Privacy Policy

1. Who we are (Data Controller)

KiqIQ ("KiqIQ", "we", "us", "our") is the data controller responsible for personal data processed via kiqiq.com. For all data protection matters, contact privacy@kiqiq.com.

For UK and EU users, KiqIQ has appointed an internal data protection point of contact reachable at the same address. KiqIQ is not currently required to appoint a formal Data Protection Officer (DPO) under GDPR Article 37, but voluntarily provides the same contact channel for all data subject rights requests.

2. Personal data we collect

2.1 Information you provide directly

• Account data — name, email, password (hashed by Clerk), optional profile information you choose to add
• Phone number — required for signup verification (one phone number = one free account, anti-fraud measure)
• Payment data — card number, billing address, country (collected and tokenised by Stripe; we never see raw card numbers)
• Communications — emails or messages you send to support, feedback you submit through the platform
• Bet tracker data — if you choose to log bets, the bet details (sport, market, stake, odds, outcome) are stored in your account
• AI prompts — questions you ask the KiqIQ AI assistant are processed to generate responses and may be stored against your account for chat history (paid plans)

2.2 Information collected automatically

• Usage data — pages visited, features used, time spent, click paths, referrer URL, device type, browser, screen size
• IP address — used for security, fraud prevention, and jurisdictional compliance (geo-IP gating where required by law)
• Cookies and similar technologies — see our Cookie Policy for the full breakdown
• Device fingerprint — anonymised device characteristics used by PostHog for analytics and abuse detection

2.3 Information from third parties

• Authentication providers — if you sign in via Google, Apple, or another social provider, we receive the basic profile information you authorise (typically name, email, profile picture)
• Payment processor — Stripe shares transaction outcomes, partial card data (last 4 digits, brand), and risk signals with us

2.4 Special category / sensitive data

KiqIQ does not knowingly collect special category data as defined under GDPR Article 9 (e.g. health, biometric, religious, political data). We do not collect data from anyone under 18 — see Section 12.

3. How we use your data and lawful bases

For users in the UK / EU / EEA, the following GDPR lawful bases apply:

4. Who we share your data with

We share data only with the processors listed at kiqiq.com/subprocessors. Each processor is bound by a Data Processing Agreement (DPA) with appropriate technical and organisational measures. Categories:

• Authentication — Clerk (USA, with EU data residency available)
• Database & backend — Supabase (EU region for EU users)
• Payments — Stripe (USA / Ireland; PCI-DSS Level 1 certified)
• Hosting — Vercel (USA / global edge network)
• Product analytics — PostHog (USA / EU available)
• AI processing — OpenAI (USA; prompts processed to generate responses, not used for model training under our zero-retention API setup)
• Error monitoring — Sentry (USA / EU available)
• Email delivery — provider TBD (will be added to subprocessor list when selected)
• Legal & compliance — auditors, lawyers, tax advisers under professional confidentiality
• Authorities — if required by valid legal process (court order, subpoena, regulator request)

We do not sell your personal data. Under California CCPA/CPRA we do not sell or share data for cross-context behavioural advertising. Under EU GDPR we do not transfer data to advertisers, brokers, or any third party for marketing purposes.

5. International transfers

Some processors are based outside the UK / EEA (notably in the USA). Where data is transferred outside your home jurisdiction, we rely on:

• EU-US Data Privacy Framework — for processors certified under the framework
• Standard Contractual Clauses (SCCs) — EU Commission-approved 2021 clauses
• UK International Data Transfer Addendum (IDTA) — for UK transfers
• Adequacy decisions — where the destination jurisdiction has an adequacy ruling

For EU users, our database (Supabase) is configured to store data in an EU region. Authentication metadata may be processed in Clerk's US infrastructure subject to the safeguards above.

