. 

We Will Not Discriminate Against You for Exercising Your Rights Under the CCPA

We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA. However, we may offer different tiers of our products or services as allowed by applicable data privacy laws (including the CCPA) with varying prices, rates or levels of quality of the goods or services you receive related to the value of personal data that we receive from you. 

14. How to Contact Us

If you have a technical or support question, please send us an email at

If you have a privacy concern, complaint, or a question for the Data Protection Officer of DLI, please contact us by sending us an email at  We will respond to questions or concerns within 30 days.

Unless otherwise stated, DLI is a data controller for personal data we collect through the App subject to this statement. Our address is 600-565 Great Northern Way, V5T 0H8, Vancouver, BC, Canada.