Data Protection Policy

1. Purpose

Finaltable Media Ltd (“the Company”, “we”, “us”) is committed to protecting the personal data of every individual we interact with — whether visitors to our websites, customers, commercial contacts, employees, or contractors. This Data Protection Policy sets out how we comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR).

2. Scope

This policy applies to all personal data processed by the Company, in any format, in the course of our business. It applies to all directors, employees, contractors, consultants, and any third parties who process personal data on our behalf.

3. Legal framework

The Company processes personal data in accordance with:

• The UK General Data Protection Regulation (UK GDPR).
• The Data Protection Act 2018.
• The Privacy and Electronic Communications Regulations 2003 (PECR), in respect of cookies and electronic marketing.
• Guidance issued by the Information Commissioner’s Office (ICO).

4. Definitions

• Personal data — any information relating to an identified or identifiable natural person (‘data subject’).
• Special category data — personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation.
• Processing — any operation performed on personal data, whether or not by automated means (including collection, recording, storage, use, disclosure, or erasure).
• Controller — the party that determines the purposes and means of processing personal data.
• Processor — a party that processes personal data on behalf of a controller.

5. Data protection principles

We process personal data in line with the seven principles set out in the UK GDPR:

• Lawfulness, fairness, and transparency.
• Purpose limitation — collected for specified, explicit, and legitimate purposes.
• Data minimisation — adequate, relevant, and limited to what is necessary.
• Accuracy — kept accurate and, where necessary, up to date.
• Storage limitation — kept for no longer than is necessary for the purposes for which it is processed.
• Integrity and confidentiality — processed in a manner that ensures appropriate security.
• Accountability — we are responsible for, and must be able to demonstrate, compliance with these principles.

6. Lawful bases for processing

We rely on the following lawful bases, depending on the processing activity:

• Legitimate interests — for website analytics, service improvement, and responding to business enquiries, where these interests are not overridden by the rights and freedoms of the data subject.
• Contract performance — for administering commercial contracts with suppliers, affiliate partners, and service providers.
• Legal obligation — for complying with tax, employment, accounting, and regulatory record-keeping obligations.
• Consent — for certain cookies and any electronic marketing, where this is freely given, specific, informed, and unambiguous.

7. Personal data we process

StableBet does not operate account registration, comment systems, or newsletter sign-ups on its public website. We do not collect names, passwords, or payment details from site visitors. The personal data we process is limited to:

• Website usage data collected via Google Analytics 4 (including truncated IP address, device type, referring URL, pages viewed, and session duration).
• Cookie identifiers set by analytics and performance tools.
• Email correspondence — where an individual contacts us directly, we receive their email address and the content of their message.
• Commercial contact data — for staff of affiliate partners, suppliers, and other business counterparties.
• Employee and contractor data — in the ordinary course of employment and engagement.

8. Data subject rights

Under the UK GDPR, data subjects have the right to:

• Be informed about the collection and use of their personal data.
• Access the personal data we hold about them.
• Request correction of inaccurate or incomplete data.
• Request erasure of personal data in certain circumstances.
• Restrict or object to processing.
• Data portability, where applicable.
• Not be subject to a decision based solely on automated processing.
• Lodge a complaint with the Information Commissioner’s Office (ICO).

Requests should be sent to brett.andrews@finaltablemedia.co.uk. We respond to valid requests within one calendar month of receipt, extendable by up to two further months for complex or multiple requests, with reasons provided.

9. Security measures

The Company applies appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:

• Access controls — personal data is only accessible to personnel who need it for a legitimate business purpose.
• Strong, unique passwords and multi-factor authentication on business-critical systems where available.
• Encryption of data in transit (TLS/HTTPS) and at rest where provided by our third-party service providers.
• Regular patching and updating of systems, devices, and software.
• Restricted use of removable media and personal devices for business personal data.
• Supplier due diligence prior to entrusting personal data to a processor.

10. Data breach procedures

All personnel must report any suspected or actual personal data breach to Brett Andrews (brett.andrews@finaltablemedia.co.uk) without delay and in any event within 24 hours of becoming aware.

Where a breach is likely to result in a risk to the rights and freedoms of data subjects, the Company will notify the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware. Where a breach is likely to result in a high risk, affected data subjects will also be notified without undue delay.

A written record is kept of all personal data breaches, including the facts, effects, and remedial action taken, whether or not the breach is notifiable.

11. Data retention

Personal data is retained only for as long as necessary for the purpose for which it was collected, subject to applicable legal and regulatory retention periods. Typical retention periods are:

• Google Analytics data — 26 months from the date of collection (Google default).
• Email correspondence — for the duration of the enquiry and a reasonable period thereafter, typically up to 2 years.
• Commercial counterparty records — for the duration of the relationship plus 6 years, for contractual and tax purposes.
• AML/CTF-related records — for a minimum of 5 years, in line with the AML/CTF Policy.
• Employment records — in line with statutory and best-practice retention periods.

12. International transfers

Where personal data is transferred outside the United Kingdom, the Company ensures that appropriate safeguards are in place, including: transfers to jurisdictions covered by UK adequacy regulations; the use of the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses with the UK Addendum; or an applicable derogation under Article 49 UK GDPR.

13. Third-party processors

Where we engage a third-party processor (for example, website hosting, analytics, or email providers), we only appoint processors that provide sufficient guarantees to implement appropriate technical and organisational measures. Each processor is engaged under a written contract that includes the provisions required by Article 28 UK GDPR.

14. Responsibilities

The Board has overall accountability for compliance with data protection law.

The Director (Brett Andrews) is the policy owner and acts as the Company’s primary data protection contact. The Company is not currently required to appoint a statutory Data Protection Officer under Article 37 UK GDPR, but any future change in circumstances will trigger a reassessment.

All personnel are responsible for handling personal data in accordance with this policy, reporting breaches promptly, and completing data protection training.

15. Training and awareness

All personnel receive data protection briefing on induction and periodic refresher training. This policy is made available at all times on the Company’s internal systems.

16. ICO registration and complaints

The Company is (or will be, on commencement of relevant processing) registered with the Information Commissioner’s Office as required under the Data Protection (Charges and Information) Regulations 2018. Individuals who believe their personal data has been handled in breach of UK data protection law may contact us at brett.andrews@finaltablemedia.co.uk or lodge a complaint with the ICO at ico.org.uk.

17. Review

This policy is reviewed at least annually and following any material change in applicable law, regulatory guidance, or our processing activities. The next scheduled review date is 19 April 2027.