Privacy Policy

• Account Information: Email address, display name, and password (or OAuth credentials) when you create an account.
• Financial Data: Bank statements (PDF/CSV files) that you upload, and any transactions you enter manually. Bank statements may contain your name, account numbers, transaction dates, amounts, merchant names, and descriptions.
• Bank Connection Data: If you connect a bank account through Plaid or a similar service, we receive transaction data, account balances, and account identifiers as authorized by you through that service.
• Professional Information (B2B Users): Law firm name, attorney name, case reference numbers, and client identifiers provided when generating litigation reports.
• Clinical Information (B2B Users): Practice name, clinician name, and client identifiers provided when generating clinical reports.
• Communication Data: Information you provide when contacting our support team, providing feedback, or communicating with us.
• Payment Information: Payment details are collected and processed by our payment processor, Stripe. vigcheck does not store your credit card numbers or bank account details for payment purposes.

• Transaction Classifications: AI-generated categorizations identifying transactions as gambling-related and attributing them to specific platforms (e.g., DraftKings, FanDuel, BetMGM).
• Behavioral Analysis Data: AI-generated assessments of gambling behavioral patterns, including loss chasing indicators, deposit frequency analysis, time-of-day patterns, payday correlation analysis, and escalation detection.
• Financial Summaries: Calculated net win/loss figures, gambling-to-income ratios, and spending trend analyses.
• Narrative Reports: AI-generated written analyses of your gambling financial activity.
• Litigation Reports: Formatted PDF reports containing transaction data, behavioral analysis, and methodology documentation.

• Device and Browser Information: IP address, browser type and version, operating system, device type, and screen resolution.
• Usage Data: Pages visited, features used, session duration, actions taken within the Service (e.g., reports generated, analyses completed).
• Log Data: Server logs including timestamps, error messages, and referring URLs.
• Cookies and Similar Technologies: As described in Section 9 of this Policy.

• Service Delivery: Processing your financial data to provide transaction categorization, net win/loss calculations, behavioral analysis, and report generation.
• Account Management: Creating and managing your account, authenticating your identity, and processing payments.
• Communication: Responding to your inquiries, providing customer support, and sending service-related notifications (e.g., analysis completion, account alerts).
• AI Chat: Powering the conversational interface that allows you to query your analysis results.

• Service Improvement: Analyzing anonymized, aggregated usage patterns to improve AI accuracy, user interface design, and feature development. We never use your identifiable financial data for model training.
• Security and Fraud Prevention: Detecting and preventing unauthorized access, abuse, or fraudulent use of the Service.
• Legal Compliance: Complying with applicable laws, regulations, and legal processes.

We do NOT use your personal information for the following purposes:

• We do NOT sell your personal information to third parties.
• We do NOT share your personal information with advertisers or for targeted advertising purposes.
• We do NOT use your identifiable financial data to train AI models.
• We do NOT use your data for credit scoring, insurance underwriting, employment screening, or any purpose unrelated to the Service.
• We do NOT create profiles for advertising purposes or share data with data brokers.

• Purpose: Bulk transaction classification and gambling platform identification.
• Data Transmitted: Transaction descriptions, amounts, and dates. We strip personally identifiable information (names, account numbers) before transmission.
• Data Retention by OpenAI: OpenAI does not use API data for model training. Data is retained up to 30 days for abuse monitoring under their standard API terms, or zero days under Zero Data Retention agreements.
• Security: AES-256 encryption at rest; TLS 1.2+ in transit. SOC 2 Type II certified.

• Purpose: Behavioral pattern analysis, narrative report generation, litigation report generation, and AI chat responses.
• Data Transmitted: Categorized transaction summaries and metadata. We strip personally identifiable information before transmission where technically feasible.
• Data Retention by Anthropic: Anthropic does not use commercial API data for model training. API logs are retained for 7 days for safety monitoring.
• Security: AES-256 encryption at rest; TLS 1.2+ in transit. SOC 2 Type II certified.

Before transmitting data to any third-party AI provider, vigcheck applies data minimization techniques including: stripping names and full account numbers from transaction data; replacing dates with relative time offsets where behavioral analysis does not require absolute dates; and transmitting only the minimum data fields required for each specific AI task.

vigcheck uses a limited set of cookies and similar technologies:

• Strictly Necessary Cookies: Authentication tokens, session identifiers, and security cookies required for the Service to function. These cannot be disabled.
• Functional Cookies: Preferences such as language selection and display settings.
• Analytics Cookies: First-party analytics to understand how users interact with the Service. We do NOT use third-party advertising pixels (Facebook Pixel, Google Ads, etc.) or any tracking technology that transmits user identifiers to advertising networks.

Given the sensitive nature of our Service, we have made a deliberate decision NOT to use:

• Third-party advertising or retargeting pixels.
• Social media tracking widgets.
• Cross-site tracking technologies.
• Fingerprinting or device identification technologies beyond standard session management.

For EU/UK users: Non-essential cookies require your prior opt-in consent. We present a cookie consent banner with equal-prominence accept and reject options on your first visit.

For US users: You may opt out of non-essential cookies through the cookie settings accessible from the footer of our website. We honor Global Privacy Control (GPC) signals and Universal Opt-Out Mechanisms as required by applicable state laws.

For Australian users: We provide clear notice about our cookie usage and obtain consent for any cookies that collect sensitive information.

Before processing your financial data for gambling-related analysis, we will present you with a separate, unbundled consent request that: (a) identifies the data as special category data related to health under GDPR Article 9; (b) specifies each processing purpose; (c) names the categories of recipients; and (d) explains how to withdraw consent. This consent is separate from your agreement to the Terms of Service and can be withdrawn at any time.