6. Data retention

7. Your rights

7.1 GDPR (UK / EU / EEA users)

• Right to access the personal data we hold about you (Article 15)
• Right to rectification of inaccurate data (Article 16)
• Right to erasure / right to be forgotten (Article 17)
• Right to restrict processing (Article 18)
• Right to data portability in a machine-readable format (Article 20)
• Right to object to processing based on legitimate interests or for direct marketing (Article 21)
• Right to withdraw consent at any time without affecting prior lawful processing
• Right to complain to a supervisory authority — UK ICO (ico.org.uk), Irish DPC, or your local DPA

7.2 CCPA / CPRA (California residents)

• Right to know what personal information we collect, use, share, and sell
• Right to delete personal information we have collected
• Right to correct inaccurate personal information
• Right to opt out of sale or sharing — KiqIQ does not sell or share personal information for cross-context behavioural advertising, so this right is satisfied by default
• Right to limit use of sensitive personal information — KiqIQ does not use sensitive PI for purposes beyond providing the service
• Right to non-discrimination — exercising rights does not result in degraded service or higher prices

7.3 LGPD (Brazil)

Brazilian users have rights under the Lei Geral de Proteção de Dados (LGPD) including access, rectification, anonymisation, deletion, portability, and information about sharing with third parties. Contact privacy@kiqiq.com to exercise.

7.4 PIPEDA (Canada)

Canadian users have rights under the Personal Information Protection and Electronic Documents Act including access, correction, and the ability to challenge our compliance with the federal Privacy Commissioner.

7.5 Australian Privacy Act / Privacy Principles (APPs)

Australian users have rights to access and correct their personal information and to complain to the Office of the Australian Information Commissioner (OAIC) if dissatisfied with our handling.

7.6 POPIA (South Africa), PDPA (Singapore), APPI (Japan), and others

KiqIQ recognises analogous rights under the Protection of Personal Information Act (South Africa), Personal Data Protection Act (Singapore), Act on the Protection of Personal Information (Japan), and comparable laws worldwide. Contact us with any data subject rights request and we will respond within the applicable statutory timeframe (typically 30 days).

7.7 How to exercise your rights

Email privacy@kiqiq.com with your request. We may ask you to verify your identity to prevent unauthorised access. We respond within 30 days (extendable by a further 60 days for complex requests, with notice).

8. Security

We use industry-standard technical and organisational measures to protect your data:

• HTTPS / TLS 1.2+ for all data in transit
• Encryption at rest for database storage (AES-256 via Supabase / Stripe / Clerk)
• Password hashing via Clerk (bcrypt or equivalent)
• PCI-DSS Level 1 compliance via Stripe (we never store card numbers)
• Access controls: principle of least privilege, role-based access
• Regular security reviews of dependencies and infrastructure
• Sentry-based error monitoring with PII filtering

9. Cookies and tracking

See our dedicated Cookie Policy for the full breakdown of cookies, similar technologies, and how to manage preferences. EU users see a consent banner on first visit; non-essential cookies are not set without explicit opt-in.

10. Automated decision-making and profiling

KiqIQ does not make automated decisions with legal or similarly significant effects on you under GDPR Article 22. The AI assistant generates probabilistic football analysis but does not make decisions about your account, eligibility, or financial standing.

11. Marketing communications

We send marketing emails only with your explicit consent (opt-in). Every marketing email includes a one-click unsubscribe link. Transactional emails (receipts, account notices, password resets) are sent regardless of marketing consent because they relate to the service contract.

12. Children's privacy

KiqIQ is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. Our content covers football betting analysis which is not appropriate for minors. If you believe a minor has provided us personal data, contact privacy@kiqiq.com and we will delete it immediately.

For US users, KiqIQ is not directed at children under 13 and complies with COPPA. We do not knowingly collect data from anyone under 13.

13. Geographic restrictions

Some KiqIQ features (notably the value bet feed and odds aggregation) may be unavailable in jurisdictions that require licensing for such services. Geo-IP gating is implemented at the middleware layer; restricted users see a notice and are not served the regulated feature. See kiqiq.com/licensing-jurisdictions for the current jurisdiction list.

14. Changes to this Policy

We may update this Privacy Policy as our services evolve or as required by law. Material changes will be notified to registered users by email at least 14 days before taking effect. The "last updated" date and version number above always reflect the current version.

15. Contact

• Privacy queries: privacy@kiqiq.com
• General support: hello@kiqiq.com
• UK ICO complaints: ico.org.uk/make-a-complaint
• EU DPAs directory: edpb.europa.eu