Privacy Policy

Last updated: 16 May 2026 · Applies to all use of PuntGenius.

Snapshot. PuntGenius is operated by GOATech Inc. We collect the minimum information needed to run your account, take payment, deliver picks, and improve the Service. We do not sell your personal information. Payment data is handled by Stripe. By using PuntGenius you consent to the practices in this Policy.

Contents

Who we are
Information we collect
How we use it
Who we share with
International transfers
Cookies & local storage
Retention
Security
Your rights
Marketing & opt-out
Children
Automated decisions
Sale or transfer of business
Changes to this Policy
Complaints & contact

1. Who we are

PuntGenius is owned and operated by GOATech Inc. ("GOATech", "we", "us", "our"). GOATech Inc. is the data controller / APP entity responsible for your personal information under this Policy. You can reach us at [email protected].

This Policy is designed to comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and, where relevant, equivalent protections under the EU/UK GDPR. It must be read together with our Terms of Service.

2. Information we collect

We collect the following categories of personal information:

Account data: email address, display name (optional), hashed password, account creation date, subscription status.
Payment data: we receive payment status, last 4 digits of card, card brand, country, and a Stripe customer ID from our payment processor. We never see or store your full card number, CVC, or expiry.
Usage data: pages and picks viewed, feature interactions, click events, timestamps, results-tab usage, in-app preferences.
Device & technical data: IP address (truncated where practical), user-agent string, device type, browser, operating system, language, time-zone, referrer URL.
Communications: any message you send to support, ratings or feedback you submit, replies to our emails.
Verification data (rare): if we suspect fraud, age misrepresentation, account sharing, or wrongful chargeback, we may request limited identity verification (such as confirmation of name on card or a billing-postal-code match) and retain a record of that verification.
Inferred data: risk signals (such as duplicate-account scoring, chargeback risk), engagement segments, and aggregate analytics derived from the above.

We do not knowingly collect sensitive information (as defined under the Privacy Act). Please do not send us sensitive information unless we specifically request it.

3. How we use your information

We use personal information for the following purposes:

Purpose	Legal basis (AU APPs / GDPR)
Create, secure, and operate your account	Performance of contract
Take payment, prevent chargeback fraud, comply with payment-network rules	Performance of contract / legitimate interests
Deliver picks, results, dashboard, transactional emails	Performance of contract
Improve algorithms, picks accuracy, product features	Legitimate interests
Detect and prevent fraud, abuse, multi-accounting, sharing	Legitimate interests / legal obligation
Send marketing about PuntGenius features and offers	Consent (you can opt out anytime)
Comply with law, court orders, regulator requests	Legal obligation
Enforce our Terms and protect our rights	Legitimate interests

We do not use your information for any purpose materially different from those listed above without your consent, unless required or permitted by law.

4. Who we share your information with

We do not sell your personal information. We share limited information only with the following categories of recipient, and only as needed for the purposes above:

Payment processing: Stripe, Inc. (United States and Ireland).
Transactional email delivery: Resend (United States).
Cloud hosting & database: Railway (United States) and its sub-processors.
Product analytics: PostHog, Inc. (United States), used to understand how the Service is used (page views, button clicks, conversion funnels, retention) and to record anonymised playback of sessions so we can identify usability issues. Form inputs, passwords, email addresses, and card details are masked client-side before recording.
Behavioural analytics & heatmaps: Microsoft Clarity (Microsoft Corporation, United States), used to generate aggregate heatmaps and session recordings (with PII auto-masked) for diagnosing UX problems. Microsoft does not use this data for advertising or to identify you.
Error & crash monitoring: Functional Software, Inc. d/b/a Sentry (United States), used to capture client and server errors so we can fix bugs. We do not send personal data into Sentry event payloads; query strings are stripped from captured URLs.
Professional advisers: our lawyers, auditors, accountants, and insurers, under duties of confidence.
Fraud & chargeback databases: we may report wrongful chargebacks and abuse signals to industry shared-signal services (e.g. Ethoca, Verifi, Stripe Radar) to prevent further fraud.
Authorities: regulators, courts, or law-enforcement agencies if required by law, court order, or to protect our rights, property, or safety, or that of any person.
Corporate transaction: as described in Section 13.

All processors are contractually bound to handle your data only as directed by us and to maintain appropriate security.

5. International transfers

GOATech Inc. and several of our service providers (including Stripe, Resend, and Railway) are based in or process data in the United States and other countries outside Australia. By using the Service you acknowledge and consent to your personal information being transferred to, stored in, and processed in those countries.

