Privacy Policy
Last updated: 22 March 2026
1. Data Controller
OUTRIGHT Vision GmbH
Im Klapperhof 33
50670 Cologne
Germany
Email: contact@openlottogpt.com
2. Data Collected
When using OpenLottoGPT, we collect the following personal data:
- Email address
- First and last name
- Subscription tier
- Generated number suggestions and configurations
No payment card data is stored on our servers. Payment processing is handled exclusively by Stripe.
3. Purpose of Processing
The collected data is processed for the following purposes:
- Account management and authentication
- Generation of personalised number suggestions
- Billing and subscription management
4. Legal Basis
The processing of personal data is based on Art. 6(1)(b) GDPR (performance of a contract). The provision of our service requires the processing of the aforementioned data.
5. Data Sharing
We share personal data with the following third parties:
- Stripe — for payment processing (name, email, payment information, see section 7)
- Anthropic — for AI-powered analysis (see section 8)
6. Analytics Tools and Advertising
Umami
Our website uses Umami Analytics, an open-source web analytics tool, to analyse visitor behaviour. Umami Analytics is privacy-friendly and compliant with the General Data Protection Regulation (GDPR).
What data is collected?
- Pages visited and access time
- Referrer (i.e., which website you came from)
- Browser type, operating system, and device type
- Geographic origin (country/region)
No personal data is collected. There is no identification of individual users and no linking of data with other services.
Use of Cookies
Umami does not use cookies to collect data. Therefore, no cookie banner is required for this analytics tool.
Purpose of Data Processing
The collected data helps us better understand how our website is used and optimise our offering accordingly. All data remains anonymous and is used exclusively for statistical purposes.
Data Storage
All data is anonymised and not shared with third parties.
If you have questions about the collection and processing of your data, please feel free to contact us.
7. Payment Processing via Stripe
Provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter "Stripe"). Stripe is a payment service provider of the US company Stripe, Inc.
Integration: Our website uses Stripe via a direct API integration for payment processing. We use Stripe Checkout (a Stripe-hosted payment form) and the Stripe customer portal to enable you to make payments easily and manage subscriptions (recurring payments).
Data Processing: When making a payment via Stripe, personal data is transmitted directly to Stripe to process the transaction. We do not store sensitive payment data such as full credit card numbers or bank details on our systems — these are collected and processed exclusively by Stripe. Data processed by Stripe includes in particular:
- Contact and order data: Your name, email address, billing address, and where applicable, delivery address
- Payment information: the chosen payment method (e.g. credit card or SEPA direct debit) along with the required details (e.g. credit card number, expiry date, CVV or IBAN, BIC), which are securely stored by Stripe
- Transaction data: the payment amount, currency, date/time of the transaction, and a transaction identifier
- Technical information: e.g. IP address as well as browser and device data, collected by Stripe for fraud prevention and securing payment transactions (e.g. through the "Stripe Radar" system)
Purpose: Data processing is carried out for the purpose of payment processing within the scope of the contract with you (purchase or subscription) and the management of recurring payments. Stripe uses the transmitted data to process payments initiated by you (including forwarding to banks/credit card providers) and to detect and prevent fraud. Through the Stripe customer portal, you can manage your subscription (e.g. update payment method or cancel); the data processing required for this is also carried out by Stripe.
Legal Basis: The integration of Stripe is based on Art. 6(1)(b) GDPR (performance of a contract), as the processing of payment data is necessary for the performance of your contract. Additionally, we rely on Art. 6(1)(f) GDPR (legitimate interest), as we have a legitimate interest in a secure and efficient payment process (e.g. fraud prevention measures and ensuring IT security). Where Stripe uses cookies or similar technologies that are not technically essential for providing the payment function, access to information on your device only occurs with your consent pursuant to § 25(1) TTDSG. Technically necessary cookies/technologies required for the essential operation of Stripe (e.g. for fraud prevention or payment processing) are used pursuant to § 25(2) TTDSG without consent.
