Privacy Policy — aivantix360
Last updated: July 5, 2026
1. Data controller
aivantix360 (entity in formation: Delaware holding + Florida LLC, U.S.). Privacy contact: soporte@aivantix360.com (provisional email). EU/UK representative (GDPR Art. 27): being appointed. DPO: not designated for now; the privacy contact is the email above.
aivantix360 is an educational sports-analytics platform: it is not a sportsbook, does not handle gambling funds and does not sell guaranteed picks.
2. Data we collect
Waitlist: email (from you).
Account: email, password (hashed), language (via Supabase Auth).
Profile: country, declared educational bankroll, favorite sports/leagues, risk tolerance.
Usage: simulated picks, simulations, interactions, educational history, AI-chat messages.
Technical: IP (used only for country-level geolocation and language — never stored), device, browser, cookie identifiers.
Analytics and marketing: GA4, Meta Pixel and TikTok Pixel events, only with your consent (Consent Mode v2).
Payments (when activated): subscription status and last 4 digits/expiry managed by Stripe; we never store the full card number.
We do not collect: special categories (health, religion, etc.), sportsbook account data or real-money movements. We do not direct the service at minors under 18 nor knowingly collect their data (see §10).
3. Purposes and legal bases (GDPR)
Creating and operating your account, providing the service and personalizing educational content: contract performance (Art. 6.1.b).
Billing (via Stripe): contract + legal obligation (6.1.b/c).
Enforcing minimum age, geo-blocks and responsible gambling: legal obligation / legitimate interest (6.1.c/f).
Security and fraud prevention: legitimate interest (6.1.f).
Analytics and advertising (GA4, Meta, TikTok): consent (6.1.a), revocable at any time.
Marketing emails: consent (6.1.a) — opt-in at signup, unsubscribe in every email.
Product improvement with aggregated/anonymized data: legitimate interest (6.1.f).
For users outside the EEA/UK, the equivalent bases of local law apply (e.g. Mexico’s 2025 LFPDPPP, Colombia’s Law 1581, Peru’s Law 29733, Switzerland’s revFADP).
4. Cookies, pixels and Consent Mode v2
We use essential cookies (session, language, theme, age-gate) and, only with consent, analytics and advertising cookies/pixels (GA4, Meta Pixel, TikTok Pixel). We implement Google Consent Mode v2: analytics_storage, ad_storage, ad_user_data and ad_personalization remain denied by default until you accept in the banner. You can change or revoke your choice at any time under "Cookie settings". Full detail: /legal/cookies.
5. Third parties processing data
Supabase (database and authentication) — U.S./EU.
Vercel (hosting and logs) — U.S./global.
Stripe (payments, when activated) — U.S.; joint controller for fraud prevention.
Google (GA4; Google Ads if activated) — with Consent Mode v2.
Meta and TikTok (pixels/ads) — only with consent; limited event data.
AI providers for the chat (they process your chat messages to generate answers; per their API terms they do not train on them with your identifiers).
Sports-data and odds providers (they receive only technical requests, not your personal data).
Resend or another transactional email provider.
We do not sell personal data in the traditional sense. Under the CPRA, the use of advertising pixels may qualify as "sharing" for behavioral advertising: we offer an opt-out (§9).
6. International transfers
Data may be processed in the U.S. and other countries. For transfers from the EEA/UK/Switzerland we use the European Commission’s Standard Contractual Clauses (and the UK/Swiss Addendum), plus the EU-U.S. Data Privacy Framework where the provider is certified. For Switzerland: the Swiss–US Data Privacy Framework or FDPIC-recognized clauses; export countries (mainly the U.S.) are expressly disclosed. Copies available upon request.
7. Retention
Account and profile: while the account is active; upon deletion, erased within a maximum of 30 days, except what the law requires us to keep (e.g. billing: 6-10 years depending on jurisdiction).
Waitlist: until signup or your unsubscription.
Analytics: GA4 14 months; technical logs 90 days.
Consent records (age-gate, terms, marketing): 5 years after account closure, as compliance evidence.
Platform self-exclusion data: for the self-exclusion period + 2 years (so as not to recontact you).
8. Your rights (GDPR and equivalents)
Access, rectification, erasure ("right to be forgotten"), portability, restriction, objection (incl. to marketing at any time) and withdrawal of consent without retroactive effect. You also have the right not to be subject to solely automated decisions with legal effects: we do not make them (AI analysis is educational content, not decisions about you).
Exercise: from your profile (account self-deletion) or by writing to the contact in §1; we respond within max. 30 days (GDPR) / 45 days (CCPA). You may lodge a complaint with your supervisory authority (e.g. your national DPA in the EU, the ICO in the UK) free of charge.
9. California users (CCPA/CPRA) and other U.S. states
Categories collected: identifiers, commercial information (subscription), internet activity, approximate geolocation (country/state), inferences (sports preferences). We do not collect sensitive personal information within the meaning of the CPRA beyond account credentials.
Rights: know/access, delete, correct, portability, opt-out of "sale"/"sharing" for behavioral advertising, limit use of sensitive information, and non-discrimination for exercising them. How to opt out: the "Do Not Sell or Share My Personal Information" link, the GPC (Global Privacy Control) signal — honored automatically — or email to the contact in §1. Authorized agents accepted with verification. We are not aware of "selling" data of minors under 16; we do not direct the service at minors.
10. Minors
The service is for adults 18+ only (19/21+ where applicable). It is not directed at children under 13 (COPPA) or under 18 in general; we do not knowingly collect minors’ data. If we detect a minor’s account, we will delete it. If you believe a minor gave us data, write to us and we will erase it.
11. Security
Hashed passwords, encryption in transit (TLS), database Row Level Security, access controls, least privilege and change logging. No system is 100% secure; we will notify the authority and affected users of breaches where the law requires it (72 h GDPR; 48 h ANPD Peru; SPDP timeframes in Ecuador; Law 111-2005 in Puerto Rico).
12. Changes
We will update this policy when processing changes; material changes will be notified by email or in-app notice before they take effect.
13. Contact and complaints
aivantix360 — soporte@aivantix360.com (provisional email). If we do not resolve your request, you may turn to your country’s data protection authority: in the EU, your national DPA; UK: ICO; Mexico: Ministry of Anti-Corruption and Good Government ("Transparencia para el Pueblo"); Colombia: SIC; Peru: ANPD; Ecuador: SPDP; Uruguay: URCDP; Switzerland: FDPIC; U.S./California: Attorney General / CPPA. Your country annex (at /legal) names your specific authority.
Minimum age: 21+ across the platform (18 in some states).
Helpline: National Problem Gambling Helpline (NCPG) — 1-800-GAMBLER (ncpgambling.org)
Applicable data law: CCPA/CPRA (California) + comprehensive state privacy laws (19-20 in force in 2026); federal COPPA and CAN-SPAM
Authority: State Attorneys General / CPPA (California) / FTC
Gambling regulator: State gaming commissions (not applicable: we are neither an operator nor an affiliate)
Country notes: Residents of California and other states with comprehensive laws may exercise access, deletion, correction and opt-out of "sale/sharing" (via the "Do Not Sell or Share" link and the GPC signal, honored automatically).