Privacy Policy
How we handle your data.
Controller and Contact Details
LuckyStat is the service operator and is responsible for personal data processed through the service where applicable privacy laws treat us as the data controller. For privacy questions, data requests, or operator contact, email support@luckystat.com.
Information We Collect
We collect the personal data needed to provide LuckyStat: account credentials such as email address and authentication identifiers, saved preferences and presets, generated combinations, subscription status, billing references, support messages, product usage events, technical logs, and cookie or device data. We do not sell personal data.
Purposes and Legal Basis
We process personal data only where we have a legal basis under GDPR. The main purposes are:
| Processing | Data | Legal basis |
|---|---|---|
| Account creation, login, authentication, saved presets | Email, user ID, session data, preferences, generated combinations | Contract performance and legitimate interests in securing the service |
| Subscriptions, checkout, invoices, billing support | Stripe customer ID, subscription status, invoice metadata, billing events | Contract performance and legal obligations for tax/accounting records |
| Product analytics and service improvement | Usage events, device/browser data, approximate region, feature interactions | Consent where required for non-essential analytics; otherwise legitimate interests in improving the service |
| Customer support and service communications | Email, message content, account context, support history | Contract performance and legitimate interests in resolving requests |
| AI-assisted or automated analysis features | Historical draw data, selected filters, generated outputs, account entitlement state | Contract performance for requested features and legitimate interests in maintaining safe analysis; consent where required for optional AI processing |
Recipients and Processors
We use service providers only where needed to run LuckyStat. They process data under contracts or platform terms that restrict their use of personal data.
- Supabase: authentication, database, application storage, and server-side data access.
- Stripe: checkout, payment processing, customer billing, invoices, payment methods, and fraud prevention.
- Email provider: transactional emails such as sign-up confirmation, password reset, billing, and support messages.
- Analytics provider: product analytics only if enabled, subject to applicable consent and opt-out requirements.
- AI provider: external AI processing only if enabled for a feature, subject to applicable privacy and transfer requirements.
International Transfers
Some processors may process data outside the EU/EEA, including in the United States or other countries where they or their sub-processors operate. Where GDPR applies, transfers rely on an adequacy decision, Standard Contractual Clauses, or another lawful transfer mechanism, together with any required supplementary safeguards.
Retention Periods
We keep personal data only for as long as needed for the purposes described above, unless a longer period is required by law or needed to resolve disputes, prevent abuse, or enforce agreements.
| Category | Retention period |
|---|---|
| Account data | For the life of the account, then deleted or anonymized after account closure unless retention is legally required. |
| Billing data | Kept for the subscription period and then for the tax/accounting limitation period required by applicable law. |
| Security and server logs | Normally up to 90 days, unless longer retention is needed for security, fraud prevention, incident investigation, or legal claims. |
| Generated combinations, saved presets, and preferences | Kept until you delete them, close your account, or the account becomes inactive and is scheduled for deletion. |
| Analytics events | Kept in aggregated or identifiable form only as long as needed for product analysis, then deleted or anonymized. |
Data Security
We use technical and organizational measures designed to protect personal data, including HTTPS in transit, access controls, least-privilege server access, and provider security controls. We avoid claiming that every storage location, log, and backup is encrypted at rest unless this has been verified for that specific system.
Payments and Stripe
Payment details are processed by Stripe. LuckyStat does not store full card numbers, CVC codes, or raw payment card data on our servers. We store Stripe identifiers, subscription status, invoice references, and limited billing metadata needed to manage your subscription.
Your Rights
Where GDPR or similar privacy laws apply, you may exercise the following rights by contacting support@luckystat.com. We may need to verify your identity before completing a request.
- Access: ask for a copy of your personal data.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete personal data where legally available.
- Restriction: ask us to restrict certain processing.
- Portability: ask for data you provided in a portable format.
- Objection: object to processing based on legitimate interests.
- Withdrawal of consent: withdraw consent at any time where processing is based on consent, without affecting earlier lawful processing.
- Complaint: lodge a complaint with your local data protection supervisory authority, including an EU/EEA Data Protection Authority.
Cookies
We use cookies and similar technologies for session security, preferences, payments, and analytics where enabled. Non-essential analytics cookies should be used only with consent where required.
| Type | Purpose | Basis |
|---|---|---|
| Essential | Authentication, session management, security, locale and theme preferences. | Necessary for the service and contract performance. |
| Analytics | Understand feature usage, reliability, and product performance if analytics is enabled. | Consent where required; otherwise legitimate interests for privacy-preserving analytics. |
| Payment | Load Stripe checkout/payment elements, prevent fraud, and complete subscription payments. | Contract performance and legitimate interests in secure payment processing. |