Privacy Policy

OddysAI is the data controller for personal data processed through this service. For data protection enquiries contact our DPO at privacy@oddysai.example.

• Account data — email address, display name, country, age confirmation, password hash, OAuth identifiers (if you sign in with Google).
• Subscription data — plan tier, billing status, customer/subscription IDs from our payment processor. We do not store full card numbers.
• Usage data — analyses requested, matches viewed, bankroll settings, bets you choose to log, AI quota counters, timestamps, IP address (kept short-term for security).
• Affiliate data — referral code, referred sign-ups, click counts (IPs are hashed), commission balances.
• Technical data — browser type, device type, error logs, anonymised analytics events.

• Contract — to provide the service you signed up for, run AI analyses, and manage your subscription.
• Legitimate interest — to detect abuse, enforce rate limits, prevent fraud, and improve model quality.
• Legal obligation — to keep tax and accounting records, respond to lawful requests, and verify age where required.
• Consent — for non-essential cookies, optional product emails and marketing communications. You can withdraw consent at any time.

When you generate a match analysis, the match metadata (teams, league, kickoff, public odds, optional bankroll size) is sent to our AI provider for inference. We do not send your email, real name or payment details to the AI provider, and we instruct providers not to use the data to train their public models.

We use a small number of carefully selected processors:

• Cloud hosting and database (EU/US regions, encrypted at rest).
• AI inference provider for analysis generation.
• Payment processor for subscription billing.
• Email delivery for transactional messages.
• Sports data providers for fixtures and odds.

We never sell your personal data and never share it with advertisers.

Some processors are based outside the EEA/UK. Where this happens we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision to ensure your data receives equivalent protection.

• Account data — while your account is active, plus up to 24 months after deletion.
• Billing records — 7 years to comply with tax law.
• Analyses cache — up to 30 minutes per match.
• API usage logs — 12 months for rate-limit and abuse detection.
• Hashed IPs in affiliate clicks — 12 months.

If GDPR or UK GDPR applies to you, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request deletion ("right to be forgotten") subject to legal retention;
• restrict or object to certain processing;
• request a portable copy of your data in a machine-readable format;
• withdraw consent at any time where processing is based on consent;
• lodge a complaint with your local data-protection authority.

To exercise any right email privacy@oddysai.example. We respond within 30 days.

We use strictly necessary cookies for login and session management, and limited first-party analytics to understand how the product is used. We do not use third-party advertising cookies. You can control cookies through your browser settings.

We use TLS in transit, encryption at rest, hashed passwords, role-based database access and row-level security to protect your data. No system is perfectly secure; if we discover a breach affecting your data we will notify you and the relevant authorities as required by law.

OddysAI is for adults only. We do not knowingly process data of anyone under 18. If you believe a minor has created an account, contact us and we will delete it.

We will notify you of material changes by email or in-app notice. The date at the top of this page reflects the latest version.

Privacy questions: privacy@oddysai.example. General support: Contact page.