← Back to home

Privacy Policy

Last updated: 18 May 2026

1. Who we are

WC26 ("we", "us") is a fantasy football and match-prediction game for the 2026 FIFA World Cup. This policy explains what data we collect and why.

2. Data we collect

  • Account data — email address, display name, optional avatar, supported nation.
  • Game data — your fantasy XI, transfers, predictions, league memberships, points.
  • Device tokens — if you enable push notifications on iOS/Android, we store an APNs/FCM token tied to your account so we can send you updates (e.g., goals scored by your players, league changes).
  • Authentication metadata — managed by our auth provider (Supabase): hashed password, sign-in timestamps, OAuth provider IDs (Apple, Google) if used.
  • Donation data — if you choose to make a voluntary "Buy me a coffee" donation, the payment is processed by Stripe. We do not see or store your card number, CVC or full billing details. Stripe handles your card data under its own privacy policy and PCI-DSS compliance. We do not link donations to your account or keep any record of who has donated.

We do not collect location, contacts, photos, advertising identifiers, or browsing history.

3. How we use it

  • To run the game (scoring, leaderboards, leagues).
  • To send relevant push notifications (only if you opt in).
  • To prevent abuse and enforce fair-play rules.

We do not sell your data. We do not use it for advertising or profiling.

4. Sharing

Your display name, supported nation, and points are visible to other players on public leaderboards and to members of leagues you join. Your email address is never shown publicly.

Service providers we use:

  • Supabase (database, auth, hosting infrastructure).
  • Apple Push Notification service / Google Firebase (only when you enable notifications).
  • Stripe, Inc. (payment processing — only when you choose to make a voluntary donation).

5. Your rights

  • Access — view your account data inside the app at any time.
  • Correction — change your display name, nation, and avatar from the Profile page.
  • Deletion — permanently delete your account and all associated data from Profile → Delete account. This action is immediate and irreversible.
  • Push opt-out — revoke notification permission in iOS/Android Settings at any time.

6. Security

Data is encrypted in transit (TLS) and at rest. Row-level security policies ensure users can only access their own private rows.

7. Children

WC26 is not directed at children under 13 and we do not knowingly collect personal data from them.

8. Contact

Questions? See our Support page.