Find out about odds and rules at adm.gov.it. Responsible gaming. 18+. Gambling can cause pathological addiction.
Lottomatikai

Responsible gaming (ADM): Gambling is prohibited for minors under 18. Gambling can cause pathological addiction. The data and statistical analyses shown are for informational purposes only and do not constitute predictions, guarantees of winnings or solicitation to gamble. National Gambling Helpline (ISS) toll-free number: 800 558 822.

Privacy Policy (GDPR)

Notice drawn up pursuant to EU Regulation 2016/679 (GDPR) for the protection of personal data of Users interacting with the Lottomatikai platform.

Service Status

Lottomatikai is a project developed and operated by Logika.studio, currently in the early stages of service delivery. Data collected in this phase is processed exclusively for the purposes described in this notice, in compliance with the principles of data minimization and purpose limitation. This notice may be supplemented as the service evolves.

Data Controller

The Data Controller of personal data is Logika.studio, the entity under which the Lottomatikai project is developed, operated and owned. The Controller's full identifying information and contact details are being finalized and will be published in this section; in the meantime, the Controller can be contacted via the institutional website logikastudio.it.

Data Processors and Third-Party Providers

To deliver the service, the Controller relies on third-party providers that process data as data processors pursuant to Art. 28 GDPR — including the cloud infrastructure, authentication and database provider and the analytics tooling provider (Google Analytics 4, activated only with prior consent). Payments are handled by the external providers Ko-fi and PayPal, which process payment data under their respective privacy policies; Logika.studio does not store full payment-card details. These providers process data within the limits necessary for service delivery and transactions. An up-to-date list of processors is available upon request.

Categories of Data Processed

  • Registration data: email and password (bcrypt hash), optional name.
  • Usage data: game/wheel preferences, saved systems, generated predictions, viewed AI suggestions.
  • Technical data: IP address, browser, operating system, pages visited, timestamps (collected automatically in logs).
  • Analytics data (opt-in): interaction events collected via Google Analytics 4 only with explicit consent (Consent Mode v2).
  • Payment data: handled via the external providers Ko-fi and PayPal; we do not store full payment-card details (number, expiry, CVV).

Processing Purposes

  • Provision of statistical analysis and ML service.
  • User account management, preferences and system history.
  • Security, fraud prevention and technical debugging.
  • Product improvement (aggregated anonymous analytics).

Security and Retention

Data is protected with adequate technical and organizational measures: encryption in transit (HTTPS/TLS), bcrypt password hashing, database RLS, periodic encrypted backups. Retention follows minimization and purpose principles — specific details for each category of data will be supplemented as the service evolves.

Exercise of Data Subject Rights

The User has the right of access, rectification, portability, restriction and erasure of their data pursuant to Arts. 15-22 GDPR. Requests can be directed to the Controller (Logika.studio) via the institutional website logikastudio.it; a dedicated channel for exercising rights is being activated.

Account security and device fingerprinting

To protect your account from unauthorized access and ensure only one device is active at a time (per Terms of Service), we collect a unique browser identifier called visitorId. This identifier is a non-reversible hash generated from approximately 30 browser signals (canvas, audio, screen, timezone, hardware) via the open-source FingerprintJS v5 library (MIT license). Raw signals are NOT transmitted to our servers: only the final hash.

Additionally we store a hash of your IP subnet (/24 format) combined with a server-side salt: this allows us to detect access anomalies (e.g. access from many different networks in a few hours) without storing your exact IP.
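The subnet-hash check described above, sketched as an added example; this is not the platform's own code. The use of HMAC-SHA256 as the salted hash, the 6-hour window, the threshold of 4 networks, the salt value and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Assumptions (not stated in the notice): HMAC-SHA256 as the salted hash,
# a 6-hour window and a limit of 4 distinct networks per account.
SERVER_SALT = b"constructed-example-salt"  # placeholder; keep the real one in a secret store
WINDOW_SECONDS = 6 * 3600
MAX_DISTINCT_SUBNETS = 4

def subnet_token(ip: str, salt: bytes = SERVER_SALT) -> str:
    """Truncate an IPv4 address to its /24 network, then key-hash it."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only the /24 (IPv4) case is described in the notice")
    network = ipaddress.ip_network(f"{addr}/24", strict=False)
    # Only the network address is hashed, so the host octet never reaches storage.
    return hmac.new(salt, network.network_address.packed, hashlib.sha256).hexdigest()

def flag_anomalies(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_SUBNETS):
    """events: (account, unix_ts, token) tuples; returns accounts over `limit` in any window."""
    per_account = defaultdict(list)
    for account, ts, token in events:
        per_account[account].append((ts, token))
    flagged = set()
    for account, rows in per_account.items():
        rows.sort()
        start, counts = 0, defaultdict(int)
        for ts, token in rows:
            counts[token] += 1
            while ts - rows[start][0] > window:  # slide the window forward
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) > limit:
                flagged.add(account)
                break
    return flagged

def sample_events():
    """Constructed log: 'alice' stays on one /24, 'bob' appears from five in two hours."""
    alice = [("alice", 1000 + i * 600, subnet_token(f"10.0.1.{i + 5}")) for i in range(5)]
    bob = [("bob", 1000 + i * 1800, subnet_token(f"10.0.{i + 10}.7")) for i in range(5)]
    return alice + bob
```

There are only 2^24 possible IPv4 /24 networks, so an unkeyed or leaked-salt hash can be reversed by enumeration; the privacy property rests on the salt staying secret on the server.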

Legal basis: legitimate interest of the Controller pursuant to Art. 6(1)(f) GDPR — fraud prevention (account-sharing) and account information security. A Legitimate Interest Assessment (LIA) document is available upon request.

Your rights: you can see active sessions on your account at any time from the /account/security page. You can disconnect other devices with one click. Account deletion automatically removes all associated session records (CASCADE delete). Revoked session records are automatically deleted after 90 days.

This processing is based on legitimate interest and does not require separate explicit consent. However, you will receive an informational in-app notification on first access post-deployment, dismissable with one click.

In case of conflict between the Italian and English versions of this document, the Italian text shall prevail.
