Privacy Policy

Last updated: May 2026

1. Data controller

Bug Hutch Ltd is the data controller for personal data processed through Horse Racing Trader. Registered in England and Wales, company number [BUG_HUTCH_COMPANY_NUMBER]. Registered office: [BUG_HUTCH_REGISTERED_OFFICE]. Contact: privacy@horseracingtrader.com

2. Data we collect

We collect the following categories of personal data:

Account data: email address, full name, hashed password (via Supabase Auth)
Profile data: subscription status, user preferences and settings
Trade data: trades placed via the Service, market data at time of trade, session timing
Trading DNA data: derived patterns and performance metrics generated from your trade history
Technical data: IP address, browser type, device type, timestamps
Billing data: subscription status and history (payment card details are handled entirely by Stripe — we never store card numbers)
Cookie data: session cookies and your consent preference (see Section 10)

3. Data we do NOT collect

Betfair login credentials — Betfair's OAuth system handles authentication; your Betfair password never touches our systems
Payment card details — handled entirely by Stripe
Browsing history outside Horse Racing Trader
Precise location data (only IP-derived country for geo-compliance)

4. Lawful basis for processing

Contract: providing the Service requires processing your account, subscription, and trade data
Legitimate interests: improving the Service, fraud prevention, security monitoring
Consent: marketing communications (opt-in only); analytics cookies
Legal obligation: financial records, fraud reporting where required by law

5. How we use your data

Authenticating your account and maintaining your session
Providing the trading interface, AI engines, and analytics
Generating Trading DNA and Session Reviews from your trade history
Processing your subscription and billing via Stripe
Sending transactional emails (account confirmation, password reset, billing notices)
Sending marketing emails — only if you have given explicit consent; opt out any time
Fraud prevention, security monitoring, and abuse detection
Service improvement using aggregated and anonymised data

6. Data sharing and processors

We share data only with third-party processors required to provide the Service:

Stripe: payment processing — GDPR-compliant data processor
Anthropic: AI processing via Claude API — market data and de-identified user actions are sent for AI engine outputs. No personally identifiable information is included in AI prompts.
Supabase: database and authentication — UK/EU data centres
Vercel: hosting and edge delivery — EU/UK regions
Email delivery provider: transactional and marketing emails

We do not sell, rent, or share your data with advertisers, data brokers, or any third party not listed above.

7. International data transfers

We store data in EU/UK regions wherever possible. Anthropic operates Claude API infrastructure in the United States. Data transfers to the US are covered by appropriate Standard Contractual Clauses (SCCs) or equivalent legal mechanisms under UK GDPR.

8. Data retention

Account data: retained while your subscription is active, plus 12 months after cancellation
Trade data and Trading DNA: retained for 24 months for performance continuity, then anonymised
Marketing consent records: retained until consent is withdrawn
Financial and billing records: retained for 7 years per UK statutory requirements
Security and access logs: retained for 90 days

9. Your rights under UK GDPR

You have the right to:

Access your personal data (subject access request)
Correct inaccurate or incomplete data
Erasure ("right to be forgotten") — subject to legal retention obligations
Restrict processing of your data
Data portability — download your data in a machine-readable format
Object to processing based on legitimate interests
Withdraw consent for marketing at any time
Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk

To exercise your rights, email privacy@horseracingtrader.com. We respond within 30 days.

10. Cookies

We use essential cookies (required for authentication and cannot be disabled) and optional analytics cookies (require your consent via the cookie banner). We do not use advertising or tracking cookies. See the Cookie Policy for full details.

11. Security

All data transmitted over HTTPS/TLS
Passwords hashed via Supabase Auth (industry-standard hashing)
Database access restricted via Row Level Security
Service role keys never exposed client-side
Betfair credentials handled exclusively by Betfair OAuth — never stored by us

In the event of a personal data breach affecting your rights, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR Article 33.

12. Children

The Service is for users aged 18 and over only. We do not knowingly collect personal data from anyone under 18. If we discover such data has been collected, we will delete it immediately.

13. Changes to this policy

We may update this Privacy Policy. Material changes will be communicated by email with at least 30 days' notice. The current version is always available at horseracingtrader.com/privacy.

14. Contact

Privacy queries and data requests: privacy@horseracingtrader.com

UK Information Commissioner's Office: ico.org.uk