The privacy laws of those countries may differ from those of your country. We take reasonable steps to ensure that overseas recipients handle your personal information consistently with the APPs, including by relying on the contractual commitments of major processors (such as Stripe and Railway) and, where applicable, the European Commission's Standard Contractual Clauses or equivalent transfer mechanisms.

6. Cookies & local storage

We use cookies and similar storage technologies for the following purposes:

Strictly necessary local storage: to remember your session token, preferred plan, and UI preferences (such as age-gate dismissal). The Service will not work without these.
Server-side analytics: simple page-view and feature-usage counters, without device fingerprinting.
Product analytics cookies: PostHog and Microsoft Clarity set first-party cookies (or use localStorage) to assign you an anonymous device identifier so we can measure how the Service is used across visits. These cookies are not used to identify you and are not shared with advertisers.
Error monitoring: Sentry uses localStorage to deduplicate repeat errors from the same browser session.
Advertising measurement: if you reach the Service via a Meta (Facebook/Instagram) advertisement, Meta may set its own cookies to attribute the visit, governed by Meta's Privacy Policy.
Payment / fraud signals from Stripe: Stripe may set its own cookies on checkout pages to prevent fraud, governed by Stripe's Privacy Policy.

You can request opt-out from product analytics or session recording at any time by emailing [email protected] and we will configure your account to be excluded.

7. How long we keep your information

We keep your personal information only as long as needed for the purposes in Section 3, or as required by law:

Account data: while your account is active, plus a reasonable period afterwards.
Closed accounts: personal data is deleted or anonymised within 90 days of confirmed account closure, except records we must retain (see below).
Payment & tax records: retained for at least 7 years as required by Australian tax and accounting law.
Fraud, abuse, and chargeback records: retained as long as necessary to prevent re-offending and to protect our rights.
Backups: may persist for up to 60 days after deletion from primary systems.

8. Security

We use industry-standard measures to protect your information, including HTTPS/TLS encryption in transit, bcrypt or comparable hashing for passwords, HMAC-signed session tokens, server-side input validation, parameterised database queries, role-based access controls, infrastructure provided by reputable cloud vendors, and segregation of payment data with Stripe.

No method of transmission or storage is 100% secure. You play a critical role in protecting your account: use a strong, unique password, never share credentials, and notify us immediately of any suspected compromise.

9. Your rights

Subject to applicable law, you have the right to:

Access the personal information we hold about you;
Correct inaccurate or out-of-date information;
Delete your account and associated personal information, subject to records we must retain by law (see Section 7);
Object to processing based on legitimate interests, or restrict processing in certain cases;
Withdraw consent for marketing communications at any time (the unsubscribe link in every marketing email is the easiest way);
Request portability of information you provided directly to us, in a structured machine-readable format, where this right applies;
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or with your local privacy regulator.

To exercise any of these rights, email [email protected] from the email address on your account. We may ask you to verify your identity before responding, and we will respond within 30 days or as required by applicable law. Some requests may be denied or limited where permitted by law (for example, where granting them would prejudice fraud prevention, legal obligations, or the rights of others).

10. Marketing & opt-out

We send transactional emails (account, billing, security, password resets) that are required to operate the Service; you cannot opt out of these while your account is active. We may also send product and marketing emails about PuntGenius features, results, and offers. You can unsubscribe from marketing at any time via the link in any such email, or by emailing us. Opting out of marketing does not affect transactional messages.

11. Children

PuntGenius is strictly for adults aged 18 or older. We do not knowingly collect personal information from anyone under 18. If we learn that we have done so, we will delete it promptly. If you believe we hold information about a minor, contact [email protected].

12. Automated decision-making

Our pick selection and rating algorithms are automated, but they do not make decisions with legal or similarly significant effects on you. We may use automated risk signals to detect fraud, multi-accounting, or wrongful chargeback patterns; if these signals contribute to account suspension you may request human review by emailing us.

13. Sale or transfer of business

If GOATech Inc. is involved in a merger, acquisition, financing, reorganisation, sale of assets, or insolvency event, your personal information may be transferred as part of that transaction to the acquiring or surviving entity, or to a prospective buyer under appropriate confidentiality protections. We will require any successor to honour the commitments in this Policy or notify you of any material change.

14. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will give reasonable advance notice (by email, in-product banner, or dashboard notice). Your continued use of the Service after the updated Policy takes effect constitutes acceptance.

15. Complaints & contact

If you have a question, concern, or complaint about our handling of your personal information, please contact us first:

GOATech Inc. (operator of PuntGenius)
Email: [email protected]

We will acknowledge your complaint within a reasonable time and respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.