Privacy Policy

WC2026 Predictor is operated as an independent prediction game at itsonlyagameson.com. We are the data controller for personal information collected through this website.

If you have any questions about this policy or how we handle your data, contact us at: [email protected]

We collect the following categories of personal data:

• Account data: Your display name (nickname), email address, and chosen favourite team when you register.
• Payment data: When you pay the £3 entry fee, Stripe processes your card details directly. We store only the Stripe session ID and payment intent ID — never your raw card number, CVV, or full card details.
• Prediction & game data: Your score predictions, quiz answers, mini-game selections, and creative challenge submissions.
• Usage data: Pages visited, actions taken within the app, and approximate session timing — used to improve the service.
• Charity vote: Which charity you voted for (linked to your account, visible only to administrators).
• Communications: Any messages you send us via email or feedback forms.

We use your personal data for the following purposes and legal bases:

We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

We share limited data with the following trusted third-party processors:

• Stripe (stripe.com): Payment processing. Stripe is PCI-DSS Level 1 certified. Your card data goes directly to Stripe — we never see it. Stripe's privacy policy: stripe.com/gb/privacy
• GoDaddy / Airo (godaddy.com): Hosting and infrastructure. Our application runs on GoDaddy's Airo platform.
• football-data.org: Live World Cup 2026 fixture and result data. No personal data is shared with this service.

All processors are contractually bound to handle your data only on our instructions and in accordance with applicable data protection law.

• Account data: Retained for the duration of your account. You may delete your account at any time from your Profile page.
• Payment records: Retained for 7 years to comply with UK financial record-keeping obligations.
• Game data (predictions, quiz, mini-games): Retained for the duration of the competition and up to 12 months after it ends for audit and prize verification purposes.
• Usage/log data: Retained for up to 90 days.

As a UK resident you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Ask us to correct inaccurate or incomplete data.
• Right to erasure: Ask us to delete your data ("right to be forgotten"). You can also delete your account directly from your Profile page.
• Right to restriction: Ask us to restrict processing of your data in certain circumstances.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).

We use the following cookies and browser storage:

• Session cookie (better-auth): Strictly necessary. Keeps you logged in. Expires when you sign out or after 30 days of inactivity.
• Local storage (app state): Stores UI preferences (e.g. dark mode, scroll position). No personal data. Cleared when you clear your browser data.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under UK PECR.

We implement appropriate technical and organisational measures to protect your personal data, including HTTPS encryption in transit, hashed passwords (bcrypt), HTTP security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy), rate limiting on sensitive endpoints, and server-side validation of all user inputs. Payment data is handled exclusively by Stripe and never stored on our servers.

This service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will be communicated via a notice on the homepage. Continued use of the service after changes constitutes acceptance of the updated policy.