Privacy Policy
Effective: 26 May 2026 · Version 5 · ABN: 51 388 454 681
Krok Odds ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our sports betting analytics platform, including our web dashboard, push channels (Telegram and Discord), API services, and editorial surfaces (blog, guides, glossary).
This policy complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme. By using Krok Odds, you consent to the collection and use of your information as described in this policy.
Our service is available at krokodds.com.au. For any privacy-related questions, contact us at contact@krokodds.com.au.
1. Information We Collect
We collect the following categories of personal information:
1.1 Account & Authentication Information
- Email address: Collected when you register for an account or start a free trial.
- Phone number: Collected if you sign in with a phone number or use SMS verification, and stored against your user profile so we can recognise you on subsequent sign-in.
- Google sign-in profile data: If you sign in with Google, we receive your Google account email, display name, and profile photo URL from Google.
- Optional profile fields: Full name and timezone where you have entered them in onboarding or settings.
- Authentication is provided by Firebase Authentication (Google LLC). Passwords are never visible to us — Firebase Authentication stores them in salted, hashed form managed by Google, and we have no ability to view or recover them.
1.2 Payment Information
- Billing details: Card type, last four digits, and billing postal code, processed and stored securely by Stripe, Inc.
- Credit card required for trial: To start your 7-day free trial (web dashboard), you must provide a valid credit card. This is processed by Stripe. You will not be charged until the trial period ends unless you cancel beforehand.
- API plan payments: API subscriptions (Hobby, Pro, Enterprise) are charged immediately upon plan selection via Stripe.
We do not store full card numbers or CVV codes on our systems at any point.
1.3 API Keys & Usage Data
- API keys: When you subscribe to an API plan, we generate a unique API key tied to your account. This key is stored securely in our database — see Section 6.4.
- API request logs: We log API requests (timestamp, endpoint, response status, request count) for rate limiting, billing verification, abuse detection, and service optimisation. These logs do not include the actual opportunity data returned, only metadata about the request.
- Rate limit tracking: We track your API request rate against a rolling per-minute window to enforce plan limits (60 req/min for Hobby, 300 req/min for Pro, 1,000 req/min for Enterprise). Current limits and the exact reset window are surfaced in the X-RateLimit-Remaining and X-RateLimit-Reset response headers.
1.4 Betting Activity Data (Optional)
Profit tracker data: Bets you log voluntarily in the Bet Tracker, including stake amounts, odds, outcomes, and sportsbook selections. We may enrich these records server-side with later odds movements to compute closing-line value (CLV) so you can see your edge over time. This data is private to your account and is not shared with bookmakers or with other users.
This data is optional. You are not required to use the Bet Tracker to access Krok Odds.
1.5 Account Health & Bookmaker Profile (Optional)
If you use Account Health, we store the bookmakers you have indicated you hold accounts with, the health and restriction scores you record over time, and any notes you enter. We use this only to display your dashboard and to drive personalised filtering and alerting; it is never shared with bookmakers.
1.6 Usage Analytics & Diagnostics
We use Google Analytics 4 and Firebase Analytics (Google LLC) to measure pages visited, features used, session duration, browser type, device type, and approximate geographic location (country/region level, derived from IP and then truncated by Google). These services set cookies on your browser including _ga, _ga_<measurement-id>, and _gcl_au.
You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on at tools.google.com/dlpage/gaoptout.
For abuse and fraud prevention we use Firebase App Check backed by Google reCAPTCHA Enterprise. reCAPTCHA collects hardware and software information about your device (such as user agent, IP address, screen and interaction signals) and sends it to Google for analysis under Google's Privacy Policy and Terms of Service.
We use Sentry (Functional Software, Inc.) for error and performance monitoring. When the application errors, Sentry receives your account UID, the URL you were on, browser/device metadata, and a stack trace. Sentry does not receive your password, full payment details, or the contents of bets you have logged.
