Privacy Policy
Last updated: 26 April 2026
1. Who we are
TheOddsTracker.com (“we”) operates an analytics platform for football signal analysis. This policy explains what data we collect, why, and how it is protected.
2. Data we collect
- Account data: email address, password (stored as a bcrypt hash; we never see the cleartext), display name, optional avatar, account creation date, last sign-in time.
- Subscription data: plan, status, period dates, public USDT wallet addresses you have paid from (visible on the Ethereum mainnet — we do not link them to off-chain identity).
- Notification preferences: which channels (push, email) you opt in or out of, and per-device push subscription endpoints (if you enable web push).
- Usage data: which signals you have viewed, request timestamps for rate limiting, and minimal browser metadata (user-agent for the device label in push settings).
- Operational logs: server logs of API requests for debugging, with IP address truncated where not needed for security investigations.
3. What we do not collect
- Card details or bank credentials. Payment is USDT-on-chain; we never see card data.
- Real-name identity, address, or government ID, unless legally required.
- Third-party tracking pixels or advertising cookies.
4. Why we hold this data
To run your account, deliver Signals, send notifications you have opted into, verify incoming USDT payments against your orders, prevent abuse, and comply with applicable law.
5. Third parties
We do not sell or rent personal data. We share the minimum necessary data with:
- API-Sports (api-sports.io) — fixture, odds, and result data we ingest. They never receive your data.
- Etherscan — for verifying inbound USDT transfers. They see only wallet addresses, which are already public on the blockchain.
- Push provider (your browser's push service, e.g. Apple, Google, Mozilla) — receives only the encrypted payload of notifications you have opted in to. We never share your subscription endpoint with anyone else.
6. Cookies
We use one strictly-necessary cookie: the NextAuth session cookie that keeps you signed in. We do not use analytics, advertising, or tracking cookies.
7. Retention
Account data is retained while your account is active. Settled signal records are retained indefinitely for the public performance ledger but contain no personal identifiers. Server logs roll over after 30 days unless retained for an active security investigation.
8. Your rights
Where the GDPR or UK GDPR applies, you have the right to access, correct, or delete your personal data, to object to processing, and to lodge a complaint with the ICO. To exercise any of these, email us and we will respond within 30 days.
9. Security
Passwords are hashed with bcrypt (cost factor 12). Sessions are signed JWTs over HTTPS. The platform sits behind a Caddy reverse proxy with auto-renewed Let's Encrypt certificates. We treat any compromise of credentials we store as a notifiable incident.
10. Contact
Questions about this policy: [email protected].