Privacy Policy
Last updated: February 2026
1. Introduction
LottoLab ("we", "us", or "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By creating an account or using our service, you acknowledge that you have read and understood this policy. If you do not agree with our practices, please do not use LottoLab.
Data Controller: LottoLab
Contact: support@lottolab.ai
2. Information We Collect
We collect only the information necessary to provide and improve our service. The categories of data we collect are outlined below.
2.1 Account Data
When you create an account, we collect your email address and a password. Your password is hashed using the Argon2 algorithm before storage and cannot be read by us or anyone else. We also store your subscription status (free or Pro) to manage access to features.
2.2 Ticket Data
When you log lottery tickets, we collect the lottery numbers you played, the game type (e.g. Lotto, EuroMillions), the ticket cost, draw dates, and match results. This data is used to provide your personal analytics, spending-versus-winnings tracking, and historical performance insights.
2.3 Syndicate Data
If you create or manage a syndicate, we store the member names you provide. You may optionally add email addresses or phone numbers for syndicate members. This information is provided by you, the syndicate creator, and is used solely for syndicate management purposes within your account.
2.4 Payment Data
Payments are processed entirely by Stripe. We never receive, store, or have access to your full card number, CVV, or billing address. We store only your Stripe customer ID and subscription status so we can manage your account tier and entitlements.
2.5 Analytics Data
We use PostHog for product analytics. All usage events are anonymised and contain no personally identifiable information (PII). Autocapture is disabled; we only track specific, intentional events such as page views and feature usage. This data helps us understand how the service is used so we can improve it.
2.6 Technical Data
Our servers automatically log your IP address for security and abuse-prevention purposes. Our analytics service may record your device type and browser information in an anonymised form. We do not use this data to identify individual users.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service provision: To create and manage your account, authenticate your sessions, and deliver the features you use, including ticket tracking, analytics dashboards, and syndicate management.
- Subscription management: To process your subscription via Stripe, manage your access tier, and handle upgrades, downgrades, or cancellations.
- Transactional communications: To send you essential service emails such as password reset requests, subscription confirmations, and important account notifications.
- Product improvement: To analyse anonymised usage patterns so we can identify bugs, improve features, and make informed product decisions.
- Security and fraud prevention: To detect and prevent unauthorised access, abuse, or other harmful activity against our service and users.
We do not sell your personal data. We do not use your data for advertising. We do not profile you for marketing purposes.
4. Legal Basis for Processing
Under the UK GDPR, we rely on the following legal bases to process your personal data:
- Consent (Article 6(1)(a)): When you create an account you consent to the collection and processing of your email address and password for authentication purposes. You may withdraw consent at any time by deleting your account.
- Performance of a contract (Article 6(1)(b)): Processing your ticket data, syndicate data, and subscription information is necessary to provide you with the service you have signed up for.
- Legitimate interests (Article 6(1)(f)): We process anonymised analytics data and server logs for the legitimate interests of improving our service, maintaining security, and preventing fraud. These interests do not override your rights, as the data is either anonymised or minimally intrusive.
5. Data Sharing and Third Parties
We do not sell or rent your personal data to any third party. We share data only with the following trusted processors who act on our behalf and under our instructions:
- Stripe (payment processing) — Handles all payment transactions securely. See Stripe Privacy Policy.
- PostHog (product analytics) — Receives anonymised usage events with no PII. See PostHog Privacy Policy.
- Resend (transactional email) — Sends service emails on our behalf (e.g. password resets). See Resend Privacy Policy.
- Neon (database hosting) — Hosts our PostgreSQL database where your account and ticket data is stored. See Neon Privacy Policy.
- Vercel (web hosting) — Hosts our web application and handles incoming requests. See Vercel Privacy Policy.
- Railway (API hosting) — Hosts our backend API server and processes incoming API requests. See Railway Privacy Policy.
Each processor is contractually required to handle your data securely and only for the purposes we specify. We may also disclose data if required by law, regulation, or legal process.
6. Cookies and Tracking
We use a minimal number of cookies, all of which serve a functional purpose. We do not use advertising cookies or cross-site tracking.
6.1 Essential Cookies
These cookies are strictly necessary for the service to function and cannot be disabled.
- Authentication token — An httpOnly JWT cookie that keeps you signed in. It is not accessible to JavaScript and is sent only over secure connections.
- Refresh token — An httpOnly cookie used to renew your authentication session without requiring you to sign in again.
6.2 Analytics Cookies
If you consent to analytics, PostHog sets a session cookie (prefixed ph_*) to track anonymised usage within your browsing session. This cookie contains no personally identifiable information.
6.3 Consent Mechanism
Your cookie consent preference is stored as a flag in your browser's localStorage. This is not a cookie itself and is only used to remember whether you have accepted or declined optional analytics cookies.
7. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data. You can exercise any of these rights by contacting us at support@lottolab.ai.
- Right of access: You can request a copy of the personal data we hold about you. We will respond within one month.
- Right to rectification: You can ask us to correct any inaccurate or incomplete personal data.
- Right to erasure: You can request that we delete your personal data. You can also delete your account directly through the app, which will trigger the erasure process described in the Data Retention section.
- Right to restriction: You can ask us to temporarily restrict the processing of your data while we resolve a concern.
- Right to data portability: You can request your data in a structured, commonly used, machine-readable format (e.g. JSON or CSV).
- Right to object: You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds that override your rights.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Data Retention
We retain your data only for as long as necessary to provide our service and fulfil the purposes described in this policy.
- Account data: Retained while your account is active. After you delete your account, we retain your data for 30 days to allow for recovery in case of accidental deletion, after which it is permanently deleted.
- Ticket and syndicate data: Anonymised upon account deletion. Anonymised data cannot be linked back to you and may be retained indefinitely for aggregate statistical purposes.
- Server logs: Automatically deleted after 30 days.
- Stripe data: Managed by Stripe in accordance with their retention policies and applicable financial regulations.
9. Children's Privacy
LottoLab is not intended for anyone under the age of 18. Playing the National Lottery and EuroMillions in the United Kingdom requires you to be at least 18 years old. We do not knowingly collect personal data from children under 18.
If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly. If you believe a minor has provided us with personal data, please contact us at support@lottolab.ai.
10. International Transfers
Some of our third-party processors operate outside the United Kingdom. Where your data is transferred internationally, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements. These safeguards may include:
- Transfers to countries with an adequacy decision from the UK government.
- Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office.
- Binding corporate rules or other approved transfer mechanisms where applicable.
You can contact us to request more information about the specific safeguards applied to any international transfer of your data.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or through a prominent notice within the service before the changes take effect.
We encourage you to review this page periodically. The "Last updated" date at the top of this page indicates when this policy was most recently revised.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: support@lottolab.ai
- Data Controller: LottoLab
We aim to respond to all data protection enquiries within 30 days.