Data Processing Agreement: We have concluded a data processing agreement with Stripe pursuant to Art. 28 GDPR. Stripe acts as our data processor and is contractually obligated to process personal data exclusively according to our instructions and for the processing of payments and related processes. This also includes services such as technical payment processing, the customer portal (subscription management), sending payment confirmations, and compliance with statutory retention obligations. Stripe treats the data confidentially and uses it only within the scope of the stated purposes.
Third-Country Transfers: Stripe Payments Europe Ltd. generally processes customer data on servers within the EU/EEA. However, it cannot be excluded that data may be transferred to Stripe Inc. in the USA or other Stripe group companies in third countries in the course of providing the service. For such cases, Stripe has implemented appropriate safeguards to ensure an adequate level of data protection. In particular, Stripe uses EU Standard Contractual Clauses (SCC). Furthermore, Stripe Inc. (USA) is certified under the EU–US Data Privacy Framework (DPF) to ensure the protection of personal data during transfers to the USA.
Note: Please be aware that there is no level of data protection in the USA comparable to that of the European Union. US authorities could access personal data without adequate legal remedies being available to EU citizens. However, we and Stripe have contractually ensured the best possible protection of your data through Standard Contractual Clauses and additional measures.
Further Information: Detailed information about data processing by Stripe can be found in Stripe's privacy policy (available at Stripe Privacy Center).
8. AI Data Processing
For AI data processing, we use Anthropic models. Only anonymised statistical data and configuration parameters are transmitted to the Anthropic API. No personal data is shared with Anthropic. The transmitted data comprises only aggregated lottery statistics and analysis settings chosen by the user. None of the transmitted data is used for training further models.
9. Feedback Feature
OpenLottoGPT offers registered users an in-app feedback feature through which bug reports and improvement suggestions can be submitted.
User-Entered Data
- Category (bug report or feature request)
- Area of the app (optional, e.g. Generator, Statistics)
- Free-text message
Automatically Transmitted Technical Data
To enable traceability of reported bugs, the following technical information is automatically collected when submitting feedback:
- Page URL: the address of the page the user was on when submitting
- Browser identifier (User-Agent): information about the browser and operating system used
- Screen resolution (Viewport): width and height of the browser window
- Subscription tier: the current tier at the time of submission
- App version: the current version of the application
Users are informed in the feedback form about the automatic transmission of this technical information.
Purpose: The processing serves bug fixing and product improvement. The technical data enables reported bugs to be reproduced and resolved.
Legal Basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in quality assurance and further development of the service).
Retention Period: Feedback data is retained until the user account is deleted. Early deletion of individual feedback entries by the user is not provided for.
10. Retention Period
- Account data: until deletion of the account by the user
- Usage logs: 90 days
- Billing data: 10 years (statutory retention requirement)
11. Data Subject Rights
Pursuant to Art. 15–21 GDPR, you have the following rights:
- Access (Art. 15 GDPR) — Right to information about your stored data
- Rectification (Art. 16 GDPR) — Right to correction of inaccurate data
- Erasure (Art. 17 GDPR) — Right to deletion of your data
- Restriction (Art. 18 GDPR) — Right to restriction of processing
- Objection (Art. 21 GDPR) — Right to object to processing
- Data Portability (Art. 20 GDPR) — Right to receive your data in a transferable format
To exercise your rights, please contact us at: kontakt@openlottogpt.com
12. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data. A list of data protection officers and their contact details can be found at: www.bfdi.bund.de
13. Cookies
OpenLottoGPT uses only technically necessary session cookies to maintain the session. No tracking cookies, analytics cookies, or third-party cookies are used.
14. Hosting and Content Delivery Networks (CDN)
We use Hetzner for our website hosting. The service provider is the German company Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. More information about data processed through the use of Hetzner can be found in their privacy policy at https://www.hetzner.com/de/legal/privacy-policy.