IP addresses are logged by Firebase Authentication, Firebase App Hosting, Stripe (for fraud prevention), and our administrative audit log when an authorised administrator accesses your account. These records are retained for security and compliance purposes for up to 12 months.
1.7 Communications
- Support emails: The content of any support emails or messages you send us.
- Email one-time codes: Email-based sign-in codes are generated by us and delivered via Resend (see Section 3.2).
- Feedback: Any feedback you provide via surveys or direct communication.
We do not collect government identifiers, financial account credentials (beyond what Stripe processes), or sensitive information as defined under the Privacy Act.
1.8 Telegram & Discord Connection Data
If you connect your Telegram account, we store your Telegram chat ID, alert preferences (which alert types you have enabled), and pause/resume state, so we can deliver notifications and respond to slash commands. We do not access your Telegram messages, contacts, or groups.
If you connect your Discord account, we store your Discord user ID and (where you initiate setup) your Discord username, so we can open a direct-message channel to send alerts and respond to slash commands. We do not access your Discord messages, servers, or friends list.
Krok Odds Discord server (paid members subscription). If you join the Krok Odds Discord server, Discord makes your Discord username and user ID available to us as a server administrator. Your activity in the server (messages, reactions, voice-channel events) is logged by Discord and may be reviewed by moderators where necessary to enforce our Terms of Service and Community Rules. If you take out the paid Members Only subscription, your subscription is processed and your member role is automatically granted or revoked by Whop, Inc. (“Whop”), our third-party subscription and access-management provider; Whop shares your Discord identifier and subscription status with us so we can confirm entitlements, and Whop processes your billing details under its own privacy policy. Subscription terms, including the 3-day free trial and cancellation mechanics, are described in Section 14A of our Terms of Service.
You can disconnect the Discord push channel at any time through Settings, or by sending /disconnect to the bot. Disconnecting permanently removes the corresponding identifier from our active alert systems within 7 days. To end your Members Only subscription, cancel through your Whop dashboard; your Members Only role is revoked at the end of your paid period (or immediately on failed payment). Message metadata and server-activity logs retained by Discord on its own systems are governed by Discord's privacy policy.
1.9 Referral Data
If you join the referral program we generate a unique referral code, and we store the click counts, sign-ups, and payouts attributed to your code. If you arrive at Krok Odds via someone else's referral link, we may set a short-lived first-party cookie to attribute your sign-up and we record the referrer code on your account at registration.
1.10 AI Feature Inputs
Where you use the win-probability estimator or personalised betting recommendations, the inputs you submit (such as bookmaker odds, market type, sport, and any context you choose to add) are sent to Google LLC for processing using Google's Gemini generative AI models via Firebase Genkit. We do not knowingly send your name, contact details, or payment data to the AI service. AI outputs are estimates and must not be relied upon as advice — see our Terms of Service for the full disclaimer.
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Providing the Service
- Creating and managing your account, including phone and email verification
- Processing payments for web dashboard subscriptions and API plans
- Generating and managing API keys
- Delivering opportunity data via web dashboard and API, and alerts via Telegram and Discord
- Operating Account Health, Bet Tracker, Steam Moves, Player Props, Racing, and other dashboard features
- Enforcing API rate limits and monitoring usage
2.2 Optional Features
Storing and displaying the betting activity data you voluntarily enter so you can monitor your edge over time, and processing your inputs to AI features (Section 1.10) when you choose to use them.
2.3 Transactional Communications
- Sending receipts, subscription confirmations, payment failure notices, and service alerts
- Sending API usage notifications (e.g., "You've used 80% of your monthly requests")
- Notifying you when your API key is about to expire or your plan is up for renewal
- Sending one-time codes for email-based sign-in
2.4 Marketing & Service Announcements
- Email: We may send product updates, new feature announcements, and promotional offers by email. You can unsubscribe at any time via the link in any email or by emailing us.