Under GDPR/UK GDPR, you have the following rights:

• Right of Access (Article 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Article 16): Request correction of inaccurate personal data.
• Right to Erasure (Article 17): Request deletion of your personal data, subject to legal retention requirements.
• Right to Restriction (Article 18): Request that we limit processing of your data in certain circumstances.
• Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format.
• Right to Object (Article 21): Object to processing based on legitimate interest.
• Right to Withdraw Consent: Withdraw your consent at any time without affecting the lawfulness of processing performed before withdrawal.
• Right Regarding Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects concerning you. You have the right to obtain human intervention, express your point of view, and contest any automated decision.

Our Service uses automated processing (AI) to categorize your financial transactions and generate behavioral analysis. We provide meaningful information about the logic involved: our AI agents use large language models to classify transactions based on merchant names, MCC codes, and transaction patterns, and to detect behavioral patterns based on timing, frequency, and amount analysis. You may request human review of any automated assessment at any time by contacting privacy@vigcheck.io.

Your personal data is transferred to and processed in the United States. We rely on the following transfer mechanisms:

• EU-US Data Privacy Framework (DPF) and UK Extension: vigcheck participates in the EU-US Data Privacy Framework. [Self-certification to be completed prior to processing EU user data.]
• Standard Contractual Clauses (SCCs): We maintain SCCs as supplementary transfer mechanisms with all sub-processors.
• Transfer Impact Assessments: We conduct Transfer Impact Assessments for transfers to AI sub-processors (OpenAI, Anthropic) addressing US surveillance laws and supplementary safeguards.

vigcheck has conducted a Data Protection Impact Assessment (DPIA) for the processing of gambling-related financial data, as required by GDPR Article 35. The DPIA addresses the necessity and proportionality of processing, risks to data subjects, and safeguards implemented. A summary of the DPIA is available upon request to our Data Protection Officer.

You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. In the UK, the supervisory authority is the Information Commissioner’s Office (ICO).

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA):

• Right to Know/Access (§1798.100): Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete (§1798.105): Request deletion of personal information we have collected from you, subject to statutory exceptions.
• Right to Correct (§1798.106): Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing (§1798.120): vigcheck does NOT sell or share your personal information for cross-context behavioral advertising. This right is technically available to you but does not apply because we do not engage in these practices.
• Right to Limit Use of Sensitive Personal Information (§1798.121): You may limit our use of your Sensitive Personal Information (financial account data and health inferences) to uses that are necessary to provide the Service.
• Right to Non-Discrimination (§1798.125): We will not discriminate against you for exercising any of your privacy rights.

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:

SPI = Sensitive Personal Information under CPRA.

To exercise any of the rights described in this section, submit a verifiable consumer request to privacy@vigcheck.io. We will verify your identity before processing your request. We will respond within 45 days, with one 45-day extension if reasonably necessary.

If you reside in a state with a comprehensive consumer privacy law (including but not limited to Virginia, Colorado, Connecticut, Oregon, Texas, Montana, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, or Tennessee), you may have similar rights to access, correct, delete, and port your personal data, and to opt out of targeted advertising and profiling. We honor these rights for all US residents regardless of state. Where your state requires opt-in consent for sensitive data processing, we obtain such consent through our explicit consent mechanism.

We honor Global Privacy Control (GPC) signals and other Universal Opt-Out Mechanisms as required by applicable state laws.

Under CPRA ADMT regulations (effective January 1, 2027), you will have the right to: (a) receive notice when ADMT is used for significant decisions affecting you; (b) opt out of ADMT processing; and (c) access information about ADMT logic, outputs, and decision factors. vigcheck proactively implements these protections. You may request human review of any AI-generated assessment by contacting privacy@vigcheck.io.

We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) as amended. Key commitments:

• APP 1 (Open and Transparent Management): This Privacy Policy constitutes our APP 1 privacy policy, describing the kinds of personal information we collect, the purposes of collection, how we handle it, and how you can access and correct it.
• APP 3 (Collection of Sensitive Information): We obtain your consent before collecting sensitive information, including health information derived from gambling behavioral analysis.
• APP 6 (Use or Disclosure): We use and disclose your personal information only for the primary purpose of collection, or for directly related secondary purposes you would reasonably expect. Sharing reports with attorneys or counselors at your direction is a primary purpose.
• APP 8 (Cross-Border Disclosure): Your data is transferred to the United States for processing. We take reasonable steps to ensure overseas recipients comply with the APPs through enforceable data processing agreements. We inform you that APP protections may not apply to overseas recipients.
• APP 11 (Security): We take reasonable steps to protect personal information from misuse, interference, and loss, and from unauthorized access, modification, or disclosure, as described in Section 10.
• APP 12 (Access): You have the right to request access to the personal information we hold about you.
• APP 13 (Correction): You have the right to request correction of inaccurate, out-of-date, or incomplete personal information.

Under the Privacy and Other Legislation Amendment Act 2024, effective December 10, 2026, we will disclose in this Policy: the kinds of personal information used in substantially automated decisions; the kinds of decisions made; and how those decisions are made. vigcheck’s AI system uses transaction descriptions, amounts, dates, and frequency patterns to categorize gambling transactions and detect behavioral patterns. You may request human review of any automated assessment.

If we become aware of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.

If you have a complaint about how we have handled your personal information, please contact us at privacy@vigcheck.io. If you are not satisfied with our response, you may lodge a complaint with the OAIC at oaic.gov.au.