Privacy Policy
Last updated: 12 June 2026
Effective from: 12 June 2026
1. Data Controller
TrapStats
Registered in CEIDG (Poland), NIP: 9592064173
REGON: 525970500
CEIDG registration date: 01.08.2023
Data protection enquiries: privacy@trapstats.co.uk
2. What Data We Collect
We collect and process the following categories of personal data, each with a specific lawful basis under UK GDPR / EU GDPR:
| Data Type | Purpose | Lawful Basis | Retention |
|---|---|---|---|
| Email address | Account creation, service delivery | Contract (Art. 6(1)(b)) | Account lifetime + 6 months |
| Name | Personalisation, communication | Contract | Account lifetime + 6 months |
| Payment information | Subscription billing | Contract | Processed by Stripe — we never store card details |
| IP address (server logs) | Security, rate limiting | Legitimate Interest (Art. 6(1)(f)) | 90 days |
| Authentication & billing events (IP, device, timestamp at sign-up, login, checkout, payment) | Fraud prevention, defence of legal claims (incl. payment disputes) | Legitimate Interest (Art. 6(1)(f)) | Account lifetime + 2 years |
| Usage aggregates (per-day session counts, time on site, sections used) | Fraud prevention, defence of legal claims | Legitimate Interest (Art. 6(1)(f)) | Account lifetime + 2 years |
| Usage data (pages viewed, features used) | Service improvement | Legitimate Interest | 12 months (anonymised) |
| Device/browser type | Technical compatibility | Legitimate Interest | 90 days |
| Betting preferences (selected tracks, alerts) | Feature personalisation | Contract | Account lifetime |
| Email marketing preferences | Newsletter, promotions | Consent (Art. 6(1)(a)) | Until consent withdrawn |
| Support correspondence | Customer service | Contract | 3 years |
| Financial records (invoices) | Legal/tax compliance | Legal Obligation (Art. 6(1)(c)) | 7 years (HMRC requirement) |
Fraud prevention and defence of legal claims
When you create an account, accept our Terms, log in or start a checkout, or when a payment succeeds or fails, we record the event together with your IP address, device/browser identifier and a timestamp. We also keep daily usage aggregates (number of sessions, time on site, sections used) and archived, integrity-hashed copies of the legal pages you accepted. We use this information solely to prevent fraud and to establish, exercise or defend legal claims — in particular to respond to payment disputes (chargebacks) with documentary evidence of contract formation and service delivery.
The lawful basis is our legitimate interest (UK GDPR / EU GDPR Art. 6(1)(f)) in protecting our business from fraudulent payment reversals; this processing is limited to the minimum necessary and does not involve profiling or marketing. These records are kept for the lifetime of your account and for 2 years after its deletion, as permitted for the establishment, exercise or defence of legal claims (Art. 17(3)(e)), after which they are permanently erased.
You may object to this processing at any time by contacting privacy@trapstats.co.uk; we will assess your objection against the compelling-grounds test in Art. 21(1).
3. Analytics — Privacy-First Approach
We use Plausible Analytics, a privacy-focused analytics service that does NOT use cookies, does NOT collect personal data, and does NOT track individual users across websites. Plausible is hosted in the EU and is fully GDPR compliant. No cookie consent is required for Plausible.
4. Third-Party Data Sharing
We share data with the following third parties, each under appropriate safeguards:
| Provider | Purpose | Data Shared | Location | Safeguards |
|---|---|---|---|---|
| Stripe Inc. | Payment processing | Email, name, payment details | USA/EU | EU-US Data Privacy Framework + SCCs |
| Plausible Analytics | Anonymous site analytics | None (no personal data) | EU (Germany) | N/A — no personal data |
| Hetzner | Server hosting | All platform data | EU (Finland) | DPA + adequate safeguards |
We do not sell your personal data to any third party.
5. International Data Transfers
Our servers are located in the EU (Finland, Hetzner). For users in Ireland (EU), data transferred to the UK is protected by the European Commission's adequacy decision for the United Kingdom (adopted 28 June 2021). For transfers to the United States (Stripe), we rely on Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework where applicable.
6. Your Rights
Under UK GDPR and EU GDPR, you have the following rights:
- Right of access (Subject Access Request) — obtain a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your data
- Right to restrict processing — limit how we use your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw marketing consent at any time
- Right not to be subject to automated decision-making — request human review
To exercise any of these rights, email: privacy@trapstats.co.uk. We will respond within 30 days (UK GDPR) / 1 month (EU GDPR).
UK residents: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) — ico.org.uk — Tel: 0303 123 1113
Irish residents: You have the right to lodge a complaint with the Data Protection Commission (DPC) — dataprotection.ie — Tel: +353 (0)761 104 800
EU residents (other): You may lodge a complaint with your local supervisory authority.
7. Children's Privacy
TrapStats is intended for users aged 18 and over only. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it immediately.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including: encryption in transit (TLS 1.3), encryption at rest, access controls, regular security reviews, and incident response procedures.
Payment data is handled exclusively by Stripe, a PCI-DSS Level 1 certified payment processor. We never see, store, or process your full card number.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email (if you have an account) and by posting the updated policy on this page with a new "Last updated" date.
10. Contact
Data Protection Officer: privacy@trapstats.co.uk
General enquiries: support@trapstats.co.uk
Postal address: Poland