Controller and privacy channel
Predict The Cup acts as controller of personal data used to provide accounts, predictions, rankings, groups, profiles, purchases, rewards, support, and sharing features.
Data subject requests, questions, objections, or security reports should be sent to support@predicthecup.com or through the Contact page form.
We may request additional information to verify the requester's identity and prevent disclosure or changes by unauthorized parties.
Data we collect and why
- Account and sign-in: Google account identifier, name, email address, and profile photo authorized by the user. Purpose: create and authenticate the account, restore access, and prevent duplicate or fraudulent accounts.
- Profile: display name, username, country, bio, favorite team, avatar, banner, frame, and social links provided by the user. Purpose: personalize and publish the profile and identify the participant in rankings and groups.
- Game and community: predictions, brackets, groups, selected champion, scores, accuracy, XP, badges, rank, activity, invites, and respect interactions. Purpose: apply game rules, calculate results, display rankings, and prevent manipulation.
- Purchases: product, quantity, amount, currency, checkout session, customer and payment identifiers, status, and purchase history. Purpose: process transactions, release benefits, provide support, prevent fraud, and meet accounting duties. Full card details are collected directly by Stripe.
- Contact and support: name, email, optional phone number, category, subject, message, account ID and email, username, display name, and IP address. Purpose: answer the request, verify eligibility, limit abuse, and retain a support history.
- Invites and rewards: invite code, share ID, source URL, capture date, inviter and invitee, IP address, user agent, and qualification status. Purpose: attribute invites, calculate campaigns, audit eligibility, and combat artificial registrations.
- Browser push, only when authorized: subscription endpoint, public encryption keys, expiration, language, user agent, policy versions, and consent date. Purpose: deliver browser notices and record the user's choice.
- Analytics, only with consent: page, event, date and time, interaction properties, browser, device, and usage data such as clicks and scrolling. Purpose: measure use, diagnose journeys, and improve the product and campaigns.
- Technical and security data: IP address, user agent, language, headers, session identifiers, access logs, errors, and usage attempts. Purpose: operate infrastructure, apply limits, investigate incidents, prevent fraud, and protect accounts.
Data that may be public
- Public profiles may show display name, username, avatar, banner, country, bio, favorite team, social links, level, XP, badges, statistics, rank, and competitive activity.
- Rankings, groups, public share pages, posters, and shared brackets may be accessed by other people, search engines, and social networks selected by the user.
- Do not publish confidential information about yourself or others in profiles, bios, links, or images. Account deletion cannot guarantee removal of copies already shared by other people.
Third-party services and shared data
- Google OAuth: receives the sign-in request and provides the authorized account identifier, name, email, and photo. Google processes data under its own terms and policies.
- Vercel: hosts the website and, when Analytics is authorized, processes technical and usage data for access and performance metrics.
- Microsoft Clarity: only with Analytics consent, processes browsing interactions, clicks, scrolling, device data, and masked sessions for experience analysis.
- Railway and managed PostgreSQL, or equivalent contracted infrastructure: host the API and database and process data required for accounts, sessions, predictions, rankings, purchases, support, and security.
- Cloudflare R2: stores and delivers avatars, banners, profile images, and share artwork. Files marked public can be accessed through their corresponding URL.
- Stripe: receives purchase data and directly collects payment method details for checkout, confirmation, fraud prevention, refunds, disputes, and financial obligations.
- Resend: receives contact-form content and associated account and security data to deliver the message to the support team.
- Browser or operating-system push service, such as Google, Mozilla, or Apple: receives the endpoint and technical data needed to deliver authorized notifications.
- YouTube in privacy-enhanced mode and FlagCDN: may receive IP address, browser, and technical data when videos or flags load. YouTube may activate its own storage after video interaction.
- Social networks and sharing apps, such as WhatsApp, Facebook, and X: receive data only when the user opens a link, shares content, or visits an external profile. These services operate under their own policies.
- Google AdSense: the account-validation metatag is active. After approval and ad activation, Google may use cookies, web beacons, IP addresses, and other identifiers to serve, measure, and protect ads. Where required, ad serving will depend on a Google-certified CMP.
Purposes and legal bases
- Contract performance and pre-contract steps: create an account, authenticate, save predictions, calculate rankings, process purchases, deliver items, and provide requested support.
- Consent: Analytics, Microsoft Clarity, optional preferences, marketing, and promotional notifications. Consent may be refused or withdrawn without blocking essential functions.
- Legitimate interests, after necessity and impact assessment: security, fraud and abuse prevention, strictly necessary operational metrics, service defense, and improvement without optional tracking.
- Compliance with legal or regulatory obligations: tax records, payments, lawful authority requests, and data protection duties.
- Exercise or defense of legal rights: preserve records needed for complaints, disputes, audits, chargebacks, and proceedings.
Cookies and similar technologies
Necessary cookies maintain sessions, security, consent, and temporary invite attribution. Local storage also records interface preferences and accepted legal versions.
Vercel Analytics and Microsoft Clarity load only after Analytics consent. The Google AdSense validation metatag does not serve ads. Before enabling ads, we will disclose the applicable technologies and use a Google-certified CMP where required.
The Cookie Policy, version 2026-06-09, lists names, purposes, duration, and management options.
How long we keep data
- Account, profile, and competitive history: while the account is active and afterward as needed for deletion processing, backups, fraud prevention, and legal rights.
- Purchase and financial records: for periods required by tax, accounting, consumer, anti-fraud, and dispute-prevention rules.
- Contact and support: as long as needed to resolve and document the request and, where applicable, preserve evidence of service or defense.
- Browser consent: cookie for up to 12 months; local record until deleted, withdrawn, or invalidated by a new policy version.
- Invite reference: up to 30 days in the browser.
- Push subscription: until cancellation, endpoint expiration, or account deletion.
- Where no fixed legal period applies, data is deleted or anonymized after the purpose ends unless a legitimate and documented retention need remains.
International transfers
Google, Vercel, Microsoft, Railway, Cloudflare, Stripe, Resend, and push providers may process data in the United States and other countries or regions where they maintain infrastructure and subprocessors.
Transfers must use a valid mechanism under applicable data protection law, including contractual safeguards where required. We limit transfers to what is needed for each purpose and assess supplier security measures.
Your data rights
- Confirm whether we process personal data and request access.
- Correct incomplete, inaccurate, or outdated data.
- Request anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data.
- Request portability when regulated and technically applicable.
- Obtain information about public and private entities with which data was shared.
- Withdraw consent and learn the consequences of refusing it.
- Object to unlawful processing and request review of solely automated decisions where applicable.
- Submit a petition to the ANPD or consumer protection authorities after using the controller's channel, as provided by law.
Children and teenagers
The service is not directed to children, and we do not knowingly collect children's data without specific, prominent consent from a legal guardian where required.
Guardians may request verification and deletion through the privacy channel. Teenagers should use the service with supervision where applicable law requires it.
Security
We use access controls, protected sessions, input validation, encryption in transit, restricted administrative routes, usage limits, and incident monitoring.
No system is immune to risk. Relevant incidents will be investigated and reported to users and authorities when required by law.
Versions and updates
- Privacy Policy: 2026-06-09.
- Terms of Use: 2026-06-08.
- Cookie Policy: 2026-06-09.
- Last updated: June 9, 2026.
- Material changes will be highlighted and, when consent is the legal basis, a new choice will be requested.