Legal
Privacy Policy
Last updated: 12 May 2026
This policy explains what personal data hunch.mt collects about you, why we collect it, how we use it and what rights you have. We follow the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Malta's Data Protection Act (Chapter 586 of the Laws of Malta).
1. Who is the data controller
hunch.mt is the data controller for the personal data described in this policy. You can reach us about anything privacy-related at hello@hunch.mt.
2. What data we collect
We try to keep this short. We collect:
- Account data — your email address, a password hash (we never store your password in clear text), an optional display name and profile picture, and the interests you tick during sign-up.
- Google sign-in data — if you choose to log in with Google, we receive your email address, name and profile picture from Google. We don't see your Google password.
- Activity on hunch.mt — the polls you vote on, battles (Duos) you create or accept, prediction-market orders and trades placed against your virtual balance, friend connections, and the time and outcome of those actions.
- Virtual balance and transaction ledger — every account starts with a virtual €20.00 credit (no real money is involved — see the Terms of Use). We keep a ledger of virtual-balance movements (orders, trade fills, refunds, payouts and Duo escrow entries) so that the platform can show your portfolio and resolve disputes.
- Anonymous poll votes — when anyone (logged in or not) casts a vote on a poll, we set a random "voter token" cookie (predicta_voter) in their browser so the same browser can't vote twice on the same poll. The token is not linked to your account; we cannot tell from the token alone who you are.
- Hashed IP for vote rate-limiting — for poll votes we store a salted SHA-256 hash of the request IP address so we can stop a fresh browser on the same network casting a second anonymous vote on the same poll. We do not store plaintext IP addresses against votes. Signed-in voters bypass the IP check, because per-account uniqueness already prevents a second vote.
- Anti-bot signals (Cloudflare Turnstile) — the credentials sign-up form shows a Cloudflare Turnstile widget, which sends behavioural and device signals (including your IP and user-agent) to Cloudflare so it can tell humans from bots. Cloudflare processes this as our processor; their privacy notice applies to the data they hold. We only receive a pass/fail signal and the token they issue.
- Technical data — IP address, user-agent and basic request logs, kept for a short period to debug issues and protect the service from abuse. These logs are held by our hosting provider; they are separate from the vote tables described above.
- Communications — if you email us we keep your message and contact details so we can reply and so we have a record of what was discussed.
- Password reset tokens — when you ask for a password reset we generate a short-lived (1-hour) token tied to your email, sent by email, and delete it once used.
3. Why we use it (legal bases)
| Purpose | Legal basis |
|---|---|
| Creating and running your account, showing your votes, battles, orders and portfolio | Performance of our contract with you (Article 6(1)(b) GDPR) |
| Sending essential service emails (welcome, friend invites, password resets, important announcements) | Performance of our contract / our legitimate interest in keeping users informed |
| Securing the site, preventing fraud and abuse, debugging — including Cloudflare Turnstile and hashed-IP rate limiting | Our legitimate interest (Article 6(1)(f) GDPR) |
| Anonymous polls — preventing duplicate votes from the same browser or network | Our legitimate interest in producing meaningful poll results |
| Complying with Maltese tax, accounting and other legal obligations | Legal obligation (Article 6(1)(c) GDPR) |
4. We don't sell your data
hunch.mt does not sell, rent or trade your personal data. We don't run third-party advertising trackers on the site.
5. Who we share data with
We share the minimum needed to operate the service, with providers bound by data-processing agreements. The processors we use today are:
- Railway — application hosting and managed Postgres database. Data is processed in the region our Railway project runs in, under Railway's sub-processor terms.
- Cloudflare — edge / DNS and the Turnstile bot challenge on signup. Cloudflare receives your IP, user-agent and the behavioural signals their challenge collects.
- Resend — transactional email delivery (welcome, password reset, announcements). Resend receives the recipient email address and the message body.
- Google — only if you choose Google sign-in. Their privacy policy applies to the data Google holds about you.
- Authorities — where we are required to disclose data by Maltese law, court order or regulatory request, or to protect our rights or those of our users.
Where data leaves the European Economic Area, we rely on the European Commission's standard contractual clauses or an applicable adequacy decision to keep your data protected.
6. Cookies
We keep cookies to a minimum:
- NextAuth session cookie — keeps you logged in. Strictly necessary.
- Voter token cookie (predicta_voter) — a random ID set when you cast a poll vote (election poll or any of the side polls). Used only to stop the same browser from voting twice on the same poll. It is not, by itself, linked to your account.
- Cloudflare Turnstile — the captcha widget on the signup form may set short-lived Cloudflare cookies needed to issue and verify its challenge token.
We don't set advertising or analytics tracking cookies on hunch.mt. Because the cookies we set are strictly necessary, no cookie banner is shown — but you can clear them at any time from your browser.
7. How long we keep data
- Account data — until you delete your account. After deletion we keep a minimal record (e.g. that the account ID existed) only as long as needed for security, dispute or legal reasons, then erase it.
- Battle / Duo records — kept while either party still has an active account. When both accounts are deleted the record is deleted with them.
- Trading activity — orders, trades, positions and the virtual-balance transaction ledger are kept for the life of your account so we can show your portfolio and resolve disputes. They're deleted when the account is deleted, subject to any legal-obligation retention.
- Anonymous poll votes — kept indefinitely as statistical data because they cannot be linked back to a specific person. Hashed IPs attached to those votes are retained on the same schedule. The voter-token cookie itself expires after one year of inactivity.
- Server logs — typically 30 days at our hosting provider, longer only if an investigation needs it.
- Password reset tokens — one hour, then deleted. Used tokens are deleted immediately.
- Email correspondence — usually 24 months from the last reply.
8. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- rectify inaccurate data;
- erase your data (the "right to be forgotten"), subject to limited exceptions;
- restrict or object to certain processing;
- port your data to another service in a machine-readable format;
- withdraw consent at any time where processing is based on consent (this won't affect anything we did before you withdrew it).
To exercise any of these rights, email hello@hunch.mt. We'll reply within one month, or tell you if we need a bit longer.
9. Complaints
If you're not happy with how we've handled your data, we'd rather you tell us first so we can put it right. You also always have the right to complain to Malta's supervisory authority:
Office of the Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House, High Street, Sliema SLM 1549, Malta
idpc.org.mt
idpc.info@idpc.org.mt
10. Children
hunch.mt is not intended for under-18s. We don't knowingly collect data from children. If you believe a child has signed up, email us and we'll remove the account.
11. Security
We use industry-standard measures to protect your data — TLS in transit, bcrypt password hashing, salted SHA-256 hashing of any IP address stored against poll votes, principle-of-least-privilege access. No system is perfectly secure though, so please use a strong, unique password and let us know straight away if you spot anything weird.
12. Changes to this policy
We may update this policy from time to time. The current version is always at this URL with the "Last updated" date at the top. For material changes we'll let registered users know by email or in-app notice.
13. Contact
Questions about your data? Email hello@hunch.mt.
See also our Terms of Use.
