Privacy is a design constraint, not a marketing line.

---

1. Who we are

ShieldBet is operated by ShieldBet Ltd, a UK company. For the purposes of UK GDPR, we are the data controller for the data described below. Contact: ryan@shieldbet.co.uk.

For most processing described in this policy, ShieldBet relies on one or more of the following lawful bases under UK GDPR: performance of a contract (providing the protection service), legitimate interests (service security, abuse prevention, accountability functionality, and operational monitoring), legal obligations, and consent where specifically requested.

2. What data we collect

2.1 Account data

• Your email address (used as your login)
• A first name (optional, for display)
• Your date of birth (used to confirm you're 18 or over)
• Your trusted partner's email address (used for the accountability flow)

2.2 Partner account data

• Your partner's chosen username and password (password is stored as a bcrypt hash, never in plain text)
• Three security questions and answers (answers stored as hashes, never in plain text)

2.3 Protection-state data

• Whether protection is currently locked or temporarily unlocked, and when the unlock window expires
• Recent block-attempt counts within rolling 60-minute windows (used to drive the intervention threshold)
• Logs of blocked-site attempts: domain, timestamp, classification reason

2.4 Companion extension presence

The companion extension reports whether the main ShieldBet extension is installed and active. A long-lived companion token (issued at install) authenticates this check. If the main extension or companion extension is removed or disabled while protection is active, the partner is notified. Removal alerts are not sent where there is no active trial or paid subscription.

2.5 Page-level data during analysis

The Chrome extension may access the URL, hostname, page title, and visible page text of pages you visit only to determine whether gambling protection should apply. This analysis happens on-device, in your browser. Page content used for classification is processed locally within the browser and is not transmitted to ShieldBet servers during normal operation. The only data that leaves your browser are the classification outcomes — block events, attempt counts, account state, false-positive reports voluntarily submitted by the user, and partner-accountability events.

ShieldBet does not use webpage content for advertising, behavioural profiling, data brokerage, credit scoring, or unrelated analytics. Access to webpage content is limited solely to the functionality required to evaluate whether gambling protection should apply.

2.6 Developer feedback (optional, beta only)

During the closed beta and early public releases, developer-only feedback controls may be used by ShieldBet staff to label pages for future model review. These labels are stored for manual review and later training work only. They do not change live blocking decisions and are not used as an automatic allowlist or blocklist.

3. How we use this data

• To operate the protection service (block decisions, allow decisions, intervention flow)
• To deliver partner notifications (block-attempt alerts, unlock codes, removal alerts)
• To enforce the partner-approval architecture for unlock and logout
• To maintain service performance and detect operational issues
• To improve classification accuracy through reviewer-labelled training data

We do not use your data for advertising, profiling, or any commercial purpose unrelated to running ShieldBet.

4. Email notifications

ShieldBet sends emails to your trusted partner in the following situations:

• You have made multiple blocked-site attempts within a short window (calibrated thresholds; not every attempt)
• You have requested an unlock or logout (the email contains the approval code)
• The main ShieldBet extension or the companion extension has been removed or disabled while protection is active
• You cancel your ShieldBet subscription while protection is active
• The partner has logged in to the partner dashboard

These notifications are a core part of the accountability system. Removal and cancellation alerts are only sent where the user has an active trial or paid subscription. They cannot be disabled without disabling protection itself, which requires the partner's involvement.

5. Where data is stored

ShieldBet uses Supabase (a managed Postgres provider) for account, protection-state, and block-log storage. Data is held in EU/UK regions. Edge Functions run in secure server environments and validate every privileged request against three authentication contexts (user JWT, partner session token, companion token) before performing any action.

Approval codes (unlock, logout, partner login) are generated server-side using cryptographically random values. Only a hash of each code is stored. The raw code is sent directly to the partner's email and is never logged or persisted.

6. Data sharing

We do not sell, rent, or share personal data with third parties for advertising or marketing purposes. The only third parties we share data with are operational service providers:

• Supabase (database and authentication infrastructure)
• Stripe (payment processing, subscription management, invoices, and customer portal)
• Our transactional email provider (for partner notification delivery)
• Chrome Web Store / equivalent app stores (for distribution; standard install metadata only)

Each is bound by contractual data-processing terms and processes data only as needed to deliver their service.

ShieldBet does not permit third parties to use personal data collected through the extension for their own advertising, profiling, or marketing purposes. Service providers process data only on ShieldBet's instructions and only to the extent necessary to provide their contracted service.

ShieldBet does not store full card details. Payments, card details, invoices, and subscription billing are handled by Stripe.

7. Data retention

Account data is retained while your ShieldBet account is active. Block logs are retained only for as long as reasonably necessary to provide ShieldBet functionality, accountability features, and recent-activity review within the partner dashboard.

When you delete your account, all linked records are removed atomically — account, protection state, block logs, partner association, security questions, and authentication credentials. The deletion runs in a single database transaction; if any part fails, the whole operation rolls back.

8. Your rights under UK GDPR

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your account and all linked data
• Export a copy of your data in a machine-readable format
• Object to or restrict certain processing
• Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise any of these rights, contact ryan@shieldbet.co.uk.

9. Cookies and tracking

This website uses no third-party tracking. We do not load Google Analytics, Facebook Pixel, or equivalent products. The only cookies set are first-party functional cookies needed for login sessions on the user and partner dashboards.

ShieldBet does not use hidden tracking technologies, cross-site tracking, third-party analytics, advertising identifiers, browser fingerprinting, or data-sharing SDKs.

10. Security

Account passwords are stored using bcrypt hashing. Session tokens and security-question answers are stored only as hashes. Security-relevant account actions may be logged with IP address and user-agent for audit and abuse-prevention purposes. Rate limiting is applied to authentication endpoints to help protect accounts from repeated unauthorised access attempts.

Access to production systems is restricted and authenticated. Sensitive operations affecting account state, partner approval, subscription access, or protection controls are validated server-side before execution. Where appropriate, audit records may be retained for security, fraud prevention, operational integrity, and dispute resolution.

11. Age requirement

ShieldBet is for adults (18+). We do not knowingly collect data from anyone under 18. The registration flow requires a date of birth and rejects accounts that do not meet the age requirement.

12. Changes to this policy

If we make material changes to this policy, we will notify you by email at the address linked to your account, and the change will be reflected in the "Last updated" line at the top of this page.

13. Chrome extension permissions and limited use

ShieldBet requests browser permissions only where necessary to provide the protection service. Browser permissions are used exclusively for gambling-protection functionality, account security, accountability features, and related operational requirements.

ShieldBet complies with the Chrome Web Store User Data Policy and Limited Use requirements. Data accessed through Chrome extension permissions is not sold, transferred, or used for advertising, creditworthiness decisions, or unrelated commercial profiling.

---

Questions, corrections, privacy requests, or account-related help: ryan@shieldbet.co.uk.