Privacy Policy

This Privacy Policy explains how bicycle-kick (operated by PSYCHOLAB, "we", "us", "our") collects, uses, and protects information when you use this website (the "Service"). The Service is hosted in Iceland and is subject to Icelandic law and the EU General Data Protection Regulation (GDPR).

1. Information We Collect

We collect the minimum data necessary to operate the Service:

• Account data: username and password (stored as a hash; we never store your plaintext password).
• Authentication data: JSON Web Tokens (JWT) and refresh tokens stored as HTTP-only cookies and in our database for session management and revocation.
• Audit logs: IP address, user agent string, and request timestamps recorded for security monitoring and abuse prevention (retained for up to 90 days).
• Match-prediction inputs: the team names, odds, form inputs, and other prediction parameters you submit; these are processed in-memory and not associated with your account beyond the duration of the prediction.

We do not collect: real names, addresses, phone numbers, payment information, or any other personally identifying information beyond what is listed above.

2. How We Use Your Information

• Authenticate your account and maintain your session.
• Detect and prevent abuse, brute-force attacks, and credential-stuffing attempts.
• Generate predictions you have requested (in-memory processing only).

We do not use your data for marketing, profiling, or behavioral advertising.

3. Cookies

The Service uses essential cookies for authentication and security. See our Cookie Policy for details.

4. Third-Party Services

• API-Football: server-side fetch of fixtures, odds, and statistics. No user data is shared with API-Football; only match identifiers are queried.
• Advertising partners: the Service may display advertisements served by third-party advertising networks. These advertisers may set their own cookies and collect data subject to their own privacy policies. We do not control or have access to data collected by these third parties. Specific advertising partners will be disclosed when integrated.

5. Data Retention

6. Your Rights Under GDPR

If you are a resident of the European Economic Area (EEA), you have the following rights:

• Right of access: request a copy of the data we hold about you.
• Right to rectification: request correction of inaccurate data.
• Right to erasure ("right to be forgotten"): request deletion of your account and associated data.
• Right to restrict processing: request that we limit how we use your data.
• Right to data portability: request your data in a machine-readable format.
• Right to object: object to processing of your data for specific purposes.
• Right to lodge a complaint: with a supervisory authority in your jurisdiction.

To exercise any of these rights, contact us via the Abuse Contact page with the subject line "GDPR Request". We will respond within 30 days.

7. International Users

The Service is hosted in Iceland (European Economic Area). By using the Service from outside the EEA, you acknowledge that your data may be transferred to and processed in Iceland under Icelandic law and the EU GDPR.

8. Security

We use industry-standard practices to protect your data: passwords are hashed using bcrypt; communications are encrypted via HTTPS/TLS; database access is restricted; audit logging is in place. However, no internet transmission is 100% secure, and we cannot guarantee absolute security.

9. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us via the Abuse Contact page and we will delete the account.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Continued use of the Service after changes constitutes acceptance.

11. Contact

For privacy-related questions, contact us at: [email protected] or via the Abuse Contact page.