WhalesEdge

PRIVACY POLICY

Your Privacy at WhalesEdge

How we handle your data — in plain language.

Last updated: May 10, 2026

TL;DR

WhalesEdge is a social casino + content hub. We don't accept real money, don't process gambling deposits, and don't sell your data. We collect account info to run the site, optional analytics to improve it, and that's it. You can request deletion of your account and data at any time by emailing us.

Who we are (data controller)

WhalesEdge ("we", "our", "us") is operated as WhalesEdge Consulting — an information service publishing online-casino research and a social-casino product.

For compliance, GDPR, or other data-protection inquiries, please contact us via the email below — we read every message and respond within 30 days.

admin@whalesedge.com

What we collect

Account data

  • Email address (for sign-up and account recovery)
  • Username or display name (optional, you choose)
  • Password hash (bcrypt via Supabase Auth — we never see your raw password)
  • Locale preference (which language you use)

XP gameplay data

  • XP balance and total wagered
  • Game session history (game type, bet amount, outcome, timestamp)
  • Quiz completion and earned XP
  • Article reading metrics (which articles you opened, how far you scrolled)

Technical data

  • IP address (security log, retained 30 days then discarded)
  • Browser user-agent string
  • Cookies (see Cookies section below)
  • Device type (mobile / desktop / tablet)

Communication data

  • Support emails when you contact us
  • Newsletter opt-in status (only if you subscribe — we don't run a newsletter today)

Why we collect it (legal basis)

Under GDPR Article 6, every category of processing must rest on a legal basis. Here's ours, mapped to the data above:

  • Account creation and maintenance — contractual necessity (GDPR Art. 6(1)(b))
  • XP gameplay — contractual performance and our legitimate interest in providing the service
  • Analytics (Google Analytics, PostHog if enabled) — your consent (GDPR Art. 6(1)(a)). Opt-in only via the cookie banner.
  • Security logging — legitimate interest (GDPR Art. 6(1)(f)) in preventing fraud and abuse
  • Affiliate referrals — your consent and our legitimate interest. We disclose this clearly in our affiliate disclosure.

Cookies and tracking

We organize cookies into four categories. You control what runs on your device via the cookie banner — visible on first visit and re-accessible from the footer at any time.

Necessary

Session, security, language preference, and your consent record. These cannot be disabled — the site stops working without them.

Functional

Remembers your preferences (e.g. dismissed banners, theme) for a smoother experience on return visits. Default off.

Analytics

Anonymous, aggregated stats via Google Analytics 4 and PostHog. Helps us understand which articles are useful. Default off — opt-in only.

Marketing

Currently unused — we do not run paid advertising. We will re-prompt you for explicit consent when this changes. Default off.

Manage your cookie preferences via the "Cookie settings" link in the footer at any time.

Third-party processors

We share necessary data with these processors to operate the site. Each is a separate company with its own privacy policy:

  • Supabase — auth and database (EU region, Frankfurt). Stores your account, gameplay history, and password hash.
  • Cloudflare — CDN, DDoS protection, and Workers runtime (global edge). Sees IP and request metadata.
  • Google Analytics 4 — anonymized analytics (US). Loads only with your analytics consent.
  • PostHog — product analytics (US/EU). Loads only with your analytics consent. Currently optional.

We do not sell your personal data. Affiliate referrals route via a tracking subdomain — the partner casino receives a sub-ID, not your personal information.

Your rights (GDPR Art. 15-22)

If we hold your data, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — the "right to be forgotten"
  • Restriction — limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Objection — opt out of processing based on legitimate interest
  • Not be subject to decisions based solely on automated processing
  • Withdraw consent at any time (e.g. via the cookie settings link in our footer)

To exercise any of these rights, email admin@whalesedge.com. We respond within 30 days, free of charge.

Account deletion

Until our self-service deletion UI is live (planned for Q3 2026), please email us with the subject "Delete my account" from the email address registered to your account. We'll handle the rest:

  • Email admin@whalesedge.com with subject "Delete my account"
  • Send the message from the email address registered to your account (this is how we confirm identity)
  • We delete your account and associated personal data within 30 days
  • You receive a confirmation email when deletion is complete

Some records — anonymized security logs, an email hash to prevent rapid re-registration abuse — are retained per the retention schedule below. These contain no usable personal data.

Data retention

  • Active accounts: kept while the account exists, so we can show your XP balance and history
  • Deleted accounts: purged within 30 days of the deletion request
  • IP logs: 30 days, then automatically discarded (security purposes only)
  • Email hash for re-deletion cooldown: 7 days (anti-abuse, prevents instant re-registration)
  • Encrypted backups: deleted within 90 days
  • Support email correspondence: 2 years, then deleted

International transfers

Our infrastructure runs primarily in the EU (Supabase EU region) and on a global edge network (Cloudflare). Some data may be processed in the United States by Cloudflare and Google Analytics.

