Privacy Policy

The data controller for the BetLink Service is Velocity Cy Ltd ({TODO(legal)}), a company registered in Cyprus. You can reach our privacy team at {TODO(legal): privacy@velocity.cy} or through the Report page in the site footer.

We process the following categories of personal data:

• Account data — email, display handle, avatar, phone number, hashed password, MFA factors, recovery codes.
• KYA data — declared traffic profile, target geographies, payment-method ownership confirmation, sanctions screening flags, IP and device fingerprint at sign-up.
• Traffic and conversion data — click logs, referrer, UTM parameters, geo-IP, postback events received from operators (registration, FTD, deposit, NGR), and the resulting commission attribution.
• Billing data — Stripe customer ID, subscription and product, invoice metadata, partial card brand and last four digits (Stripe holds the full PAN).
• Communications — email events, support tickets, feedback submissions, in-product chat messages, audit logs of admin actions on your account.
• Technical telemetry — error traces (Sentry), performance traces, request and rate-limit logs.

We rely on the following Article 6 GDPR bases:

• Performance of a contract (Art. 6(1)(b)) — to provide the Service, run KYA, attribute conversions, pay commissions, and operate billing.
• Legitimate interests (Art. 6(1)(f)) — to secure accounts, prevent fraud and abuse, run product analytics, and improve the Service. You may object at any time on grounds relating to your particular situation.
• Consent (Art. 6(1)(a)) — for non-essential cookies, marketing email, and any optional analytics. Consent can be withdrawn at any time.
• Legal obligation (Art. 6(1)(c)) — for book-keeping, tax, anti-money-laundering, sanctions screening, and lawful disclosure orders.

We use personal data to operate the Service, run KYA and sanctions checks, attribute affiliate conversions, pay commissions, send transactional and (with consent) marketing email, prevent fraud and abuse, comply with legal obligations, and provide customer support. We do not sell personal data and we do not use it for automated decision-making with legal or similarly significant effects without an explicit human-review fallback.

Account and KYA data are retained for the lifetime of the account plus six (6) years after closure to satisfy book-keeping, AML, and dispute-window obligations. Conversion logs are retained for the longer of (i) the operator’s reconciliation window, typically ninety (90) days, and (ii) two (2) years from the click event. Support tickets are retained for two (2) years from closure. Marketing-consent records are retained for the duration of the consent plus three (3) years. Pseudonymised analytics events are retained for up to twenty-four (24) months.

We share personal data with the following sub-processors, all governed by Article 28 GDPR data-processing agreements:

• Supabase — primary application database and authentication, hosted in the EU (Frankfurt).
• Vercel — application hosting and CDN, EU edge regions where available.
• Stripe Payments Europe Ltd. — payment processing and self-billing infrastructure, Ireland.
• Resend — transactional and operational email delivery, EU region.
• Anthropic and OpenAI — large-language-model inference for product features that you opt into; prompts are zero-retention where contractually available.
• Sentry — error and performance monitoring, EU region.
• Better Stack — uptime and log aggregation, EU region.

Where a sub-processor is located outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914) and, where relevant, the UK International Data Transfer Addendum. A current sub-processor list with location and SCC reference is available on request from {TODO(legal): privacy@velocity.cy}.

Subject to the conditions of Articles 15-22 GDPR, you have the right to: access your personal data; have inaccurate data rectified; request erasure (“right to be forgotten”); restrict processing; receive your data in a portable format; object to processing based on legitimate interests or direct marketing; and withdraw any consent you have given. You can exercise most of these rights directly from /account/settings or by writing to the privacy team. We will respond within one calendar month and may extend by two further months for complex requests, with notice.

We set strictly necessary cookies for authentication, CSRF protection, locale preference, and rate-limiting. Optional cookies (e.g. product analytics, attribution beacons used for UTM-capture) are loaded only after you opt in via the cookie banner. See the dedicated cookie notice for the full list, retention, and the “Cookie settings” control to update your choices.

BetLink is not directed at children. We do not knowingly process personal data of persons under eighteen (18). If you believe a minor has created an account, please use the Report page or write to the privacy team and we will close the account and delete the data without undue delay. See also our Youth Safety policy.

We use TLS in transit, AES-256 at rest, scoped Postgres row-level-security, MFA enforcement on privileged roles, secret rotation, audit logging, principle-of-least-privilege access, and a documented incident-response runbook. No system can be made fully secure; we will notify affected users and the competent supervisory authority within seventy-two (72) hours of becoming aware of a personal-data breach where required by Article 33 GDPR.

If you believe our processing infringes the GDPR, you may lodge a complaint with your local data-protection authority. The lead supervisory authority for BetLink is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, dataprotection.gov.cy. We would, however, appreciate the chance to address your concerns first.

We will post material changes to this policy in-product and notify registered users by email at least fifteen (15) days before the change takes effect. The current version and last-updated date are shown at the top of this page.