Privacy Policy

1. Data Controller

The entity responsible for processing your personal data is:

[YOUR FULL LEGAL NAME / COMPANY NAME]
[Street Address]
[Postal Code] [City], Germany
Email: privacy@Vantix.io
[Optional: VAT ID / Handelsregisternummer]

2. Data We Collect

2.1 Account Data

When you create an account, we collect your email address and a hashed password. We do not store your password in plain text.

2.2 Usage & Prediction Data

When you use the analysis features, we store your prediction requests including player names, odds inputs, the model's output probability, and the resulting signal. This data is linked to your account.

2.3 Payment Data

Payment processing is handled entirely by Stripe. Vantix stores only your Stripe Customer ID and subscription status. We never see or store your full card number, CVC, or banking details.

2.4 Technical Data

Our servers and third-party infrastructure may collect standard technical log data, including IP addresses, browser type, referrer URLs, and timestamps. This data is used for security and performance monitoring only.

3. Legal Basis for Processing

Processing Activity	Legal Basis (GDPR Art.)
Creating and managing your account	Art. 6(1)(b) — Performance of a contract
Processing subscription payments	Art. 6(1)(b) — Performance of a contract
Storing prediction history	Art. 6(1)(b) — Performance of a contract
Sending transactional emails	Art. 6(1)(b) — Performance of a contract
Security logging and fraud prevention	Art. 6(1)(f) — Legitimate interests
Marketing emails (if opted in)	Art. 6(1)(a) — Consent

4. How We Use Your Data

We use your data exclusively for the following purposes:

Providing and improving the Vantix service
Authenticating your identity and managing your subscription tier
Processing payments and issuing receipts via Stripe
Displaying your personal prediction history and accuracy statistics
Sending account-related emails (registration confirmation, password reset, billing receipts)
Ensuring the security and stability of the platform

We do not sell your personal data to third parties. We do not use your data for automated profiling or advertising targeting.

5. Third-Party Services

We use the following third-party sub-processors to deliver our service:

Service	Purpose	Data Location
Supabase	Database, authentication, and backend infrastructure	EU (Frankfurt, Germany)
Stripe	Payment processing and subscription management	EU / USA (Standard Contractual Clauses)
Render	Machine learning API hosting (prediction engine)	EU / USA (Standard Contractual Clauses)
Vercel	Frontend hosting and CDN	EU / USA (Standard Contractual Clauses)

Where sub-processors are located outside the EU/EEA, data transfers are governed by Standard Contractual Clauses (SCCs) as required by GDPR Art. 46.

6. Data Retention

We retain your personal data only as long as necessary:

Account data: Kept for the duration of your account. Deleted within 30 days of account deletion request.
Prediction history: Kept for the duration of your account. Deleted on request or account closure.
Payment records: Retained for 10 years as required by German commercial law (§ 257 HGB).
Technical logs: Retained for a maximum of 90 days.

7. Your Rights (GDPR)

As a data subject under the GDPR, you have the following rights:

Right of access (Art. 15) — Request a copy of the personal data we hold about you.
Right to rectification (Art. 16) — Request correction of inaccurate data.
Right to erasure (Art. 17) — Request deletion of your personal data ("Right to be forgotten").
Right to restriction (Art. 18) — Request that we limit the processing of your data.
Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
Right to object (Art. 21) — Object to processing based on legitimate interests.
Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@Vantix.io. We will respond within 30 days.

You also have the right to lodge a complaint with the relevant supervisory authority. The competent authority for Germany is:

[Relevant State Data Protection Authority — e.g. Der Berliner Beauftragte für Datenschutz und Informationsfreiheit]
[Address and website of your state's DPA]

8. Cookies

Vantix uses the minimum necessary cookies to operate the service:

Cookie	Purpose	Duration
`sb-access-token`	Supabase authentication session token	Session / 1 hour
`sb-refresh-token`	Supabase session refresh token	60 days

We do not use tracking, advertising, or analytics cookies. No cookie consent banner is required for strictly necessary cookies.

9. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

All data in transit is encrypted via TLS 1.2+
Passwords are hashed using bcrypt (managed by Supabase Auth)
Row-Level Security (RLS) enforced at the database level — users can only access their own data
API keys and secrets are stored exclusively in environment variables and never exposed to the client

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Art. 33–34.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

Continued use of Vantix after a policy update constitutes acceptance of the new terms.

11. Contact

For any questions regarding this Privacy Policy or your personal data, please contact:

[YOUR NAME / COMPANY NAME]
Email: privacy@Vantix.io
[Mailing address, Germany]

We aim to respond to all privacy-related requests within 30 days.