Data & Compliance Policy
Last updated 16 June 2026
This Data and Compliance Policy describes the framework GoalEdge uses to protect personal data, secure the Platform and meet its regulatory obligations. It complements our Privacy Policy and Terms of Use.
1. Governance
GoalEdge takes a privacy-by-design and security-by-design approach. Data protection and security responsibilities are owned at leadership level, and our practices are reviewed as the Platform evolves. Privacy and security matters can be raised at privacy@goaledge.com.
2. Regulatory framework
We align our practices with the following, as applicable:
- the Nigeria Data Protection Act 2023 and the guidance of the Nigeria Data Protection Commission;
- the EU and UK General Data Protection Regulation for users in those regions;
- cookie and electronic-communications principles for transparency and consent;
- PCI-DSS obligations, which are met by our payment processors, since GoalEdge does not store full card data;
- responsible gambling principles: GoalEdge is not a betting operator, restricts access to adults aged 18 and over and presents predictions with clear no-guarantee messaging.
3. Data classification
We classify data as account data, activity data, technical and security data, and billing data. Sensitive authentication data, such as passwords, is stored only as a salted hash, and card data is never stored by GoalEdge.
4. Sub-processors
We engage a limited set of providers under appropriate safeguards, including payment processors (Stripe, Paystack, Flutterwave), hosting and security infrastructure, and sports data sources. Each is used only for its stated purpose.
5. Security controls
Our layered controls include:
- encryption of data in transit, with HTTP Strict Transport Security;
- strong, slow password hashing with per-user salts;
- protection against cross-site request forgery on state-changing actions;
- per-IP rate limiting and progressive brute-force lockout;
- strict security headers, including a content security policy and clickjacking protection;
- input validation and output encoding to defend against injection and cross-site scripting;
- parameterised database queries throughout, which prevent SQL injection;
- least-privilege administrative access behind a separate admin role;
- same-origin request policy, with cross-origin access permitted only for explicitly approved origins;
- secure session cookies marked HttpOnly and SameSite, and Secure in production.
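The two controls most often implemented incorrectly in the list above are the slow, per-user-salted password hash and the progressive lockout. The following Python is an added illustration of how those two fit together; it is not GoalEdge's code, and the iteration count, the doubling lockout schedule, the client key and the user records are all assumed values chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for the example, not GoalEdge's production settings.
PBKDF2_ITERATIONS = 600_000   # slow on purpose; tune to the hardware in use
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Hash with a fresh random salt; the salt travels with the hash string."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Hash verified for unknown usernames so a login attempt costs the same time
# whether or not the account exists (assumed practice, not from the policy).
DUMMY_HASH = hash_password("not-a-real-password")


class LoginThrottle:
    """Progressive lockout per key (e.g. client IP): each consecutive failure
    doubles the wait, capped, and a success clears the record."""

    def __init__(self, base_seconds=1.0, cap_seconds=900.0, clock=time.monotonic):
        self._base = base_seconds
        self._cap = cap_seconds
        self._clock = clock            # injectable for testing
        self._state = {}               # key -> (failure_count, locked_until)

    def allowed(self, key: str) -> bool:
        _, locked_until = self._state.get(key, (0, 0.0))
        return self._clock() >= locked_until

    def record_failure(self, key: str) -> float:
        count, _ = self._state.get(key, (0, 0.0))
        count += 1
        delay = min(self._base * 2 ** (count - 1), self._cap)
        self._state[key] = (count, self._clock() + delay)
        return delay

    def record_success(self, key: str) -> None:
        self._state.pop(key, None)


def attempt_login(users: dict, throttle: LoginThrottle, client_key: str,
                  username: str, password: str) -> bool:
    """Server-side login check combining the throttle and the slow hash."""
    if not throttle.allowed(client_key):
        return False
    stored = users.get(username, DUMMY_HASH)
    ok = username in users and verify_password(password, stored)
    if ok:
        throttle.record_success(client_key)
    else:
        throttle.record_failure(client_key)
    return ok


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed
    throttle = LoginThrottle()
    print(attempt_login(users, throttle, "203.0.113.5", "alice", "wrong"))
    print(attempt_login(users, throttle, "203.0.113.5", "alice", "correct horse battery staple"))
```

The throttle keys on the client rather than the account so that an attacker cannot lock a victim out simply by sending bad passwords for that victim's username; a production design usually combines both keys.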
6. Payment integrity
Where card payments are enabled, our billing design follows recognised best practice. Inbound payment webhooks are signature-verified and processed idempotently, so a retried event is never actioned twice. Subscription state is recorded in an append-only ledger, so every change is auditable and no financial record is overwritten in place.
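As an added illustration of the three properties named in this section (signature verification, idempotent processing and an append-only ledger), the Python below implements a minimal webhook receiver. It is example code, not GoalEdge's billing service or any processor's SDK; the signature header format, the shared secret, the event shape and the five-minute tolerance are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed secret for the example; a real service loads it from configuration.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300   # assumed replay window


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over '<timestamp>.<raw body>', sent as a header."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify_signature(secret: bytes, header: str, body: bytes, now: int,
                     tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Check the timestamp is fresh and the MAC matches, in constant time."""
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts = int(parts["t"])
        given = parts["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)


class SubscriptionLedger:
    """Append-only record of subscription changes, keyed by processor event id
    so that a redelivered event is recognised and not applied twice."""

    def __init__(self):
        self.entries = []          # never mutated in place, only appended to
        self._seen_event_ids = set()

    def apply_event(self, event: dict) -> str:
        event_id = event["id"]
        if event_id in self._seen_event_ids:
            return "duplicate"
        self._seen_event_ids.add(event_id)
        self.entries.append({
            "event_id": event_id,
            "user_id": event["user_id"],
            "status": event["status"],
            "received_at": event["created"],
        })
        return "applied"

    def current_status(self, user_id: str):
        """Derive the live state by reading the ledger; nothing is overwritten."""
        for entry in reversed(self.entries):
            if entry["user_id"] == user_id:
                return entry["status"]
        return None


def handle_webhook(ledger: SubscriptionLedger, header: str, body: bytes, now: int):
    """Returns (http_status, outcome). Verify before parsing: untrusted bytes are
    only decoded once the signature has been accepted."""
    if not verify_signature(WEBHOOK_SECRET, header, body, now):
        return 400, "bad signature"
    event = json.loads(body)
    return 200, ledger.apply_event(event)


if __name__ == "__main__":
    ledger = SubscriptionLedger()
    body = json.dumps({"id": "evt_001", "user_id": "u42",
                       "status": "active", "created": 1_700_000_000}).encode()
    header = sign_payload(WEBHOOK_SECRET, 1_700_000_000, body)
    print(handle_webhook(ledger, header, body, now=1_700_000_010))
    print(handle_webhook(ledger, header, body, now=1_700_000_020))  # retried event
```

Returning 200 for a duplicate is deliberate: the processor has already been told the event was received, so a retry should be acknowledged and dropped rather than failed and retried again.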
7. Vulnerability management
We test the Platform for common weaknesses, including injection, broken access control, authentication flaws and cross-site scripting, and we support automated security scanning as part of our release process. We welcome responsible disclosure of any vulnerability at security@goaledge.com. Please do not access other users' data or disrupt the service while testing.
8. Access control and authorisation
User actions are authorised against the signed-in account on the server, so one user cannot read or change another user's data by altering a request. Administrative functions require the admin role, which is verified server-side on every privileged request.
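The following Python is an added example of the server-side check this section describes, contrasting a lookup that trusts the identifier in the request with one that ties the record to the signed-in account and gates privileged operations on the admin role. It is not GoalEdge's code; the session object, the in-memory store, the record shape and the identifiers are constructed for the example.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised both for missing records and for records the caller may not see,
    so a response does not reveal whether another user's record exists."""


class Forbidden(Exception):
    """Raised when a privileged operation is attempted without the admin role."""


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after authenticating the session
    cookie; nothing here comes from the request body or URL."""
    user_id: str
    is_admin: bool = False


# Constructed store: prediction_id -> {"owner": user_id, "note": text}
PREDICTIONS = {
    "p1": {"owner": "alice", "note": "home win"},
    "p2": {"owner": "bob", "note": "draw"},
}


def get_prediction_unsafe(prediction_id: str) -> dict:
    """Broken access control: whoever supplies a valid id gets the record."""
    return PREDICTIONS[prediction_id]


def get_prediction(session: Session, prediction_id: str) -> dict:
    """Hardened: the record must belong to the authenticated account."""
    record = PREDICTIONS.get(prediction_id)
    if record is None or record["owner"] != session.user_id:
        raise NotFound(prediction_id)
    return record


def update_prediction(session: Session, prediction_id: str, note: str) -> dict:
    """Writes go through the same ownership check as reads."""
    record = get_prediction(session, prediction_id)
    record["note"] = note
    return record


def require_admin(session: Session) -> None:
    """Checked on every privileged request, never cached client-side."""
    if not session.is_admin:
        raise Forbidden(session.user_id)


def delete_any_prediction(session: Session, prediction_id: str) -> bool:
    """Administrative operation: role check first, then act on any record."""
    require_admin(session)
    return PREDICTIONS.pop(prediction_id, None) is not None


if __name__ == "__main__":
    alice = Session("alice")
    bob = Session("bob")
    admin = Session("ops", is_admin=True)
    print(get_prediction(alice, "p1")["note"])
    try:
        get_prediction(bob, "p1")
    except NotFound:
        print("bob cannot read p1")
    print(delete_any_prediction(admin, "p2"))
```

The unsafe function is kept only to show the shape of the defect: it authorises on the identifier's validity rather than on who is asking. The hardened version also uses the same exception for "missing" and "not yours", which keeps the error surface from confirming other users' record identifiers.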
9. Breach response
If a personal data breach occurs that is likely to result in a risk to individuals, we will assess it promptly and, where required, notify the relevant supervisory authority and affected users within the timeframes set by applicable law, which is generally without undue delay and, where feasible, within 72 hours.
10. Data subject requests
Requests to access, correct, delete, port or restrict personal data are handled in line with our Privacy Policy. Contact privacy@goaledge.com and we will respond within the period required by applicable law.
11. Retention
We retain personal data only as long as necessary for the purposes described in our Privacy Policy or as required by law. Audit and billing records are kept for the period needed to meet legal and financial obligations.
12. Review
This policy is reviewed periodically and updated as the Platform, our providers or the regulatory landscape change.
This policy is provided for general information and does not constitute legal advice.