Privacy Policy
Last updated: 8 May 2026
1. What we collect
- Account data: email address (required for magic-link auth), optional name.
- Usage data: API requests (endpoint, timestamp, response code) — used for rate-limit enforcement and abuse detection. Not used for tracking or marketing.
- Billing data: processed by Lemon Squeezy, our Merchant of Record. We receive subscription status, plan, and customer-id; we never see card numbers.
- Webhook configuration: URLs and HMAC secrets you configure. We store these to deliver events.
2. What we don't collect
- No analytics scripts on app pages (Google Analytics, Hotjar, Mixpanel, etc. are not used).
- No tracking cookies. The only cookie is
atlas_session (server-side session) and cf_bm from Cloudflare (bot mitigation).
- No third-party advertising trackers.
3. Operator data
The Service crawls public operator pages and regulator registries. The data we expose to subscribers is about iGaming operators — not about end-users of those operators. We do not collect, process, or expose personal data of casino players.
4. Sub-processors
| Service | Purpose | Data shared |
|---|
| Lemon Squeezy | Payment processing | email, billing address |
| Resend | Transactional email (magic-link, billing notifications) | email |
| Cloudflare | CDN, DDoS protection | IP, request metadata |
| Self-hosted Postgres (Dubai, UAE) | Application data | all account data |
5. Data retention
- Account data: retained while subscription is active + 30 days after cancellation.
- Usage logs: retained 90 days for abuse detection, then aggregated.
- Magic-link tokens: 15 minutes (then deleted).
- Sessions: 90 days.
6. Your rights (GDPR / CCPA)
- Access: request a copy of your data.
- Correction: request edits to inaccurate data.
- Deletion: request account deletion (subject to legal retention requirements).
- Portability: data export available from
/app/billing on request.
- Objection: object to processing (will result in service termination).
Email team@dataglass.pro with the subject "GDPR request" for any of the above.
7. Security
- HTTPS everywhere (Let's Encrypt).
- API keys hashed (SHA-256), never stored in plaintext.
- Magic-link tokens hashed; expire after 15 minutes; one-time use.
- Database access restricted to application service account.
- Backups encrypted at rest.
8. International transfers
Application servers and database are located in the UAE (Dubai). By using the Service, you consent to transfer of your data to the UAE for processing. Sub-processors operate in the EU and US; standard contractual clauses apply where required.
9. Changes
Material changes notified via email at least 14 days before effective date.
10. Contact
team@dataglass.pro