Privacy Policy — How SmartLottos Handles Your Data
This Privacy Policy explains how SmartLottos (smartlottos.com) collects, uses, shares, and protects your personal data. It applies to all visitors and registered users of our website and is written in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the ePrivacy Directive.
1. Data Controller
The data controller responsible for your personal data is SmartLottos (smartlottos.com). If you have questions about how your data is handled, you can contact us at [email protected].
2. Data We Collect
We collect the following categories of personal data:
- Account data: email address and hashed password when you register or log in.
- Usage data: pages visited, features used, and interactions with the site — collected via analytics cookies (with your consent).
- Device and technical data: IP address, browser type, operating system, and referral URL — collected automatically by our hosting infrastructure and analytics tools.
- Cookie preferences: your consent choices are stored locally in your browser.
We never collect or store any lottery numbers you generate. Number generation happens entirely in your browser and is not transmitted to our servers.
3. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6):
- Contract (Art. 6(1)(b)): processing your account data is necessary to provide the registered-user features you signed up for.
- Consent (Art. 6(1)(a)): analytics, marketing, and preference cookies are only set after you give explicit consent via our cookie banner. You may withdraw consent at any time.
- Legitimate Interests (Art. 6(1)(f)): we process minimal technical data (server logs, security monitoring) to keep the site secure and functioning. This interest is not overridden by your rights.
- Legal Obligation (Art. 6(1)(c)): we may process data where required by applicable law.
4. Cookies and Tracking Technologies
We use four categories of cookies. You can manage your preferences at any time by clicking 'Cookie Settings' in the site footer.
- Strictly Necessary — required for the website to function (authentication sessions, security tokens, load balancing). No consent required.
- Analytics — used to understand how visitors use the site (e.g. Google Analytics: pages viewed, session duration, bounce rate). Only set with your consent.
- Marketing & Advertising — used to deliver relevant advertisements and measure campaign effectiveness (e.g. Google Ads, remarketing tags). Only set with your consent.
- Functionality & Preferences — used to remember your settings and personalise your experience (e.g. theme, language). Only set with your consent.
Google Consent Mode v2 is implemented on this site. All non-essential Google signals are denied by default until you grant consent.
5. Third-Party Processors and Recipients
We share data with the following third-party service providers acting as data processors:
- Google Analytics (Google LLC) — website analytics. Data may be transferred to the USA under Standard Contractual Clauses. Privacy policy: policies.google.com/privacy
- Google Ads (Google LLC) — advertising and remarketing. Same transfer safeguards as above.
- Supabase — authentication and database hosting. Your account email and password hash are stored here.
- Netlify / Vercel — website hosting and edge infrastructure. Server logs (IP address, request metadata) are processed here.
We do not sell, trade, or rent your personal data to any third party for their own marketing purposes.
6. International Data Transfers
Some of our third-party processors (including Google and Vercel) are based in or transfer data to the United States. Where personal data is transferred outside the UK or European Economic Area, we ensure appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent UK International Data Transfer Agreements (IDTAs).
7. Data Retention
- Account data: retained for as long as your account is active. Deleted within 30 days of account deletion request.
- Analytics data: retained for up to 14 months in Google Analytics (Google's default maximum for EU data).
- Server logs: retained for up to 30 days by our hosting provider for security purposes.
- Cookie consent records: stored in your browser's localStorage until cleared. No server-side copy is kept.
8. Your Rights Under GDPR
If you are located in the EU, UK, or EEA, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your data ('right to be forgotten').
- Right to restriction — request that we limit how we process your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent — withdraw cookie consent at any time via the Cookie Settings link in the footer. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint — you have the right to lodge a complaint with your national data protection authority. In the UK: the ICO (ico.org.uk). In the EU: your local supervisory authority.
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.
9. Data Security
We implement industry-standard security measures including HTTPS encryption, hashed password storage, and access controls. However, no method of transmission over the internet is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
10. Children's Privacy
Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the 'Last updated' date at the bottom of this page. If changes affect how we process your data in a way that requires fresh consent, we will re-display the cookie consent banner.
12. Contact Us
For any privacy-related questions, data subject requests, or complaints, contact us at: [email protected]