Privacy is a design constraint, not a marketing line.

---

1. Who we are

ShieldBet is operated by ShieldBet Ltd, a UK company. For the purposes of UK GDPR, we are the data controller for the data described below. Contact: ryan@shieldbet.co.uk.

For most processing described in this policy, ShieldBet relies on one or more of the following lawful bases under UK GDPR: performance of a contract (providing the protection service), legitimate interests (service security, abuse prevention, accountability functionality, fraud prevention, service integrity, and operational monitoring), legal obligations, and consent where specifically requested.

Some ShieldBet data may reveal information about gambling behaviour, attempts to access gambling services, recovery support, or related wellbeing context. We treat this data as highly sensitive. Where required, ShieldBet relies on explicit consent for the processing and sharing of this accountability-related information with your accepted trusted partner.

2. What data we collect

2.1 Account data

• Your email address (used as your login)
• A first name (optional, for display)
• Your date of birth (used to confirm you're 18 or over)
• Your trusted partner's email address (used for the accountability flow)

When you provide a trusted partner's email address, you must confirm that you have that person's permission to provide their contact details to ShieldBet and to invite them into the accountability process. The partner relationship remains pending until that person accepts the invitation and agrees to act as your trusted partner.

A trusted partner is strongly recommended, but not mandatory. If you do not currently have a trusted partner, ShieldBet may be used in Solo Protection mode. Solo Protection does not use partner emails, partner dashboards, or partner notifications, but protection remains active and intentionally difficult to remove, disable, or bypass while you have an active trial or paid subscription.

2.2 Partner account data

• Your partner's email address
• Your partner's acceptance status, acceptance timestamp, and consent record
• Your partner's chosen username and password (password is stored as a bcrypt hash, never in plain text)
• Three security questions and answers (answers stored as hashes, never in plain text)
• Partner dashboard session and security records needed to protect the account

Partners may decline the invitation or withdraw from the role. If a partner does not accept, ShieldBet will not send them behavioural accountability notifications.

2.3 Protection-state data

• Whether protection is currently locked or temporarily unlocked, and when the unlock window expires
• Recent block-attempt counts within rolling 60-minute windows (used to drive the intervention threshold)
• Logs of blocked-site attempts: domain, timestamp, classification reason, and related accountability status
• Consent records, terms acceptance records, privacy-policy acceptance records, timestamps, and policy version numbers

2.4 Companion app and extension presence

The ShieldBet companion app has one job. It checks whether the main ShieldBet extension is still installed and active. It does not read your browsing history, analyse pages, collect page content, inspect what you type, or make blocking decisions.

The companion app uses a secure companion token created during setup so it can talk to ShieldBet. The token is used to confirm the companion is genuine and linked to the correct account. The companion app only sends limited protection status information, such as whether the main extension appears to be installed, active, removed, or disabled.

If the main extension or companion app is removed or disabled while protection is active, your accepted trusted partner may be notified. Removal alerts are not sent where there is no active trial or paid subscription.

2.5 Browser page-level data during analysis

The Chrome extension may access the URL, hostname, page title, and visible page text of pages you visit only to decide whether gambling protection should apply. This check happens on your own device, inside your browser. ShieldBet uses a hard blocklist, a hard safe list, path-aware checks, page evidence, and a policy decision engine to decide whether to block or allow. Page content used for classification is processed locally and is not sent to ShieldBet servers during normal use. The only data that normally leaves your browser is limited protection data, such as block events, attempt counts, account state, false-positive reports you choose to send, and partner-accountability events.

ShieldBet does not use webpage content for advertising, behavioural profiling, data brokerage, credit scoring, or unrelated analytics. Access to webpage content is limited solely to the functionality required to evaluate whether gambling protection should apply.

ShieldBet does not store a full browsing history. We do not keep a record of every website you visit. If a page is allowed, normal page content is not sent to ShieldBet servers as part of the protection decision. If a page is blocked or you choose to report it, limited details may be stored so we can provide accountability, support, audit checks, and improve the blocker.

