Privacy
Privacy Policy
Last updated: 2026-05-29
The short version
CupDays is a free schedule, picks game, and printable wallchart for the FIFA World Cup 2026. The public site is browsable without an account or cookies. If you sign in to play the picks game, we store the minimum needed to identify you between sessions — your email, a display name, and the picks you make.
What we collect
- Account data (only if you sign in) — email address, display name, URL slug, avatar URL, time-zone, and the identifier of the provider you signed in with (Google or X). We also store the picks you make, your score, and your streaks.
- Anonymous print counts — when you download a PDF or trigger a browser print, we record (edition, template, action, duration) in Cloudflare Analytics Engine. No IP, no user-agent, no cookie, no fingerprint. Used to show the live print counter on the homepage and to report aggregate verified-prints to sponsors.
- Browser
localStorage— your time-zone preference, language, custom title, highlighted team, PDF style preference, and (on preview deploys only) a copy of your session token. This data lives in your browser and is not sent to our servers except when used to authenticate API calls. - Sponsor waitlist signups — when you submit the form on
/sponsor, we store the email, business name, edition of interest, and slot interest. Used solely to notify you when sponsor inventory becomes available. - Cloudflare server logs — Cloudflare automatically records standard request metadata (URL, status, response size, region) for operational purposes. We don't query or export this data; it's used by Cloudflare for abuse prevention and traffic shaping. Their own privacy policy applies.
Sign in with Google
If you choose "Continue with Google" on /signup, you authenticate through Google's standard OAuth 2.0 flow. We request these scopes only:
openid— required to identify the Google accountemail— your verified email addressprofile— your name and profile photo
From the data Google returns, we store:
- Your verified email address
- Your name (used as your default CupDays display name)
- The URL of your Google profile photo (used as your default avatar)
- Your Google account identifier (the
subclaim) — a stable, opaque ID used to recognize you on return visits
What we do not access: we do not request and have no ability to read your Gmail, Google Drive, Google Calendar, Google Contacts, YouTube account, or any other Google service. We do not post on your behalf. We do not contact you outside of CupDays product email.
CupDays' use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Sign in with X (Twitter)
If you choose "Continue with X", we receive your X user ID, username, display name, and profile image URL via the standard OAuth 2.0 flow. We use these for the same purposes as the Google equivalents above and store the same shape of data. We do not request tweet.write or any other write scope and cannot post on your behalf.
Sign in with a magic link
You can also sign in by entering your email and clicking a one-time link we send to that address. The link is valid for 30 minutes and can be used once. We store the email, a hashed token, and the link's expiry time. No password is ever set, stored, or transmitted.
Cookies
The public, unauthenticated site sets no cookies. Once you sign in, our API origin (play.cupdays.com) sets a single session cookie:
wc26_sid— an HMAC-signed JWT that proves who you are.HttpOnly,Secure,SameSite=None, 30-day lifetime, refreshed on use. Cleared when you sign out.
On preview deploys (where browsers block third-party cookies), the same token is held in localStorage instead and sent as an Authorization: Bearer header. The production site uses the cookie path.
Public profile
By default, your CupDays profile is public: anyone with a link can view your display name, avatar, picks for matches whose kickoff has passed, and your score and streak at cupdays.com/u/<your-slug>. Your email address is never shown publicly. You can make your profile private from /settings; private profiles return a 404 to non-owners.
Third parties
- Cloudflare — hosting (Pages + Workers), D1 database, Analytics Engine, Browser Rendering for PDF generation. Cloudflare privacy policy.
- Google — OAuth sign-in (as described above) and AdSense display ads on the public site. Google may set its own cookies and use ad-personalization. Google privacy policy.
- X (Twitter) — OAuth sign-in (as described above). X privacy policy.
- flagcdn.com — country flag images are hot-linked from this CDN. Each request reveals the requester's IP to the CDN.
Your rights
You can:
- View your data — your profile page (
/u/<your-slug>) and the picks list (/my-picks) show everything tied to your account. - Edit your display name and time-zone at
/settings. - Make your profile private at
/settings. - Delete your account by emailing hello@cupdays.com from the address tied to your account. We remove your account row, your picks, your auth identities, and your scores within 7 days. The anonymous print counters contain nothing identifiable and are not affected.
- Remove a sponsor-waitlist submission by emailing the same address.
This applies whether you're in the EU (GDPR), California (CCPA), or anywhere else.
Email we send you
If you sign in, we may send transactional email (the magic link itself, and occasional service notices like a major schedule correction). You can opt out of non-transactional email from /settings. Magic-link emails are never optional — they're how you sign in.
Children
The site is not directed at children under 13. We don't knowingly collect any data from children. The picks game and waitlist form are intended only for users old enough to enter into the relevant provider's terms (Google: 13+ in the US, varies by region; X: 13+).
Data retention
Account data is retained for as long as your account exists. Inactive accounts (no sign-in for 2 years) may be deleted with 30 days' notice to the account email. Magic-link tokens expire after 30 minutes and are deleted on first use or expiry. Anonymous print counters are kept indefinitely in aggregate form.
Changes
We update this page when our practices change. The "Last updated" date at the top reflects the most recent change. Material changes (new third party, new data type, new scope from a sign-in provider) will also be noted in a banner on the homepage for 30 days.
Contact
Questions, deletion requests, anything else? hello@cupdays.com