PRIVACY POLICY

Oxiano ("the platform", "we", "our service") is a quantitative sports data analytics platform operated as an independent digital service. We are committed to protecting the privacy of our users in accordance with Regulation (EU) 2016/679 (GDPR) and all applicable data protection legislation.

This Privacy Policy describes in detail what personal data we collect, for what purposes we process it, with whom we share it, and what your rights are. By using the Oxiano platform, you confirm that you have read and understood this policy.

We collect exclusively the data strictly necessary for the operation of the service:

• ·Email address — used for creating and authenticating an optional account. Not used for marketing purposes without explicit consent.
• ·Encrypted password — stored exclusively as a bcrypt hash (one-way hashing algorithm). We have no access to passwords in plain text.
• ·Usage preferences — Combo Analyzer selections stored locally in the browser (localStorage), without transmission to our servers.
• ·Anonymous technical data — anonymised IP address, browser type, technical errors, collected via Sentry.io exclusively for technical diagnostics.

Important: Account creation is entirely optional. The platform is fully functional without authentication. We do not collect: real name, phone number, GPS location data, biometric data, or financial information.

We process personal data based on the following legal grounds:

• ·Performance of contract (Art. 6(1)(b) GDPR) — providing statistical analysis services, account management, and access to platform features.
• ·Legitimate interest (Art. 6(1)(f) GDPR) — platform security, fraud prevention, and service quality improvement through anonymous technical data.
• ·Consent (Art. 6(1)(a) GDPR) — optional email communications, withdrawable at any time.

We do not use your data for behavioural advertising, automated profiling with legal effects, or sale to third parties.

Personal data is stored securely through the following certified providers:

• ·Supabase Inc. (USA) — primary database, with servers in the European Union, SOC 2 Type II certified. International transfer conducted under Standard Contractual Clauses (SCCs).
• ·Render.com (USA) — processing server, SOC 2 certified. Data processed in transit, no permanent storage of personal data.

All transmissions are protected by TLS 1.2+ encryption. Data at rest is encrypted at the database level. Passwords are stored exclusively as bcrypt hashes with random salt.

We do not sell, rent, or commercialise your data. We share limited data exclusively with technical service providers necessary for operating the platform:

• ·Supabase — account data storage (supabase.com/privacy-policy)
• ·Sentry.io — technical error monitoring, anonymised data (sentry.io/privacy)
• ·Render.com — server infrastructure (render.com/privacy)
• ·Football-data.org / The Odds API — third-party sports data providers, do not receive personal data
• ·Gumroad Inc. (USA) — payment processor for Analyst and Pro subscriptions. Gumroad collects and processes payment data (bank card, billing address) directly, under its own privacy policy available at gumroad.com/privacy. Oxiano does not have access to your full card financial data.

All third-party providers are contractually bound to process data solely in accordance with our instructions and to implement appropriate security measures.

Under Regulation (EU) 2016/679, you have the following rights:

• ·Right of access (Art. 15) — to request a copy of the personal data we process about you.
• ·Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
• ·Right to erasure (Art. 17) — to request deletion of your data. Available directly from the app via "Delete account and all my data".
• ·Right to data portability (Art. 20) — to receive your data in structured JSON format.
• ·Right to object (Art. 21) — to object to processing based on legitimate interest.
• ·Right to restriction (Art. 18) — to restrict processing in certain circumstances.

To exercise any right, contact us at contact@oxiano.com. We respond within a maximum of 30 calendar days. You have the right to lodge a complaint with your competent national supervisory authority.

• ·Account data — stored for the duration of the account. Deleted in full within 30 days of an account deletion request.
• ·Anonymous technical data — maximum 90 days, in accordance with Sentry.io policies.
• ·localStorage data — stored locally on the user's device, under the user's exclusive control.

The Oxiano platform is intended exclusively for individuals aged 18 years or older. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it immediately. If you suspect that a minor has created an account, please contact us at contact@oxiano.com.

This Privacy Policy may be updated periodically to reflect legislative or operational changes. The current version is always available at oxiano.com/privacy. The date of the last update is indicated at the top of this document. Continued use of the platform after publication of changes constitutes implicit acceptance of the new version.

For any request related to the processing of personal data: