BetHoop

Last updated: June 1, 2026 · v2026-06-01

Privacy Policy

BetHoop respects your privacy. This Policy explains what personal data we collect, why we process it, with whom we share it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and other applicable privacy laws (CCPA, PIPEDA, etc.). It applies to all users of the BetHoop service.

1. Data controller

For the purpose of GDPR Article 4(7), the data controller is BetHoop (sole proprietorship, France). Contact: privacy@bethoopai.com. BetHoop has not yet designated a Data Protection Officer (DPO) — not legally required at our scale — but a single point of contact handles every privacy request via the email above.

2. Data we collect and why

We process the categories of data below, each on a specified legal basis (GDPR Article 6):

  • Account data — email, authentication identifier, login method, language preference. Legal basis: performance of the contract (Art. 6.1.b). Source: you, via Clerk.
  • Legal acceptance log — version of Terms accepted, timestamp, IP address at acceptance. Legal basis: legal obligation to prove consent (Art. 6.1.c).
  • Billing data — subscription plan, Stripe customer ID, subscription status, last invoice timestamps. We never see or store full card numbers; Stripe handles all card data as a separate controller. Legal basis: performance of the contract (Art. 6.1.b) and legal obligation for accounting (Art. 6.1.c).
  • Usage data — pages viewed, analyses requested, language preference, daily quota usage, identifier of the matchups you analyzed. Legal basis: legitimate interest in operating, securing and improving the service (Art. 6.1.f).
  • Server logs & security data — IP address, user-agent, timestamps, technical errors. Legal basis: legitimate interest in security (Art. 6.1.f) and legal obligation (Art. 6.1.c).
  • Analytics (PostHog, EU region) — event-level product analytics with a short-lived anonymous identifier, then linked to your account once you sign in. Legal basis: consent (Art. 6.1.a) — collected via the cookie banner; if you decline, no analytics events are sent.
  • Email engagement — opens / clicks on our transactional emails (Resend).Legal basis: legitimate interest in service quality (Art. 6.1.f). Marketing emails are not used today; if introduced, opt-in consent will be requested.

We do not process special categories of personal data (Art. 9 GDPR) and do not use automated individual decision-making with legal effects (Art. 22 GDPR). The AI generates statistical analyses, not user-level decisions.

3. Sub-processors

We rely on the providers below to operate the service. Each acts as a processor on our behalf (or, where indicated, as a separate controller) under a written data processing agreement.

  • Clerk Inc. (US) — authentication and user management.
  • Stripe Payments Europe Ltd. (Ireland / US) — payment processing (independent controller for card data).
  • Vercel Inc. (US) — hosting and edge delivery.
  • Neon Inc. (US, EU AWS region available) — managed PostgreSQL database.
  • OpenAI Ireland Ltd. (Ireland) — large-language-model assistance for the qualitative portion of analyses. No personal data is sent in the prompts — only aggregated sports statistics. OpenAI is contractually prohibited from training its models on our API inputs.
  • Resend Inc. (US) — transactional email delivery.
  • PostHog Inc. (EU region — Frankfurt) — product analytics, conditional on your consent.
  • cron-job.org (Germany) — scheduled trigger of our data-refresh cron (no personal data, only a secret key to authenticate the call).

4. Cookies and similar technologies

We split cookies into two categories:

  • Strictly necessary cookies (no consent required): Clerk authentication (`__session`, `__client`), our locale preference (`bethoop_locale`), legal-consent version (`bethoop_legal_consent`), Stripe checkout session (when initiated by you). These are essential to operate the service.
  • Analytics cookies(consent required): PostHog (`ph_*`). Loaded only if you accept analytics in the cookie banner. Withdraw your consent at any time from the banner's “Cookie preferences” link in the footer.

We do not use third-party advertising or cross-site tracking cookies. We do not sell or share your personal data with advertisers.

5. Data retention

  • Account & profile: as long as your account exists, plus 30 days for backup rotation.
  • Billing & tax records: 10 years from the end of the fiscal year, as required by French commercial law (Article L123-22 of the French Commercial Code).
  • Server logs: 12 months maximum, then automatic purge.
  • Analytics events: 13 months (CNIL recommendation).
  • Legal acceptance log: kept for the duration of the account plus 5 years (statute of limitations on contract claims under French law).

6. International data transfers

Some sub-processors (Clerk, Stripe, Vercel, Resend, OpenAI, Neon) operate or replicate data in the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs) for transfers to non-adequate countries, and where available on the EU-US Data Privacy Framework (Clerk, Stripe, Vercel are certified). Additional safeguards (encryption in transit and at rest, access controls) supplement the legal basis.

7. Your rights

Under the GDPR and equivalent laws, you have the right to:

  • Access the data we hold about you (Art. 15).
  • Rectify inaccurate data (Art. 16).
  • Erase your data, subject to legal retention obligations (Art. 17 — “right to be forgotten”).
  • Restrict processing in certain cases (Art. 18).
  • Portability: receive your data in a structured, commonly-used, machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, where processing is based on consent (Art. 7.3) — including analytics cookies.
  • Define directives regarding the fate of your data after your death (Article 85, French Data Protection Act).
  • Lodge a complaint with the CNIL (cnil.fr) if you are in France, or your local data protection authority otherwise. For California residents, you have the additional rights under the CCPA (right to know, delete, opt-out of sale — we do not sell personal data).

To exercise these rights, email privacy@bethoopai.com. We respond within one month (extendable to three months in complex cases, as permitted by Art. 12.3 GDPR). We may ask for proof of identity if there is reasonable doubt as to who is making the request.

8. Security

We use TLS encryption in transit, authenticated access to the database with the principle of least privilege, rotated API keys, and standard security controls. Card data never transits our servers. No system is perfectly secure; in the event of a personal data breach affecting your rights, we will notify the CNIL within 72 hours and notify you without undue delay where required by Art. 34 GDPR.

9. Minors

The service is not directed at, nor intended for, persons under the legal gambling age (21 in the United States, 19 in most Canadian provinces, varies in Europe). We do not knowingly collect data from minors. If you believe a minor has provided us data, contact privacy@bethoopai.com for immediate deletion.

10. AI processing

Match analyses are produced by a deterministic mathematical model assisted by OpenAI's GPT models for the qualitative scenario. The prompts sent to OpenAI contain only aggregated sports statistics for the two teams (no user identifier, no email, no IP). Per OpenAI's API policy, our inputs are not used to train OpenAI's models.

11. Changes

Material changes to this Policy will be notified by email or in-app at least 15 days before they take effect. The version and last-updated date above reflect the latest revision.

12. Contact

Privacy inquiries: privacy@bethoopai.com. General inquiries: hello@bethoopai.com.