- Telegram & Discord broadcasts: If you have opted into push alerts, we may occasionally send service announcements, new feature notices, or promotional messages through the same channel. You can disable promotional pushes specifically (while keeping opportunity alerts) in Settings, or disconnect entirely.
2.5 Platform Improvement & Security
- Analysing usage patterns to improve features, fix bugs, and optimise performance
- Monitoring API endpoint performance, error rates, and response times
- Identifying and addressing security threats, fraud, and abusive API usage
- Investigating support requests and reproducing reported bugs (which may include administrative impersonation — see Section 6.2)
2.6 Legal Compliance
- Meeting our obligations under Australian law, including tax and record-keeping requirements
- Responding to lawful requests from government authorities
- Investigating suspected breaches of our Terms of Service
3. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only with trusted third-party service providers necessary to operate the platform. The principal sub-processors and data recipients are:
3.1 Payment Processing — Stripe, Inc.
Stripe processes all credit-card payments for web dashboard subscriptions and API plans. Stripe is a separate data controller for the payment data it processes — see stripe.com/au/privacy. We do not have access to your full card number or CVV.
3.2 Email Delivery — Resend
Resend (Resend, Inc.) sends our transactional emails, marketing emails, and the one-time codes used for email-based sign-in. Resend receives the recipient address, subject, and message body for each email we send.
3.3 Analytics, App Check & Monitoring
- Google Analytics 4 / Firebase Analytics (Google LLC) — usage analytics and cookies as described in Section 1.6.
- Firebase App Check / reCAPTCHA Enterprise (Google LLC) — abuse and fraud prevention.
- Sentry (Functional Software, Inc.) — error and performance monitoring.
3.4 Hosting & Infrastructure — Google LLC
Krok Odds is hosted on Firebase App Hosting and Google Cloud Platform. The following Firebase / Google Cloud services process your data on our behalf as our sub-processor under the Firebase / Google Cloud Data Processing Addendum:
- Firebase Authentication — accounts and sign-in
- Cloud Firestore — user data, opportunities, alerts, audit log
- Firebase Realtime Database — presence and online status
- Cloud Functions for Firebase — alert dispatch, billing webhooks, opportunity processing, scheduled tasks
- Cloud Storage for Firebase — file storage
- Firebase App Hosting (Google Cloud Run) — web app hosting
- Google Cloud Logging — operational logs
3.5 Rate Limiting & Caching — Upstash, Inc.
We use Upstash Redis for API rate limiting, abuse protection, and short-lived caching. Upstash receives your account UID and request metadata (timestamp, endpoint, IP) but not bet contents or AI inputs.
3.6 Search Indexing — Algolia, Inc.
We use Algolia (Algolia, Inc.) to power the on-site search experience for teams, players, matchups, and runners in the Stats explorer. Algolia receives the search query strings you submit and standard request metadata (timestamp, IP, browser user-agent). Search queries are not linked to your account identifier when sent to Algolia. Algolia operates under its own privacy policy.
3.7 Push Channels — Telegram & Discord
If you have opted in, we send your alerts to Telegram (Telegram Messenger Inc.) and/or Discord (Discord, Inc.). Your chat or DM identifier is sent with each message. Telegram and Discord operate under their own privacy policies.
3.7a Discord Server Access & Subscription — Whop, Inc.
Where you take out the paid Krok Odds Discord Members Only subscription described in Section 14A of our Terms of Service, your billing and Discord access are managed by Whop, Inc. (“Whop”). Whop receives your payment details, your Discord identifier, and your subscription status, and assigns or revokes your Members Only role automatically on the Krok Odds server. We receive your Discord identifier and your current entitlement state from Whop so we can confirm your subscription. Whop operates as a separate data controller for the payment data it processes and as our sub-processor for entitlement state on the server; see whop.com/privacy.
3.8 AI Processing — Google LLC (Gemini via Firebase Genkit)
Inputs to AI features are processed by Google's Gemini API as our sub-processor (see Section 1.10). We operate under API tiers that prohibit using inputs to train Google's public models.
