Privacy Policy
Last updated: May 2026. This policy covers the WC 2026 Prediction Game, a private competition web application.
What we collect
We collect the minimum data necessary to operate the prediction game:
- Email address — used to identify your account and send match-related notifications.
- Display name — shown on leaderboards and pool membership lists.
- Avatar URL (optional) — if provided via Google sign-in; used to display your profile picture.
- Prediction data — your score predictions for all 64 matches and any bonus answers you submit.
- IP address — recorded in server access logs for security and abuse prevention purposes.
Legal basis (Article 13/14)
We process your personal data under the following legal bases as defined by the GDPR:
- Contract performance (Article 6(1)(b)) — processing your email, display name, and predictions is necessary to provide the prediction game service you signed up for.
- Legitimate interest (Article 6(1)(f)) — server access logs (IP address) are retained for security, fraud prevention, and service reliability.
We do not use your data for advertising, profiling, or any purpose beyond operating the prediction game.
Retention
- Prediction and account data — retained for the duration of the tournament (until the World Cup 2026 final) plus 30 days, then deleted or anonymised.
- Server access logs — retained for 14 days, then automatically purged.
- Account deletion — you may request immediate deletion of your account and all associated data at any time (see Your Rights below).
Cookies & local storage
- We use only strictly-necessary cookies: Supabase session cookies (sb-*-access-token, sb-*-refresh-token) to keep you signed in, and a CSRF token. No analytics, no advertising, no third-party trackers.
- Per GDPR (ePrivacy Directive Recital 25), strictly-necessary cookies don't require a consent banner — so we don't show one.
- localStorage is used for the React Query cache and tiny UI preferences (e.g., last-visited pool). Nothing leaves your browser.
- Cookies are cleared automatically when you sign out, or you can wipe them from your browser settings at any time.
Sub-processors
We use the following third-party services to operate the application. Each acts as a data processor under appropriate data processing agreements (DPAs):
- Supabase — database, authentication, and real-time features. Hosted on EU servers (Frankfurt region). DPA available at supabase.com/privacy.
- Resend — transactional email delivery (magic-link sign-in emails). Receives only your email address and the sign-in link. DPA available at resend.com/legal/dpa.
- football-data.org — public World Cup match schedule and results data. No personal data is shared with this service.
Your rights
Under the GDPR, you have the following rights with respect to your personal data:
- Access (Article 15) — you may request a copy of the personal data we hold about you.
- Correction (Article 16) — you may update your display name and avatar at any time via your profile settings.
- Deletion (Article 17) — you may request erasure of your account and all personal data. We will process deletion requests within 30 days. To request deletion, email us at the address below.
- Portability (Article 20) — you may request an export of your prediction data in machine-readable format.
To exercise any of these rights, contact us using the email address in the Contact section below.
Contact
For any privacy-related questions, data subject requests, or concerns, contact the data controller:
Email: juha@arosusi.com
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.