2.6 Developer feedback (optional, beta only)

During the closed beta and early public releases, developer-only feedback controls may be used by ShieldBet staff to label pages for future model review. These labels are stored for manual review and later training work only. They do not change live blocking decisions and are not used as an automatic allowlist or blocklist.

2.7 Mobile and Android protection data

Where ShieldBet is used on Android or other mobile platforms, the app may use local device permissions such as VPN, accessibility services, foreground-app monitoring, usage statistics access, notifications, device-admin controls, uninstall-friction mechanisms, and related protection features. These permissions are used solely to provide gambling protection, detect attempted bypass or removal, monitor risky app activity, maintain accountability protections, keep protection active, and support the safeguarding architecture. They are not used for unrelated advertising, profiling, or behavioural surveillance.

The local VPN is designed to work on your device. It is not intended to route all browsing through ShieldBet servers. Mobile protection data sent to ShieldBet is limited to account state, protection status, blocked or risky attempt events, removal or tamper events, support requests, and partner-accountability events.

3. How we use this data

• To operate the protection service (block decisions, allow decisions, intervention flow)
• To support Solo Protection mode and Partner Accountability mode
• To invite and verify trusted partners before accountability notifications are enabled, where Partner Accountability is selected
• To deliver partner notifications where Partner Accountability is active
• To deliver user check-in emails where Solo Protection is active and repeated blocked attempts occur
• To enforce protection-first safeguards, including restricted removal, anti-bypass controls, recovery checks, and accountability safeguards
• To maintain service performance, security, abuse prevention, and operational integrity
• To detect protection tampering, companion-extension removal, mobile-app removal, or attempted bypass
• To improve classification accuracy through reviewer-labelled training data
• To keep records showing when users and partners accepted the applicable terms, privacy policy, and consent wording

We do not use your data for advertising, profiling, or any commercial purpose unrelated to running ShieldBet.

4. Email notifications

ShieldBet uses email notifications differently depending on your protection mode. In Solo Protection mode, check-in emails may be sent to you after repeated blocked attempts. In Partner Accountability mode, accountability emails may be sent to your trusted partner only after they have accepted the trusted-partner role.

• You have made multiple blocked-site attempts within a short window (calibrated thresholds; not every attempt)
• Protection removal, recovery, or sensitive account-change activity requires verification or accountability safeguards
• The main ShieldBet extension or the companion extension has been removed or disabled while protection is active
• You cancel your ShieldBet subscription while protection is active
• Security-relevant partner account activity, where this is needed to protect the account or accountability relationship

These notifications are a core part of the protection model. Removal and cancellation alerts are only sent where the user has an active trial or paid subscription. Notification settings cannot be used as a simple bypass route because that would weaken the protection. In Partner Accountability mode, some sensitive changes may require partner involvement. In Solo Protection mode, safeguarding and recovery controls still apply.

Partner notifications may reveal sensitive information about gambling-related attempts, protection status, removal attempts, account recovery, or attempts to change ShieldBet protection. Users and partners are told this before the accountability relationship becomes active. Solo users do not have partner notifications, but may receive their own check-in emails after repeated blocked attempts.

5. Where data is stored

ShieldBet uses Supabase (a managed Postgres provider) for account, protection-state, and block-log storage. Where supported by our providers, data is held in UK/EU regions. Edge Functions run in secure server environments and validate every privileged request against three authentication contexts (user JWT, partner session token, companion token) before performing any action.

Security and recovery codes used for partner login, account recovery, or sensitive account changes are generated securely on our servers. Only a hash of each code is stored. The actual code is sent directly to the relevant email address and is not saved in plain text.

6. Data sharing

We do not sell, rent, or share personal data with third parties for advertising or marketing purposes. The only third parties we share data with are operational service providers:

• Supabase (database, authentication infrastructure, and Edge Functions)
• Stripe (payment processing, subscription management, invoices, and customer portal)
• Our transactional email provider (for account emails, partner invitations, approval codes, and accountability notifications)
• Chrome Web Store / equivalent app stores (for distribution; standard install metadata only)
• Professional advisers, regulators, courts, law-enforcement bodies, or insurers where legally required or necessary to protect ShieldBet, users, partners, or the public

Each is bound by contractual data-processing terms and processes data only as needed to deliver their service.

