1. Data Controller
BonusBrain Ltd ("we", "us", "our") is the data controller for the personal data collected through the BonusBrain service. You can contact us at privacy@bonusbrain.ai.
2. What Data We Collect
We collect the following personal data:
- Account data: email address, username, and password (hashed).
- Profile data: experience level and challenge preferences.
- Usage data: challenge progress, bookmaker account status, bet calculations, and AI conversation history.
- Affiliate tracking data: clicks on affiliate links, including a hashed IP address and user agent for fraud prevention.
- Technical data: browser type, device information, and authentication cookies.
3. How We Use Your Data
We use your data to:
- Provide and personalise the BonusBrain service, including AI guidance tailored to your experience level and progress.
- Track your challenge progress and calculate profits.
- Process affiliate referrals and attribute conversions to your account.
- Improve the quality of our AI models using anonymised conversation data.
- Send you service-related communications (e.g. challenge reminders, offer updates).
- Prevent fraud and ensure the security of our service.
4. Legal Basis for Processing
We process your data under the following legal bases (GDPR Article 6):
- Contract: processing necessary to provide the Service you signed up for.
- Legitimate interest: improving our AI models, fraud prevention, and affiliate attribution.
- Consent: analytics cookies (where applicable).
5. Third Parties We Share Data With
We share data with the following categories of third parties:
- Supabase Inc. — database hosting and authentication (EU region, Frankfurt).
- Anthropic — AI model provider. Conversation data is sent to Anthropic's API to generate responses. See Anthropic's Privacy Policy.
- Affiliate networks — we share a pseudonymous SubID (not your email) with affiliate networks to track conversions and earn commission.
- Hetzner Online GmbH — server hosting (Germany).
We do not sell your personal data to third parties.
6. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes (e.g. affiliate commission records may be retained for up to 7 years for tax compliance).
7. Your Rights (GDPR)
Under the UK GDPR, you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Portability: request your data in a machine-readable format.
- Restriction: request that we limit processing of your data.
- Object: object to processing based on legitimate interest.
To exercise any of these rights, email us at privacy@bonusbrain.ai. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
We use the following cookies:
| Cookie | Purpose | Type |
|---|
| sb-*-auth-token | Supabase authentication session | Strictly necessary |
| bb_cookie_consent | Stores your cookie preferences | Strictly necessary |
Strictly necessary cookies do not require consent. If we introduce analytics cookies in the future, we will ask for your consent before setting them.
9. Data Location
Your data is stored within the European Union:
- Application server: Hetzner, Germany.
- Database: Supabase, EU West (Frankfurt).
AI conversation data is processed by Anthropic (USA). This transfer is covered by Standard Contractual Clauses (SCCs) under GDPR Article 46.
10. Children
BonusBrain is not intended for anyone under the age of 18. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service.