Where data leaves the European Economic Area, transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission. By using the service you acknowledge these cross-border transfers are necessary for delivery.

California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the rights described below in addition to those under GDPR. This section also serves as our "Notice at Collection" under Cal. Civ. Code § 1798.100(b).

Categories of personal information we collect

Under the CCPA taxonomy (Cal. Civ. Code § 1798.140(v)), we collect:

  • Identifiers (Cat. A) — email, account ID, IP address
  • Customer records (Cat. B) — username, password hash
  • Protected classifications (Cat. C) — age confirmation that you are 21+
  • Commercial information (Cat. D) — XP balance, gameplay history, content engagement
  • Internet or network activity (Cat. F) — pages visited, scroll depth, browser type, referrer
  • Geolocation data (Cat. G) — approximate only (city/country level from IP), never precise
  • Inferences (Cat. K) — derived preferences from gameplay and reading patterns

We do not collect biometric information (Cat. E), sensory data (Cat. H), professional information (Cat. I), education records (Cat. J), or precise geolocation.

Sensitive personal information

We do not collect or process sensitive personal information as defined by Cal. Civ. Code § 1798.140(ae) — no Social Security numbers, financial account numbers, precise geolocation, racial or religious data, health data, or sexual-orientation data. Because of this, the "Right to Limit Use of Sensitive PI" does not apply to us.

Sources of personal information

We collect personal information directly from you (when you sign up, sign in, or contact us); automatically through cookies and analytics scripts (only with your consent); and from our service processors Supabase and Cloudflare for site operation. We do not purchase data from data brokers.

Business and commercial purposes

We use personal information to operate the site and maintain accounts; for security, fraud prevention, and abuse mitigation; to improve content quality through aggregated analytics; and to comply with legal obligations.

Sale or sharing of personal information

We do not sell your personal information for monetary or other valuable consideration, and we do not share it for cross-context behavioral advertising — as those terms are defined under CCPA/CPRA. Affiliate referral links pass only an opaque sub-ID, not your personal information, to partner casinos. We honor the Global Privacy Control (GPC) browser signal as an automatic opt-out.

Your California rights

  • Right to Know — request the categories and specific pieces of personal information we hold about you, the sources, purposes, and recipients. Scope: the prior 12 months under CCPA, limited to data we still retain per the retention schedule above (for example, IP logs are kept only 30 days)
  • Right to Delete — request deletion of personal information we hold, subject to legally required exceptions
  • Right to Correct — request correction of inaccurate personal information we maintain
  • Right to Opt-Out of Sale or Sharing — not applicable because we do not sell or share personal information; we still honor the Global Privacy Control signal
  • Right to Limit Use of Sensitive PI — not applicable because we do not collect sensitive personal information
  • Right to Non-Discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercised any of these rights

How to exercise your California rights

Email admin@whalesedge.com with the subject "California Privacy Request" and specify which right you are exercising. We respond within 45 days, extendable once by an additional 45 days with notice. To verify identity we will only ask you to send the request from the email address registered to your account — we will not request additional sensitive information.

Authorized agent

You may designate an authorized agent to make a request on your behalf. The agent must provide written permission signed by you, and we may still verify the request directly with you to prevent fraud.

Minors

Our service is restricted to users 21 years of age or older. We do not knowingly collect personal information from anyone under 16, and we do not sell or share such information.

Annual disclosure metrics

Because we do not sell or share personal information, the metrics required under Cal. Civ. Code § 1798.130(a)(5)(B) for the past calendar year are reported as zero across all categories of consumer requests.

Children

WhalesEdge is for users 21 years of age or older. We do not knowingly collect data from anyone below this age.

If we believe a user is under-age, we will:

  • Lock the account immediately
  • Delete associated personal data within 30 days
  • Refuse re-registration with the same email address

Parents or guardians who believe a minor has accessed our site may email admin@whalesedge.com — we will assist with any data removal request, no questions asked.

Changes to this policy

We notify users of material changes via email (if we have your address) and a banner on the site for at least 14 days.

The "Last updated" date at the top of this page reflects the most recent material change. Older versions are available on request.

Contact

Privacy questions, data subject requests, or compliance concerns — write to us:

admin@whalesedge.com

GDPR complaints

If we haven't resolved your concern, you have the right to lodge a complaint with your local Data Protection Authority.

See also: Terms of Service →

Privacy Policy — WhalesEdge