Privacy Policy

Last updated: 29 June 2026

This Privacy Policy explains how iGaming Tools handles personal data when you use i-gaming.tools. It is meant to be honest and specific, not a generic template. The "Last updated" date above is also the effective date of this policy.

Who we are and how to contact us

iGaming Tools is operated by an independent team. We are not a registered company, so we do not have a company name, number or registered office. Day-to-day responsibility for data protection rests with a designated Data Protection Contact, a responsible role within the team, reachable at [email protected]. You can use that address to ask questions about this policy or to exercise your rights.

The team, acting through the Data Protection Contact, is the data controller for the purposes of UK GDPR and the Data Protection Act 2018. The supervisory authority for data protection in the UK is the Information Commissioner's Office (ICO).

What data we collect

For registered users:

  • Email address (which is also your username).
  • Password, stored only as a PBKDF2 hash and never in plaintext.
  • Language preference.
  • Email-confirmation status and the time it was confirmed.

Tokens we generate:

  • Email-confirmation and password-reset tokens, stored as SHA-256 hashes; the plaintext value exists only in the link emailed to you and is short-lived.
  • API tokens, stored as SHA-256 hashes, together with a name, scope and last-used timestamp.

Security and audit data:

  • The actor, IP address (stored in full, but masked to /24 in our admin interface) and a short user-agent string.

For anonymous visitors we collect no identifying account data. IP address and user-agent are processed transiently for security and abuse prevention. We use Cloudflare Turnstile on sign-up and sign-in for bot protection.

Cookies

We use only strictly necessary cookies. There is no analytics, advertising, tracking or fingerprinting. The cookies we set are:

  • Session (strictly necessary) — keeps you signed in and maintains your session. Duration: session, until you sign out.
  • CSRF (strictly necessary) — protects forms and requests against cross-site request forgery. Duration: session.
  • Language preference (strictly necessary) — remembers the language you chose. Duration: persistent, until changed or cleared.
  • Cloudflare Turnstile (strictly necessary) — bot protection on the sign-up and sign-in forms only. Duration: short-lived.

Cloudflare Turnstile is used only on the sign-up and sign-in forms to protect those actions from automated abuse, and runs in a privacy-preserving mode that is not used to track you across sites. Because all of these cookies are strictly necessary to provide a service you have explicitly requested (signing in, keeping you logged in, protecting forms and authentication), no cookie-consent banner is required under PECR, and so none is shown.

  • Account creation, authentication and API access: performance of a contract.
  • Email confirmation and password reset: performance of a contract.
  • Security, abuse and brute-force prevention, rate limiting and audit logging: legitimate interests. Specifically, we rely on our legitimate interests in keeping the Service secure, preventing abuse and fraud, and maintaining an audit trail.

We do not carry out advertising or profiling, and we do not sell your data. We do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you.

Who we share it with (sub-processors)

  • Cloudflare, for Turnstile bot protection and R2 storage.
  • A third-party email delivery provider (SMTP).
  • GlitchTip, self-hosted by us for error monitoring; secrets, tokens and personal data are scrubbed before any event is recorded.
  • Hosting in the EU (Germany, via Hetzner) and Cloudflare's global network.

To be clear about a distinction: large language model providers (Anthropic, OpenAI, Google) process only scraped public web content. They do not receive your account data, email address, IP address, password or tokens.

How long we keep it

  • Account data: for as long as your account exists.
  • Audit logs: 365 days, then automatically deleted.
  • Email-confirmation and password-reset tokens: short-lived (hours).
  • API tokens: until you revoke them.

Your rights and how to exercise them

You have the right to access, rectification, erasure, restriction, data portability and objection. We do not provide self-service tools for these; instead, email [email protected] and we will respond within the statutory time limits (normally one month).

A few practical points: responding is free, unless a request is manifestly unfounded or excessive; the one-month period may be extended by up to a further two months for complex or numerous requests, in which case we will tell you; and we may need to verify your identity before acting on a request.

You also have the right to complain to the ICO (ico.org.uk).

Security

We use HTTPS with HSTS, store passwords using PBKDF2, apply a Content Security Policy, protect login against brute-force attempts and restrict the admin area by IP. No system is ever perfectly secure, but these are the measures we have in place.

International transfers and hosting

Our servers are in the EU (Germany, via Hetzner), and delivery is via Cloudflare's global network, which may process data in other countries. Where personal data is transferred outside the UK, we rely on UK adequacy regulations where they apply. Where no adequacy regulation applies, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and, for recipients in the United States, the UK extension to the EU–US Data Privacy Framework.

Children

Our content is for adults aged 18 or over. The Service is not directed at children, and we do not knowingly collect data from anyone under 18.

Changes to this policy

We may update this policy from time to time. We will revise the "Last updated" date, which serves as the effective date. For significant changes, we will make them clear and, where you hold an account, notify you by email to your account address. Please review this policy periodically.

Governing law

This policy is governed by the law of England and Wales.