Privacy & Data Policy

How we collect, use, and protect your personal data

Last updated: February 2026

1. Introduction

StatisBet ("we", "our" or "platform") values the privacy and protection of our users' personal data. This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use our sports statistical analysis platform.

This policy was drafted in compliance with Brazil's General Data Protection Law (LGPD - Law No. 13,709/2018), the European Union's General Data Protection Regulation (GDPR - Regulation EU 2016/679), Brazil's Internet Civil Framework (Law No. 12,965/2014), and other applicable data protection legislation.

By using StatisBet, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.

2. Data Controller

The controller responsible for processing your personal data is:

StatisBet - Sports Statistical Analysis Platform

Email: [email protected]

3. Data We Collect

We collect different categories of personal data, always limited to the minimum necessary for the purposes described in this policy (principle of data minimization):

3.1 Registration Data

  • Full name and email address provided during registration
  • Password (stored as a bcrypt/argon2 hash, never in plain text)
  • Language preferences and profile settings

3.2 Platform Usage Data

  • Strategies and radars you create
  • League, market, and alert configuration preferences
  • Browsing history within the platform (pages visited, features used)
  • Interactions with predictions, Value Bets, and Research Lab

3.3 Payment Data

Payments are processed by PCI-DSS certified gateways (Pagar.me and PayPal). StatisBet does NOT store, process, or have access to:

  • Full credit/debit card numbers
  • CVV/CVC codes
  • Complete payment method data

3.4 Technical Data

  • IP address (anonymized after 30 days)
  • Browser type, operating system, and device
  • Approximate geolocation data (country/region, derived from IP)
  • Access logs (as required by Brazil's Internet Civil Framework, Art. 15)

4. Legal Basis for Processing

We process your personal data based on the following legal grounds provided for in Art. 7 of the LGPD and Art. 6 of the GDPR:

  • Consent (Art. 7(I), LGPD / Art. 6(1)(a), GDPR): for sending marketing communications, newsletters, and optional notifications
  • Performance of contract (Art. 7(V), LGPD / Art. 6(1)(b), GDPR): to provide platform services, process subscriptions, and manage your account
  • Legitimate interest (Art. 7(IX), LGPD / Art. 6(1)(f), GDPR): to improve our services, prevent fraud, ensure security, and perform aggregate usage analysis
  • Legal obligation (Art. 7(II), LGPD / Art. 6(1)(c), GDPR): for maintaining access logs (Internet Civil Framework), tax obligations, and compliance with court orders

You may request detailed information about the legal basis used for each specific processing activity by contacting our Data Protection Officer.

5. Purpose of Processing

Your personal data is processed exclusively for the following purposes:

  • Creation, authentication, and management of your user account
  • Provision of contracted services (predictions, radars, alerts, Research Lab)
  • Processing of subscriptions and financial transactions via Pagar.me and PayPal
  • Sending transactional notifications (confirmations, security alerts, service updates)
  • Sending marketing communications (only with express consent, with opt-out option in each email)
  • Continuous platform improvement and bug fixing through aggregate and anonymized usage data analysis
  • Fraud and abuse prevention and platform security assurance

6. Data Sharing

StatisBet NEVER sells, rents, or trades your personal data to third parties for marketing or any other purpose.

Your data may only be shared with:

  • Pagar.me (domestic payment processing — Pix and credit card) and PayPal, Inc. (international payments) — both PCI-DSS certified
  • Cloud infrastructure providers (data hosting and storage) — with active Data Processing Agreements (DPA) in place
  • Transactional email services (sending notifications and account confirmations)
  • Competent authorities, when required by law, court order, or to protect StatisBet's legitimate rights

All third parties with access to personal data are contractually required to respect data confidentiality and security, and may only process data according to our instructions and for the specific contracted purposes.

7. International Data Transfers

Your data may be transferred to and processed on servers located outside of Brazil, including in the United States and the European Union. In such cases, we adopt the following safeguards in accordance with Art. 33 of the LGPD and Chapter V of the GDPR:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Verification of adequate protection levels in the destination country
  • Specific Data Processing Agreements (DPA) with each provider
  • Adherence to recognized frameworks such as the EU-US Data Privacy Framework, where applicable

8. Data Retention

Your personal data is retained for the time necessary to fulfill the purposes for which it was collected:

  • Active account data: while your account remains active and up to 30 days after deletion (to allow recovery)
  • Access logs: 6 months, as required by Art. 15 of Brazil's Internet Civil Framework
  • Financial and tax data: up to 5 years after the transaction, per Brazilian tax legislation
  • Anonymized and aggregated data: may be retained indefinitely, as it does not constitute personal data under the LGPD/GDPR

9. Your Rights

As a data subject, you have the following rights guaranteed by the LGPD (Art. 18) and the GDPR (Arts. 15 to 22):

  • Confirmation and access: know whether we process your data and obtain a copy
  • Correction: request updates to incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion: of unnecessary, excessive, or non-compliantly processed data
  • Portability: receive your data in a structured and interoperable format
  • Deletion: request erasure of data processed based on consent
  • Information about sharing: know which entities your data has been shared with
  • Withdrawal of consent: revoke your consent at any time, without affecting the lawfulness of prior processing
  • Objection: object to processing based on legitimate interest, if you believe your fundamental rights prevail

To exercise any of these rights, send a request to [email protected]. We will respond within 15 days, as required by the LGPD.

You also have the right to file a complaint with Brazil's National Data Protection Authority (ANPD) or the competent supervisory authority in your country.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, destruction, loss, alteration, or any form of improper processing:

  • Encryption in transit (TLS 1.3) and at rest (AES-256) for all sensitive data
  • Passwords stored with secure hashing (bcrypt/argon2) — never in plain text
  • Role-based access control (RBAC) with the principle of least privilege
  • Continuous security monitoring, audit logs, and intrusion detection
  • Encrypted backups with periodic recovery testing

In the event of a security incident that may pose a risk or significant harm to data subjects, we will notify the ANPD and affected individuals within a reasonable timeframe, in accordance with Art. 48 of the LGPD.

11. Cookies and Similar Technologies

We use cookies and similar technologies to improve your platform experience:

Essential Cookies

Required for platform functionality (authentication, session, security). These cannot be disabled as they are indispensable for service delivery.

Analytics Cookies

Used to understand how users interact with the platform, enabling continuous improvements. Data is collected in aggregate and anonymized form.

Preference Cookies

Store your preferences (language, theme, display settings) to personalize your experience.

You can manage your cookie preferences through your browser settings. Note that disabling essential cookies may impact platform functionality.

12. Minors

StatisBet is intended exclusively for individuals aged 18 and over.

We do not intentionally collect personal data from individuals under 18 years of age. If we become aware that data from a minor has been inadvertently collected, we will proceed with immediate deletion. If you believe a minor has used our platform, please contact us immediately.

13. Changes to This Policy

This Privacy Policy may be updated periodically to reflect changes in our practices, technologies, or legal requirements. Significant changes will be communicated through platform notifications and/or email.

The "last updated" date at the top of this page indicates when the most recent version took effect. We recommend that you review this policy periodically.

14. Contact and Data Protection Officer (DPO)

For questions regarding this Privacy Policy, the processing of your personal data, or to exercise your rights as a data subject, please contact:

Data Protection Officer (DPO): StatisBet Privacy Team

E-mail: [email protected]

We are committed to responding to all requests within 15 business days, as established by the LGPD. For requests under the GDPR, the deadline is up to 30 days.