ShieldBet does not permit service providers to use ShieldBet behavioural data, accountability data, gambling-related data, or protection-state data for their own advertising, profiling, analytics, marketing, or commercial purposes. Service providers process data only on ShieldBet's instructions and only where necessary to operate the service.

ShieldBet does not permit third parties to use personal data collected through the extension for their own advertising, profiling, or marketing purposes. Service providers process data only on ShieldBet's instructions and only to the extent necessary to provide their contracted service.

ShieldBet does not store full card details. Payments, card details, invoices, and subscription billing are handled by Stripe.

We may transfer or disclose limited data as part of a business reorganisation, merger, acquisition, funding process, or sale of assets, but only where appropriate confidentiality, security, and data protection safeguards are in place.

7. Data retention

Account data is generally retained while your ShieldBet account, trial, subscription, or active protection period remains in place. Certain protection, accountability, operational, fraud-prevention, billing, support, dispute-resolution, safeguarding, and security records may continue to be retained for a reasonable period after subscription expiry or account closure where necessary to operate the service safely, comply with legal obligations, protect users and partners, investigate abuse, or maintain service integrity.

Where practical, block-attempt logs and accountability events are minimised over time. Security, consent, billing, fraud-prevention, and audit records may be kept for longer where needed to comply with legal obligations, resolve disputes, protect accounts, or evidence consent and service operation.

ShieldBet is designed as a safeguarding and anti-relapse product. Because impulsive attempts to remove protection may occur during periods of vulnerability, ShieldBet may refuse, delay, limit, or place safeguards around certain deletion, unlinking, recovery, unlock, logout, or protection-removal requests where reasonably necessary to preserve active protection, maintain accountability safeguards, prevent abuse, investigate fraud, comply with legal obligations, resolve disputes, or protect service integrity. Where deletion is approved, linked records are removed together where legally and technically possible.

8. Your rights under UK GDPR

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Request deletion, restriction, or erasure of personal data, subject to safeguarding, legal, billing, fraud-prevention, security, accountability, operational-integrity, and dispute-retention requirements
• Export a copy of your data in a machine-readable format
• Object to or restrict certain processing
• Withdraw consent where we rely on consent, although this may mean ShieldBet can no longer provide some protection or accountability features
• Complain to the Information Commissioner's Office (ICO)

To request access, correction, restriction, export, or deletion of your personal data, email ryan@shieldbet.co.uk with the subject line “Privacy request”.

We may ask you to confirm your identity before processing the request. Contact ryan@shieldbet.co.uk.

We may need to verify your identity before acting on a privacy request. Because ShieldBet is designed to prevent impulsive removal and account tampering, some account or partner-change requests may also require the appropriate recovery or partner-verification process before they can be completed.

9. Cookies and tracking

This website uses no third-party tracking. We do not load Google Analytics, Facebook Pixel, or equivalent products. The only cookies set are first-party functional cookies needed for login sessions on the user and partner dashboards.

ShieldBet does not use hidden tracking technologies, cross-site tracking, third-party analytics, advertising identifiers, browser fingerprinting, or data-sharing SDKs.

ShieldBet does not operate advertising networks, behavioural advertising systems, third-party ad exchanges, or data-brokerage operations. ShieldBet is a subscription-based safeguarding product and does not monetise user behavioural data.

10. Security

Account passwords are stored using bcrypt hashing. Session tokens and security-question answers are stored only as hashes. Security-relevant account actions may be logged with IP address and user-agent for audit and abuse-prevention purposes. Rate limiting is applied to authentication endpoints to help protect accounts from repeated unauthorised access attempts.

