Privacy Policy
Last updated: 17 May 2026.
This policy explains what personal data BetProps (bet-props.com) collects, why, how long it is kept, and the rights you have under the EU General Data Protection Regulation (GDPR) and Swedish dataskyddslagen (2018:218).
1. Controller
BetProps is currently operated as a personal project by [FILL IN: Your full name], based in Sweden ([FILL IN: Street address, postcode, city, Sweden]). All privacy questions and rights requests: [email protected].
2. What we collect and why
| Data | Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Username, email, hashed password | Account creation and sign-in | Contract performance — Art. 6(1)(b) | Until you delete your account, then 30 days |
| Subscription status, Stripe customer/subscription IDs | Provide paid features, billing | Contract performance — Art. 6(1)(b) | While subscribed + 7 years for accounting (bokföringslagen) |
| Failed login attempts (IP, user agent, timestamp) via django-axes | Brute-force protection | Legitimate interest — Art. 6(1)(f) | 30 days |
| Contact / feedback messages | Respond to your message | Legitimate interest — Art. 6(1)(f) | 12 months after resolution |
| Server logs (IP, request path, status, timestamp) | Operations and abuse investigation | Legitimate interest — Art. 6(1)(f) | 14 days |
We do not use Google Analytics, advertising trackers, social login, or any third-party analytics. We do not sell or rent personal data.
3. Payments
Payments are processed by Stripe Payments Europe Ltd. Card details are entered directly into Stripe's checkout and never reach our servers. We store only the Stripe customer ID and subscription ID that Stripe gives us. See Stripe's privacy notice at stripe.com/privacy.
4. Subprocessors
We rely on the following service providers to run the Site:
- DigitalOcean, LLC — application hosting (EU region).
- Stripe Payments Europe Ltd. — payment processing.
- PingCAP (TiDB Cloud) — analytics databases for NHL odds and stats.
- One.com A/S — outgoing transactional email (e.g. password resets, contact replies).
Where a provider is outside the EU/EEA, transfers rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (DPF). On request we will provide a copy of the relevant transfer mechanism.
5. Cookies
We use only strictly necessary cookies (session, CSRF, cookie-consent). No analytics or advertising cookies are set. Full breakdown on the cookie policy page.
6. Your rights
Under GDPR you have the right to:
- access the personal data we hold about you (Art. 15);
- have inaccurate data corrected (Art. 16);
- have your data erased (Art. 17), subject to legal retention obligations such as bookkeeping;
- restrict or object to processing (Art. 18, 21);
- receive your data in a portable, machine-readable format (Art. 20);
- withdraw any consent you have given, without affecting prior processing (Art. 7).
If you have an account, you can self-serve the two most common requests from the account page: export your data (Art. 20) or delete your account (Art. 17). For any other request, or if you don't have an account, email [email protected]. We respond within 30 days.
You also have the right to lodge a complaint with the Swedish supervisory authority, Integritetsskyddsmyndigheten (IMY) — imy.se.
7. Security
Passwords are stored hashed (Django default: PBKDF2-SHA256). Connections are served over HTTPS with HSTS. Database connections to subprocessors use TLS. Failed login attempts are rate-limited via django-axes. No system is perfectly secure — please notify us at [email protected] if you discover a vulnerability.
8. Children
The Site is intended for users aged 18 or older. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, contact us and we will delete the account.
9. Changes to this policy
We may update this policy. Material changes will be announced on the Site at least 30 days before they take effect.
10. Contact
Privacy questions: [email protected].