1. Introduction
SharpShield is committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and protecting the rights of data subjects. This policy outlines our approach to GDPR compliance and the measures we implement to protect personal data.
2. Scope
This policy applies to:
- All personal data processed by SharpShield
- All SharpShield employees, contractors, and service providers
- All data processing activities within the European Economic Area (EEA)
- All data transfers outside the EEA
3. Data Protection Principles
SharpShield adheres to the core GDPR principles:
3.1 Lawfulness, Fairness, and Transparency
We process personal data lawfully and transparently. Data subjects are informed about how their data is used through our Privacy Policy and direct communications.
3.2 Purpose Limitation
Personal data is collected for specified, explicit, and legitimate purposes. We do not process data in ways incompatible with these purposes.
3.3 Data Minimization
We collect only the personal data necessary for our stated purposes. We regularly review data collection practices to ensure minimization.
3.4 Accuracy
We take reasonable steps to ensure personal data is accurate and up to date. Data subjects can request corrections at any time.
3.5 Storage Limitation
Personal data is retained only as long as necessary for the purposes for which it was collected. See Section 7 for retention periods.
3.6 Integrity and Confidentiality
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction.
3.7 Accountability
We maintain documentation that demonstrates compliance and can evidence our accountability to supervisory authorities upon request.
4. Legal Bases for Processing
4.1 Customer Data
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b)) |
| Service delivery | Contract performance (Art. 6(1)(b)) |
| Billing and invoicing | Contract performance (Art. 6(1)(b)) |
| Customer support | Legitimate interest (Art. 6(1)(f)) |
| Service improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4.2 End User Data (Processed on Behalf of Customers)
When processing End User data, SharpShield acts as a Data Processor. Our Customers (Data Controllers) are responsible for establishing a valid legal basis. Common bases include:
- Legitimate interest in fraud prevention and risk management
- Legal obligations related to gambling regulation
- Contract performance with End Users
4.3 Website Visitors
| Processing Activity | Legal Basis |
|---|---|
| Essential cookies | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies | Consent (Art. 6(1)(a)) |
| Marketing cookies | Consent (Art. 6(1)(a)) |
5. Data Subject Rights
SharpShield enables data subjects to exercise their rights under GDPR:
5.1 Right of Access (Art. 15)
Data subjects may request confirmation of whether their personal data is processed and obtain a copy of that data. We respond within 30 days.
How to exercise: Email privacy@sharpshield.io with "Data Access Request" in the subject line.
5.2 Right to Rectification (Art. 16)
Data subjects may request correction of inaccurate personal data or completion of incomplete data.
How to exercise: Email privacy@sharpshield.io or update directly in account settings.
5.3 Right to Erasure (Art. 17)
Data subjects may request deletion of personal data when:
- Data is no longer necessary for the original purpose
- Consent is withdrawn (where consent was the legal basis)
- Data subject objects and no overriding legitimate grounds exist
- Data was unlawfully processed
5.4 Right to Restriction (Art. 18)
Data subjects may request restricted processing when:
- Accuracy is contested (during verification)
- Processing is unlawful but erasure is not requested
- Data is needed for legal claims
- Objection is pending verification
5.5 Right to Data Portability (Art. 20)
Data subjects may receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Format: JSON or CSV
How to exercise: Email privacy@sharpshield.io with "Portability Request" in the subject line.
5.6 Right to Object (Art. 21)
Data subjects may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
How to exercise: Email privacy@sharpshield.io with "Objection" in the subject line.
5.7 Rights Related to Automated Decision-Making (Art. 22)
Our risk scoring involves automated processing. Data subjects have the right to:
- Not be subject to solely automated decisions with legal effects
- Obtain human intervention
- Express their point of view
- Contest the decision
5.8 Right to Withdraw Consent (Art. 7)
Where processing is based on consent, data subjects may withdraw consent at any time without affecting the lawfulness of prior processing.