Access to production systems is restricted and authenticated. Sensitive operations affecting account state, partner approval, subscription access, or protection controls are validated server-side before execution. Where appropriate, audit records may be retained for security, fraud prevention, operational integrity, and dispute resolution.

No online service can guarantee absolute security. If we become aware of a personal-data breach that creates a risk to users or partners, we will investigate, take appropriate containment steps, and notify affected individuals or regulators where required by law.

10.1 Safeguarding and restriction philosophy

ShieldBet is designed to support individuals vulnerable to gambling-related harm. A core part of the service is introducing meaningful friction between the user and gambling access. Because users experiencing relapse or impulsive behaviour may attempt to disable or remove protections during periods of vulnerability, some ShieldBet protections intentionally include delay, partner involvement, recovery verification, uninstall friction, or additional approval steps.

ShieldBet has two protection modes. Solo Protection is for users who do not currently have a trusted partner. Partner Accountability is for users who add an accepted trusted partner. A trusted partner is strongly recommended because accountability can strengthen recovery, but ShieldBet protection does not depend on a partner existing.

ShieldBet may use accountability controls, partner approval architecture, uninstall friction, session verification, companion monitoring, device-admin controls, VPN protections, or related safeguarding mechanisms to help reduce impulsive removal or bypass attempts. These measures are considered core parts of the service design.

ShieldBet cannot guarantee the prevention of gambling access, relapse, financial harm, emotional distress, or circumvention attempts. The service is intended to reduce access and increase accountability, not to act as a guaranteed prevention system.

11. Age requirement

ShieldBet is intended for adults aged 18 and over. We do not knowingly collect personal data from children. The registration flow requires a date of birth and rejects accounts that do not meet the minimum age requirement. If we become aware that personal data has been provided by a child in breach of this policy, we will take reasonable steps to remove that data.

12. Changes to this policy

If we make material changes to this policy, we will notify you by email at the address linked to your account, and the change will be reflected in the "Last updated" line at the top of this page.

13. Chrome extension permissions and limited use

ShieldBet requests browser permissions only where necessary to provide the protection service. Browser permissions are used exclusively for gambling-protection functionality, account security, accountability features, and related operational requirements.

ShieldBet complies with the Chrome Web Store User Data Policy and Limited Use requirements. Data accessed through Chrome extension permissions is not sold or used for advertising, creditworthiness decisions, or unrelated commercial profiling. It is only shared where needed to provide ShieldBet, such as with our database, email, payment, security, or app-store providers.

14. Partner consent and accountability safeguards

Adding a trusted partner is strongly recommended, but it is not mandatory. Users who do not add a trusted partner use Solo Protection instead. Solo Protection does not send accountability notifications to a third party, but the core protection and anti-bypass safeguards still apply.

ShieldBet does not treat the entry of a partner email address as proof that the partner has agreed to receive accountability information. The user must confirm they have permission to provide the partner's email address, and the partner must separately accept the trusted-partner role before behavioural accountability notifications are enabled.

The trusted partner is not a clinician, counsellor, emergency contact, or guarantor. ShieldBet does not require the partner to monitor the user all the time or take any specific action. The partner role is there to provide accountability, visibility, and friction. It is not professional treatment or crisis support.

15. Automated and assisted decision-making

ShieldBet uses local rules, classification logic, and supporting models to decide whether gambling protection should apply to a website, app, route, or activity. These systems are used to deliver the protection service requested by the user. They are not used for credit decisions, employment decisions, insurance decisions, advertising, or unrelated profiling.

Users can report false positives or missed gambling content through ShieldBet support or the in-product reporting flow where available. Reports may be reviewed manually to improve the service.

16. Not medical treatment or emergency support

ShieldBet is a behavioural support and accountability tool. It is not a medical device, clinical service, therapy service, counselling service, emergency service, or replacement for professional support. ShieldBet is designed to reduce access, add friction, and support accountability. It cannot guarantee that gambling access, gambling behaviour, relapse, financial harm, or emotional distress will be prevented.

---

Questions, corrections, privacy requests, or account-related help: ryan@shieldbet.co.uk.