Privacy Policy
Effective 2026-04-07
Draft pending legal review. This policy describes our current practices but has not yet been reviewed by a Finnish lawyer.
1. Who is the data controller
The data controller for personal data processed through Elyria Signal is {{TOIMINIMI_NAME}} (Y-tunnus {{Y_TUNNUS}}), registered at {{REGISTERED_ADDRESS}}. For any data-protection question, contact {{SUPPORT_EMAIL}}.
2. What we collect
Account data
- Email address (used as your login identifier)
- Hashed password (hashed with bcrypt; we never store your password in plaintext)
- Account creation timestamp, email-verification status
- Timestamps recording your acceptance of these terms
Usage data
- Bets you choose to log in your personal bet history
- Audit log entries for account security and abuse prevention (for example login, password change, and account deletion)
- Server access logs (IP address, request path, user-agent — kept for up to 30 days for security and abuse prevention)
What we do not collect
- Your bookmaker credentials. We never ask for or store passwords for any third-party bookmaker. Bet placement on third-party bookmakers happens entirely outside the Service and is done by you.
- Your bank or card details (no payment processing yet).
- Tracking cookies or third-party analytics scripts.
3. Why we process this data (legal basis)
- Contract (GDPR Art. 6(1)(b)): creating and maintaining your account, delivering arbitrage signals you have subscribed to, and providing customer support.
- Legitimate interest (Art. 6(1)(f)): security monitoring, abuse prevention, and basic service-health logging.
- Legal obligation (Art. 6(1)(c)): bookkeeping records required by Finnish accounting law.
- Consent (Art. 6(1)(a)): any future analytics cookies are loaded only after you have explicitly consented through the cookie banner.
4. How long we keep it
- Account data: until you delete your account. When you delete your account, we remove the account record itself together with your subscription and personal bet history.
- Personal bet log entries: until you delete them or delete your account, whichever happens first.
- Pricing discrepancy information: retained only for as long as the underlying opportunity is live. Once an opportunity expires, the information is removed from our active database. We do not maintain a historical archive of expired opportunities or odds snapshots.
- Audit logs: up to 24 months from creation, then deleted. Where an account is deleted, those logs are stripped of direct account identifiers before retention continues.
- Server access logs: up to 30 days.
- Bookkeeping records (invoices, payment history): retained for the period required by Finnish accounting law (currently 6 years).
5. Who we share it with (sub-processors)
We use the following service providers to operate the Service. Each is bound by GDPR-compliant data processing agreements:
- Hetzner Online GmbH (Germany / Finland) — server hosting and database storage.
- Vercel Inc. (USA / EU) — frontend hosting and CDN.
- Our transactional email provider — account verification and password-reset delivery.
We do not sell, rent, or trade your personal data with third parties for marketing purposes. Ever.
6. Where it is stored
Account data and bet history are stored on Hetzner servers located in Helsinki, Finland (within the EU/EEA). Frontend assets are served via Vercel’s global CDN.
7. Your rights (GDPR)
Under EU data-protection law you have the right to:
- Access a copy of the personal data we hold about you
- Rectify data that is inaccurate or incomplete
- Erase your data (“right to be forgotten”)
- Restrict or object to certain processing
- Data portability — receive your data in a machine-readable format
- Withdraw consent at any time, where processing is based on consent
You can exercise most of these rights directly from your account settings page, which covers account deletion and password management. For access, export, rectification, or any other request, email {{SUPPORT_EMAIL}} and we will respond within 30 days.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at tietosuoja.fi.
8. Cookies
We use a small number of strictly necessary cookies for authentication, session handling, and account security. These do not require consent under EU ePrivacy rules. We also store a local browser preference so the cookie banner does not reappear on every visit. We do not currently run analytics or advertising cookies. If we ever do, the cookie banner will ask for your explicit consent first.
9. Security
We protect your data with TLS in transit, bcrypt password hashing, HttpOnly authentication cookies, per-IP rate limiting, Content Security Policy, HSTS on HTTPS, X-Frame-Options, Referrer-Policy, and standard server hardening. No system is perfectly secure — if you suspect a security issue, please email {{SUPPORT_EMAIL}}.
10. Changes to this policy
We may update this policy from time to time. The effective date at the top reflects the most recent revision. Material changes will be announced by email and an in-app notice.
11. Contact
Privacy questions? Email {{SUPPORT_EMAIL}}.