5.9 Response Timeline
| Request Type | Response Time |
|---|---|
| Standard requests | 30 days |
| Complex requests | Up to 60 days (with notification) |
| Manifestly unfounded or excessive requests | May be refused or subject to a reasonable fee |
6. Controller and Processor Responsibilities
6.1 When SharpShield is Controller
For Customer account data, we:
- Determine purposes and means of processing
- Respond directly to data subject requests
- Conduct Data Protection Impact Assessments when required
- Report breaches to supervisory authorities
- Maintain Records of Processing Activities
6.2 When SharpShield is Processor
For End User data, we:
- Process data only on Customer instructions
- Assist Customers with data subject requests
- Implement appropriate security measures
- Notify Customers of any data breaches
- Delete or return data upon contract termination
- Submit to audits as required
6.3 Data Processing Agreement
All Customers processing personal data through SharpShield must enter into our Data Processing Agreement (DPA), which includes:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Customer obligations
- Sub-processor terms
- International transfer mechanisms
- Security requirements
- Audit rights
7. Data Retention
7.1 Retention Periods
| Data Category | Retention Period | Justification |
|---|---|---|
| Customer account data | Duration + 7 years | Legal/tax requirements |
| Customer user credentials | Until account deletion | Service delivery |
| End User betting data | Per Customer agreement (default 3 years) | Customer instruction |
| Risk assessments | Per Customer agreement (default 3 years) | Customer instruction |
| Platform audit logs | 7 years | Security and compliance |
| Marketing preferences | Until consent withdrawn | Consent-based |
| Website analytics | 2 years | Legitimate interest |
7.2 Deletion Procedures
- Automated deletion jobs run daily for expired data
- Manual deletion requests processed within 30 days
- Secure deletion methods ensure data is unrecoverable
- Confirmation provided upon completion
8. International Data Transfers
8.1 Primary Processing Location
All personal data is primarily processed within the European Union:
- Primary: Frankfurt, Germany (AWS eu-central-1)
- Backup: Amsterdam, Netherlands (AWS eu-west-1)
8.2 Transfers Outside EEA
Where data transfers outside the EEA are necessary, we implement:
Standard Contractual Clauses (SCCs)
- We use EU Commission-approved SCCs
- SCCs are incorporated into all relevant contracts
- We conduct Transfer Impact Assessments
- Encryption of data in transit and at rest
- Pseudonymization where possible
- Access controls limiting data exposure
- Contractual commitments from recipients
8.3 Sub-Processors
Current sub-processors and their locations:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting | EU (Frankfurt, Amsterdam) |
| Stripe | Payment processing | EU + US (SCCs) |
| SendGrid | Email delivery | US (SCCs) |
| Datadog | Monitoring | US (SCCs) |
Customers are notified of sub-processor changes 30 days in advance.
9. Data Protection Impact Assessments
9.1 When Required
We conduct DPIAs for processing that is likely to result in high risk, including:
- Large-scale processing of behavioral data
- Automated decision-making with significant effects
- New technologies or processing methods
9.2 DPIA Process
- Describe processing: Document data flows and purposes
- Assess necessity: Evaluate proportionality
- Identify risks: Analyze risks to data subjects
- Mitigate risks: Implement safeguards
- Document and review: Maintain records, periodic review
9.3 Current DPIAs
We maintain DPIAs for:
- Risk scoring and classification system
- Sharp bettor detection algorithms
- Syndicate detection processing
10. Data Breach Management
10.1 Breach Detection
We implement technical and organizational measures to detect breaches:
- Security monitoring and alerting
- Access logging and analysis
- Regular vulnerability assessments
- Employee training on breach recognition
10.2 Breach Response
Upon detecting a potential breach:
Within 1 hour:
- Incident response team activated
- Initial assessment conducted
- Containment measures implemented
- Full scope assessment
- Root cause analysis initiated
- Customer notification (if Processor)
- Supervisory authority notification (if required)
- Data subject notification (if high risk)
- Documentation completed
10.3 Notification Content
Breach notifications include:
- Nature of the breach
- Categories and approximate number of data subjects
- Categories and approximate number of records
- Contact details for further information
- Likely consequences
- Measures taken to mitigate
10.4 Documentation
All breaches are documented, including:
- Facts surrounding the breach
- Effects of the breach
- Remedial actions taken
- Lessons learned
11. Privacy by Design and Default
11.1 Privacy by Design
We integrate data protection into:
- System architecture decisions
- Product development processes
- Vendor selection criteria
- Security implementations
11.2 Privacy by Default
Default settings minimize data collection:
- Only necessary data fields are required
- Data retention defaults to minimum periods
- Sharing is opt-in, not opt-out
- Access is restricted by default
12. Training and Awareness
12.1 Employee Training
All employees receive:
- GDPR fundamentals training upon hiring
- Annual refresher training
- Role-specific data protection training
- Incident response training
12.2 Awareness Program
Ongoing awareness includes:
- Monthly security and privacy tips
- Updates on regulatory changes
- Lessons learned from incidents
- Best practice sharing
13. Records of Processing Activities
13.1 Controller Records (Art. 30(1))
We maintain records including:
- Name and contact details of controller
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers and safeguards
- Retention periods
- Security measures description
13.2 Processor Records (Art. 30(2))
For processing on behalf of Customers:
- Name and contact details of processor and controller
- Categories of processing
- International transfers and safeguards
- Security measures description
14. Supervisory Authority
14.1 Lead Supervisory Authority
As an Estonia-based company, our lead supervisory authority is:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
Email: info@aki.ee
14.2 Cooperation
We cooperate with supervisory authorities and respond promptly to inquiries.
15. Data Protection Officer
15.1 Contact
Data Protection Officer, SharpShield
Email: dpo@sharpshield.io
15.2 Responsibilities
The DPO:
- Advises on GDPR compliance
- Monitors compliance activities
- Serves as contact for supervisory authorities
- Handles data subject requests
- Conducts training and audits
16. Updates to This Policy
This policy is reviewed annually and updated as necessary. Material changes are communicated to relevant stakeholders.
17. Contact Us
For GDPR-related inquiries:
- Privacy: privacy@sharpshield.io
- Data Protection Officer: dpo@sharpshield.io
© 2025 SharpShield. All rights reserved.