This Privacy Policy explains how Statizio ("we", "us", "our") collects, uses, stores, and protects personal data when you use this website. It covers users from all jurisdictions and applies the requirements of the applicable privacy framework for your location.

1. Data We Collect

We collect the following categories of data:

  • Contact form data: Name, email address, subject, and message when you submit the contact form.
  • Account data (Phase 2): Username, encrypted email address, and password hash when you create an account.
  • Usage data: Pages visited, time spent, and interactions, collected via Google Analytics 4 with IP anonymisation enabled.
  • Cookie consent records: Your consent choice, timestamp, anonymised IP address, and country code stored for compliance audit purposes.
  • Session data: A session identifier stored in a first-party cookie to maintain your language preference and login state.
  • Technical data: IP address, browser type, and device type collected via server logs and analytics.

We do not collect payment card data. All payment processing is handled by Stripe, which stores card data on its own infrastructure under its own privacy policy.

2. How We Use Your Data

  • To respond to contact form enquiries
  • To manage your account and subscription if you register
  • To remember your language preference
  • To analyse site usage and improve the service via Google Analytics 4
  • To record cookie consent choices for legal compliance
  • To detect and prevent spam and abuse via rate limiting
  • To process subscription payments via Stripe

3. Third-Party Services

We use the following third-party services. Each has access only to the data necessary for its function:

  • Google Analytics 4: Usage analytics. IP anonymisation is enabled. Subject to Google's Privacy Policy.
  • Google AdSense: Display advertising for free users. Subject to Google's Privacy Policy.
  • OneSignal: Push notifications. Subject to OneSignal's Privacy Policy.
  • Tawk.to: Live chat widget. Subject to Tawk.to's Privacy Policy.
  • Anthropic Claude API: AI match analysis generation. Statistical data only is sent. No personal data is transmitted to this service.
  • Google Translate API: Dynamic content translation. Content strings only. No personal data is transmitted.
  • Stripe: Payment processing for premium subscriptions. Subject to Stripe's Privacy Policy.
  • Brevo: Transactional email delivery. Subject to Brevo's Privacy Policy.

4. Cookies

We use first-party cookies for session management, language preferences, and consent recording. Third-party cookies are set by Google Analytics, Google AdSense, and OneSignal when consent is given. Full details of every cookie we set are available on the Cookie Policy page.

You can manage your cookie preferences at any time by clicking the cookie settings link in the footer.

5. Data Retention

  • Contact form messages: retained for 2 years then deleted.
  • Account data: retained for the duration of the account. Deleted within 30 days of a verified deletion request.
  • Consent records: retained for 3 years for compliance audit purposes.
  • Server logs: retained for 90 days.
  • Analytics data: subject to Google Analytics data retention settings, default 14 months.

6. GDPR and UK GDPR (European Union and United Kingdom)

For users in the EU and UK, we process personal data under the following lawful bases:

  • Consent: For analytics cookies and marketing cookies.
  • Contract: For processing your account and subscription.
  • Legitimate interests: For security, fraud prevention, and site improvement.
  • Legal obligation: For retaining consent records and responding to legal requests.

You have the following rights under GDPR and UK GDPR:

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to lodge a complaint with your national supervisory authority

To exercise any of these rights, use the Data Rights page. We respond within 30 days.

7. CCPA and CPRA (California, USA)

California residents have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know what personal information is collected and how it is used
  • Right to delete personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to non-discrimination for exercising privacy rights

We do not sell personal information. To opt out of sharing for targeted advertising purposes, use the Do Not Sell or Share My Personal Information link. We respond to verified requests within 45 days.

8. LGPD (Brazil)

For users in Brazil, we process personal data under the Lei Geral de Proteção de Dados. You have the right to access, correct, delete, and port your personal data. You may request restriction of processing and object to processing based on legitimate interests. We respond to data subject requests within 15 days.

To exercise your rights, use the Data Rights page.

9. PIPEDA (Canada), POPIA (South Africa), NDPR (Nigeria)

Canada (PIPEDA): We collect only the personal information necessary for the stated purposes, obtain consent before collecting, and allow individuals to access and correct their information.

South Africa (POPIA): We process personal information lawfully and in a reasonable manner that does not infringe on your privacy. You have the right to access, correct, and delete your personal information.

Nigeria (NDPR): We comply with the Nigeria Data Protection Regulation. You have the right to access, correct, delete, and restrict processing of your personal data. Requests are responded to within 30 days.

10. Data Security

All data is transmitted over HTTPS. Email addresses stored in user accounts are encrypted using AES-256 encryption. Passwords are hashed using bcrypt. We apply technical and organisational measures appropriate to the risk level of the data we hold. We do not store payment card data.

11. Geo-Detection

This site uses IP-based geo-detection to apply the appropriate consent standard automatically. EU and UK users are shown a GDPR opt-in consent banner. California users are subject to the CCPA opt-out standard. All other users are shown a standard opt-in banner.

12. Contact and Data Requests

For privacy-related enquiries or to exercise any data subject right, use the Data Rights page or contact us via the Contact page.

For GDPR complaints, you may also contact your national data protection supervisory authority. For UK users, this is the Information Commissioner's Office at ico.org.uk.