Privacy Policy

Effective 2026-04-21.

1. Summary

We collect the minimum we need to run the product: account information when you sign up, your game history when the extension syncs it, and standard server logs. We don't sell your data. The AI providers we route predictions through do see your prompts and the bet history included with them; that is the tradeoff for offering multiple AI providers.

2. What we collect

  • Account data: email, optional name, subscription tier, role (for staff).
  • Stake user identifier: a token Stake issues to identify your Stake account. The extension reads it from Stake's own authenticated API responses so we can tag your bet history per user. We never receive your Stake password.
  • Bet history: game type, bet amount, payout, outcome, timestamp — what the extension intercepts from Stake's public game APIs. Stored per Stake user in api.sl_game_history on our Supabase project.
  • AI prompts & responses: the text the Predictor or Chat sends to AI providers, plus the response. We do not train models on your data.
  • Server logs: IP address, user agent, request path, timestamp, response code — retained 30 days for security and debugging.
  • Audit log: staff admin actions (login, password change, session revocation) with actor, IP, timestamp. Retained indefinitely for SOC 2 / compliance.

3. Third parties who see parts of your data

  • Supabase (database + auth) — stores everything above, in the AWS us-west-2 (Oregon) region.
  • Vercel (hosting) — terminates TLS, serves the web platform, processes server logs.
  • Anthropic, OpenAI, OpenRouter, DeepSeek, Groq — receive the prompt text and relevant bet history when you use AI features. Each provider's own retention policy applies; see their privacy pages.
  • Stripe (when payments are enabled) — processes your card and subscription lifecycle. We do not store card numbers.

4. What we don't do

  • Sell your data to third parties.
  • Train AI models on your prompts or bet history.
  • Share your Stake user ID with anyone besides our own infrastructure and the AI providers you invoke.
  • Run third-party analytics beyond Vercel's first-party Web Analytics.

5. Security

Encryption in transit: TLS 1.3. Encryption at rest: AES-256 (managed by Supabase and Vercel). Admin credentials are stored as bcrypt hashes, each with its own random salt. The session token is an HS256-signed JWT (signed with a server-side secret) carried in a cookie set with the HttpOnly, Secure and SameSite=Lax attributes. Admin actions are rate-limited, five failed password attempts trigger a 15-minute lockout, and every admin action is recorded in an append-only audit log where each entry carries the SHA-256 hash of the entry before it, so editing or removing an earlier entry breaks the chain and is detectable.

6. Your rights

Depending on where you live (GDPR, CCPA, similar regimes) you may have the right to access, export, correct, or delete your personal data. Write to privacy@strathub.ai with your request. We aim to respond within 30 days.

7. Cookies

We use a minimum set of cookies: authentication session cookie, CSRF token cookie, and Vercel's first-party performance cookie. No advertising cookies, no cross-site tracking.

8. Data retention

Account data: for the life of your account, plus 90 days after deletion. Bet history: until you delete your account. AI prompts: not stored long-term by us; subject to each provider's retention. Server logs: 30 days. Audit logs: indefinitely.

9. Children

StratHub is not for anyone under the legal gambling age in their jurisdiction (at minimum 18, often 21). We don't knowingly collect data from minors.

10. Changes

We'll announce material changes on the site 7 days before they take effect. Continued use after the effective date means you accept the update.

11. Contact