3.9 Sports Data Collection
We collect odds, results, player statistics, racing form, and fixture data primarily from two upstream providers — The Odds API (a service operated by Odds API, Inc.) and api-sports.io — alongside publicly available bookmaker information, exchange markets, and official sporting bodies. These providers act as our data sources, not as sub-processors of personal information: we send no personal data about you to them in the ordinary course of data collection. Their use of any traffic we generate is governed by their respective terms.
3.10 Legal Disclosures
We may disclose your information where required by law, court order, or to protect the rights, property, or safety of Krok Odds, our users, or others. Where we receive a binding access request from an Australian law-enforcement or regulatory authority, we will respond in accordance with our obligations under Australian law.
4. Data Retention
4.1 Web Dashboard Data
We retain your personal information for as long as your account is active or as needed to provide the service.
When you delete your account, we use the Firebase Delete User Data extension to remove your data from Firestore, Realtime Database, and Cloud Storage on deletion of your Firebase Authentication record. Manual support-driven deletions complete within 60 days. Stripe customer and invoice records, audit-log entries, and any data we are required by Australian law (including tax law) to retain are kept for the period required by law (typically up to 7 years) and then deleted or de-identified.
Betting activity data you have logged in the Bet Tracker, Account Health entries, and player-prop resolution history used for hit-rate statistics is retained for the lifetime of your account and deleted as part of the account closure process unless you export it beforehand. Aggregated, de-identified analytics may be retained indefinitely for platform metrics.
4.2 API Data Retention
- API keys: Stored until you revoke them or your API plan is cancelled. Revoked keys are immediately deactivated and purged from active systems within 30 days.
- API request logs: Stored for 90 days for billing verification and troubleshooting, then automatically deleted. Aggregated anonymised metrics may be retained indefinitely for platform analytics.
- Opportunity data returned via API: We do not store the specific opportunity data returned to you via API calls. Once delivered, it is your responsibility to manage that data according to our Terms of Service (Section 6.1 — no unauthorised redistribution).
4.3 Administrative & Security Logs
The administrative audit log (including impersonation events — see Section 6.2) and security/abuse logs are retained for 24 months for accountability and incident-response purposes.
5. Cookies & Tracking
We use cookies and similar technologies to keep you logged in, remember your preferences, prevent abuse, and collect usage analytics.
5.1 Essential Cookies
Required for the platform to function — including the Firebase Auth session cookie, Krok Odds session/CSRF cookies, and Stripe's fraud-detection cookie. Cannot be disabled without breaking core functionality.
5.2 Analytics Cookies
Set by Google Analytics 4 / Firebase Analytics — including _ga, _ga_<measurement-id>, and _gcl_au. You may opt out via your browser settings or the Google Analytics Opt-Out Browser Add-on.
5.3 App Check & reCAPTCHA
Cookies and signals set by Google's reCAPTCHA Enterprise for bot detection and abuse prevention. These are used for security purposes and cannot be disabled without preventing sign-in and core actions.
5.4 Referral Attribution
A short-lived first-party cookie may be set when you arrive via a referral link, so that the referring user can be credited if you sign up.
5.5 API Authentication
API keys are passed via HTTP headers (not cookies or query parameters). These are logged as described in Section 1.3.
5.6 Cookie Consent & Regional Choice
You can configure your browser to refuse or delete cookies, though some features of the platform may not function correctly as a result. Where you visit Krok Odds from outside Australia (in particular from the European Economic Area, the United Kingdom, or California) you may have additional rights to refuse non-essential cookies. Where law requires it, we will present a consent prompt before non-essential cookies are set.
