BetFund

1. What We Collect

BetFund collects the minimum data necessary to operate the investment fund:

• Account information: Username, display name (optional), and email (optional).
• Authentication data: Password hash (bcrypt — we never store plaintext passwords).
• Financial data: Deposit amounts, withdrawal amounts, share balances, and transaction history.
• Technical data: IP addresses (for rate limiting only, not stored persistently), session cookies.

2. What We Do NOT Collect

• We do not collect real names, physical addresses, phone numbers, or government IDs.
• We do not use analytics trackers, advertising pixels, or third-party cookies.
• We do not sell, share, or monetize your data in any way.

3. How We Use Your Data

• Account management: To authenticate your sessions and display your portfolio.
• Fund accounting: To track your deposits, withdrawals, shares, and performance.
• Security: Rate limiting to prevent brute-force attacks on login.
• Audit trail: An immutable transaction log records all financial operations for integrity verification.

4. Data Storage

All data is stored in SQLite databases on a single server. Databases are backed up daily. Data is not replicated to third-party cloud services.

5. Third-Party Services

The following third-party services process data as part of fund operations:

• Boltz Exchange: Processes Bitcoin Lightning/on-chain swaps for deposits and withdrawals. Boltz receives payment hashes and amounts but not your identity.
• Betting platform: Receives bet placements. No investor identity is shared with the platform.

6. Cookies

We use a single session cookie for authentication. It is:

• HttpOnly (not accessible to JavaScript).
• SameSite=Lax (not sent with cross-site requests).
• Expires after 24 hours of inactivity.

7. Data Retention

Financial records (deposits, withdrawals, transaction logs) are retained indefinitely for audit purposes. Account data is retained as long as your account is active. Deactivated accounts may be purged after 12 months if the balance is zero.

8. Your Rights

You may request:

• A copy of all data associated with your account.
• Correction of inaccurate account information.
• Account deactivation (subject to zero balance).

Contact the Operator to exercise these rights.

9. Security

We protect your data with: bcrypt password hashing, CSRF protection, rate limiting, HttpOnly cookies, security headers (X-Frame-Options, X-Content-Type-Options), and HTTPS encryption in transit.