Security

How we protect your account, your data, and — critically — your Betfair connection.

Your Betfair credentials are never stored by us

Horse Racing Trader connects to Betfair Exchange using Betfair's own OAuth authentication system. When you authorise the connection, Betfair issues an API session token directly to Horse Racing Trader. Your Betfair username and password are entered only on Betfair's own login page — they never pass through Horse Racing Trader infrastructure.

We store only the Betfair session token, not your credentials.
Session tokens are stored server-side in Supabase with Row Level Security — they are never exposed client-side.
You can revoke Horse Racing Trader's Betfair access at any time from your Betfair account settings (My Account → API Access).

Account security

Passwords are hashed by Supabase Auth using industry-standard algorithms. We never store plain-text passwords.
All data transmitted between your browser and our servers is encrypted over HTTPS/TLS.
Database access is restricted via Supabase Row Level Security — users can only access their own data.
Service role database keys are never exposed client-side or in public code repositories.
We recommend enabling two-factor authentication (2FA) on your Betfair account independently of Horse Racing Trader.

Payment security

Payment processing is handled entirely by Stripe. Horse Racing Trader never stores, transmits, or has access to your payment card number, CVC, or full card details. Stripe is PCI-DSS Level 1 certified — the highest standard for payment security.

Infrastructure security

Application hosted on Vercel with automatic HTTPS, DDoS protection, and edge security.
Database hosted on Supabase with UK/EU infrastructure, automated backups, and encryption at rest.
AI processing via Anthropic Claude API — only de-identified market data is sent; no personal account data is included in AI prompts.
Security and access logs retained for 90 days for incident investigation.

Data breach notification

In the event of a personal data breach affecting your rights, we will notify you and the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware, as required by UK GDPR Article 33.

Responsible disclosure

If you discover a security vulnerability in Horse Racing Trader, please report it responsibly before public disclosure. Contact us at security@horseracingtrader.com. We aim to acknowledge security reports within 48 hours and provide a timeline for resolution.

Please do not access, modify, or exfiltrate any data beyond what is necessary to demonstrate the vulnerability.