Data Ownership Agreement (DAO)

Owner/Operator: Statara Analytics Inc. ("Company")

Last Updated: April 6, 2026  ·  Effective Date: April 6, 2026

Applies To: All users of the Statara Service

1. Purpose and Relationship to Other Documents

1.1 This DAO defines data rights, permissions, and governance for Statara.

1.2 This DAO is incorporated into the Terms & Conditions. If there is a conflict, the document that provides greater user protection controls unless law requires otherwise.

2. Definitions

  • "Personal Data" / "Personal Information" means information relating to an identified or identifiable individual, as defined by applicable law.
  • "User Data" means all data you submit or that is generated through your use of the Service that is linked or reasonably linkable to you or your Account.
  • "User Content" includes manual bet entries, notes, uploads, screenshots, and CSVs.
  • "Account Data" includes registration data, subscription status, device identifiers, login events.
  • "Usage Data" includes app interactions, feature usage, diagnostics, and performance logs.
  • "Derived Data" means data created by transforming User Data (categorization, summaries, computed metrics, risk indicators, model features).
  • "Aggregated Data" means combined statistics not reasonably linkable to an individual.
  • "De-identified Data" means data processed to remove or obscure identifiers consistent with applicable legal standards to reduce linkability.
  • "Third-Party Data" means data provided by sportsbooks, odds providers, analytics services, or other external sources.

3. Ownership and Rights Allocation

3.1 User Content Ownership. As between you and Company, you retain rights in your User Content.

3.2 Company Ownership of Service and Methods. Company owns the Service, including its software, schemas, model architectures, prompts, evaluation methods, scoring logic, derived analytics frameworks, and documentation.

3.3 Derived Data and Output Rights.

  • You may access your Derived Data and Outputs through the Service.
  • Company retains rights in the methods and format of Derived Data and Outputs.

3.4 Aggregated / De-identified Data. Company may create Aggregated and/or De-identified Data and use it to operate, improve, secure, and grow the Service, including for benchmarking and research, subject to legal constraints.

4. License to Process User Data

4.1 You grant Company a worldwide, non-exclusive, royalty-free license to collect, store, use, process, transmit, and display User Data to provide the Service, prevent fraud, secure systems, comply with law, and enforce agreements.

4.2 Company will seek to limit collection and processing to what is necessary for stated purposes, subject to technical realities and legal obligations.

5. Collection and Lawful Bases

5.1 Privacy Notice Controls. Data categories, purposes, disclosures, and jurisdiction-specific rights are described in the Privacy Notice.

5.2 Lawful Bases (When Applicable). Where required, Company will rely on one or more lawful bases (e.g., contract necessity, consent, legitimate interests), and will obtain consent for marketing and cookies where required.

6. Storage, Security, and Encryption

6.1 Security Program. Company implements administrative, technical, and organizational safeguards appropriate to the sensitivity of data.

6.2 Encryption. All data in transit is protected by TLS (HTTPS) enforced at the infrastructure level via Railway. Data at rest is stored in PostgreSQL 16 on Railway-managed infrastructure with encrypted volumes. Database connections use SSL in production. Access to production data stores is restricted to authorized service accounts.

6.3 Access Controls. Least privilege, logging, and monitoring procedures apply.

6.4 No Absolute Guarantee. No system is perfectly secure; Company does not guarantee absolute security.

7. Retention, Deletion, and Portability

7.1 Retention Schedule. Company retains data consistent with the Privacy Notice and operational needs (security, fraud, legal compliance).

7.2 Deletion Requests. Where legally required, Company will delete or de-identify Personal Data upon verified request, subject to legal exceptions and backup constraints.

7.3 Portability. Company will provide export of core User Data in a reasonably portable format (CSV/JSON) where required or offered.

7.4 Backups. Deleted data may persist in backups until overwritten, consistent with Company's backup lifecycle.

8. Third-Party Processors, Subprocessors, and Integrations

8.1 Service Providers / Processors. Company may use vendors for hosting, analytics, email delivery, crash reporting, customer support, payments, and AI/OCR processing, under contract restrictions consistent with law.

8.2 Subprocessor List. Company will maintain a list or description of subprocessors in the Privacy Notice or DPA (for enterprise).

8.3 Third-Party Integrations. If you connect to Third-Party Services, you authorize Company to exchange data as configured; third-party terms govern their processing.

9. Cross-Border Transfers and Localization

9.1 Data may be processed in jurisdictions where Company or its vendors operate.

9.2 Where required (e.g., Quebec cross-border considerations; GDPR transfers), Company will implement contractual and technical safeguards and required assessments.

10. AI/ML, Analytics, and Model Training

10.1 Feature Operation. Company may use User Data to generate Outputs and power user-requested analytics.

10.2 Model Improvement and Training.

  • By default, Company may use Aggregated/De-identified Data to improve detection and analytics.
  • Use of identifiable User Data for training, where legally required or materially different from core service provision, will require a separate consent toggle or opt-out mechanism as described in the Privacy Notice.

10.3 Third-Party AI Providers. If used, they will process data as service providers/processors with restrictions on independent use, subject to vendor capabilities and contracts.

10.4 No Re-identification. Users may not attempt to re-identify de-identified data.

11. Logging, Audit Trails, and Law Enforcement Requests

11.1 Logs. Company maintains security and operational logs to prevent fraud, debug issues, and investigate incidents.

11.2 Legal Requests. Company may disclose information pursuant to lawful requests (subpoenas, court orders) consistent with applicable law.

11.3 Minimization. Company will seek to disclose the minimum necessary and to record disclosures where appropriate.

12. Breach Notification and Incident Response

12.1 General Rule. Company will notify users and regulators when required by applicable breach-notification laws.

12.2 Jurisdiction Examples (Non-exhaustive).

  • Canada (federal): Notice and report "as soon as feasible" when the real risk of significant harm threshold is met.
  • Quebec: Notify regulator and affected individuals promptly when there is a risk of serious injury; maintain an incident register.
  • United Kingdom: Notify ICO within 72 hours for reportable breaches.
  • Florida: Notice no later than 30 days after determination (with limited extension).
  • Texas: Notice to affected individuals no later than 60 days, plus applicable state reporting rules.
  • New Zealand: Notify commissioner and affected individuals as soon as practicable.

13. Contact and Governance

13.1 Privacy Contact. For privacy-related inquiries, requests, or concerns, contact us at: support@statara.co

13.2 Complaints. Users may submit privacy complaints and data requests by emailing support@statara.co. We will acknowledge receipt and respond within the timeframe required by applicable law.