6. Security
We take reasonable technical and organisational measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. These include:
- Encrypted data transmission (HTTPS) for all web traffic
- Secure cloud infrastructure (Firebase App Hosting on Google Cloud Platform), managed by Google, with access controls
- Firebase App Check with reCAPTCHA Enterprise to block automated abuse
- Server-side authorisation checks on every privileged endpoint
- Rate limiting and abuse detection via Upstash
- Regular review of our codebase, dependencies, and infrastructure
- Access controls limiting who can view personal data (only authorised personnel)
However, no method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you become aware of any security concern, please contact us immediately at contact@krokodds.com.au.
6.1 API Security
- Do not share your API key. Treat it like a password. Anyone with your key can make requests on your behalf.
- Regenerate keys if compromised. You can revoke and regenerate your API key at any time via your account dashboard.
- Monitor usage: Check your API usage dashboard regularly to detect unauthorised activity.
6.2 Administrative Access & Impersonation
For support, security investigations, fraud prevention, and bug reproduction, authorised Krok Odds personnel may sign in as you ("impersonation") via a server-issued custom token. Every impersonation is recorded in an internal audit log capturing the administrator, the affected account, the action taken, the timestamp, and the originating IP address. Impersonation does not expose your password and does not give administrators access to your stored payment details. Audit-log entries are retained for 24 months for accountability and security purposes. See also Section 15 of our Terms of Service.
6.3 Notifiable Data Breaches
We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). Where an eligible data breach occurs that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner as soon as practicable.
6.4 API Key Storage
API keys are issued from a cryptographically secure random source and stored in our database in encrypted form (industry-standard encryption, AES-256 or equivalent). If you lose an API key, regenerate it from the API dashboard.
7. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you
- Correct any inaccurate or outdated personal information
- Request deletion of your personal information, subject to our legal retention obligations
- Opt out of marketing emails at any time via the unsubscribe link in any email, or by contacting us directly
- Disable promotional pushes on Telegram and Discord while keeping opportunity alerts (in Settings)
- Disconnect your Telegram or Discord account at any time (in Settings, or via /disconnect)
- Request your API usage logs (within the 90-day retention window)
- Revoke your API key at any time via your account dashboard
- Request exclusion from administrative impersonation (see Section 6.2)
- Complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have mishandled your personal information
To exercise any of these rights, contact us at contact@krokodds.com.au. We will respond within 30 days.
7.1 Visitors From Outside Australia
If you access Krok Odds from the European Economic Area, the United Kingdom, or California, you may also have rights under the GDPR, the UK GDPR, or the CCPA / CPRA respectively. These include rights of access, rectification, erasure, restriction, objection, and portability, and the right to lodge a complaint with your local supervisory authority. To exercise these rights contact contact@krokodds.com.au.
For users in the EEA / UK, our lawful bases for processing are: contract performance (operating your account, billing, delivering alerts and API responses), legitimate interests (security, fraud prevention, product improvement, direct marketing of similar services), consent (non-essential cookies and analytics where required, and optional Telegram/Discord channels and AI features), and legal obligation (tax and accounting records). International transfers to the United States rely on Standard Contractual Clauses or equivalent mechanisms operated by our sub-processors.
8. Children
Krok Odds is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will promptly delete it and may terminate the associated account.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Effective" date and version at the top of this page
- Notify you by email where the changes are material
- Post the updated policy at krokodds.com.au/privacy
Your continued use of Krok Odds after any changes constitutes your acceptance of the revised policy.
10. International Data Transfers
Krok Odds is operated in Australia. If you access our service from outside Australia, your information may be transferred to, stored, and processed in Australia or other countries where our service providers operate (in particular Google data centres in the United States and other regions, and Stripe, Resend, Sentry, Upstash, Algolia, Telegram, Discord, and Whop infrastructure in their respective operating regions).
By using Krok Odds, you consent to such transfers. Our sub-processors implement Standard Contractual Clauses or equivalent transfer mechanisms where required by applicable data-protection law, and we ensure that international transfers comply with applicable law and that our service providers implement adequate safeguards.