PRIVACY POLICY

Punt Monkey (“we”, “us”, “our”) is operated by Vervet Ventures Ltd., contactable at support@puntmonkey.co.uk. We are the data controller for the personal data we hold about you and process it in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the UK Information Commissioner’s Office (ICO) under registration number ZC173567.

We collect the following categories of personal data:

• Account data: email address, display name (optional), and the unique ID assigned by our authentication provider.
• Authentication data: when you sign in with Google, we receive your Google account email and a unique identifier from Google. We never see your Google password.
• Choice records: any horse, race, stake, odds, bookmaker, and result that you choose to record in the app. This is your data. We do not place bets on your behalf.
• Subscription data: if you take a paid plan, our payment processor (Stripe) provides us with billing status, plan tier, and partial card details (last four digits, brand). We never store full card numbers; Stripe handles all card data on PCI-DSS certified infrastructure.
• Device data: if you install the mobile app, we store an Expo push notification token tied to your account so we can deliver alerts you have requested.
• Technical data: IP address, browser type, operating system, and pages visited. Collected via standard server logs and our hosting provider (Vercel).

• Performance of contract: to provide the predictions service, store your choice records, and process subscription payments.
• Legitimate interests: to operate, secure, and improve the service, and to detect abuse.
• Consent: to send marketing emails or push notifications. You can withdraw consent at any time.
• Legal obligation: to retain records where required by tax, accounting, or fraud-prevention law.

We share personal data only with the following processors:

• Supabase (database and authentication, EU region): stores your account, choice records, and session tokens.
• Vercel (web hosting): serves the website and logs access requests.
• Google: only if you choose to sign in with Google.
• Stripe: only if you take a paid plan; handles all payment processing.
• Backblaze B2 (EU region): encrypted backups of our database.

We do not sell your personal data, and we do not share it with bookmakers, advertisers, or data brokers.

When you tap a “BET” link in the app, you are sent to a bookmaker website. Some of these links contain affiliate identifiers that may earn us a commission if you place a bet. The bookmaker is a separate data controller from the moment you arrive on their site. Their privacy policy applies, not ours. We do not pass your personal data to bookmakers; they only see standard browser referral information.

Our infrastructure is hosted in the European Union (Supabase EU-West-1, Backblaze EU-Central-003). Some processors (Google, Stripe, Vercel) may transfer data to the United States; in those cases we rely on Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable.

• Account data: until you delete your account, plus up to 30 days for backup expiry.
• Choice records: until you delete the record or your account.
• Payment records: 7 years (UK accounting requirement).
• Server logs: 30 days.

Under UK GDPR you have the right to:

• access a copy of your data;
• correct inaccurate data;
• delete your data (right to erasure);
• object to or restrict our processing;
• port your data to another service;
• withdraw consent for marketing at any time.

To exercise any of these rights, email support@puntmonkey.co.uk. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

We use only first-party cookies that are strictly necessary to keep you signed in (Supabase auth session cookies). We do not use advertising cookies, tracking pixels, or third-party analytics that identify you personally.

Punt Monkey is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you become aware that a minor has provided us with personal data, contact us and we will delete it.

We may update this policy from time to time. We will post the new version on this page with a revised “Last updated” date, and notify account holders by email if the changes are material.

Questions about this policy or your personal data? Contact support@puntmonkey.co.uk.