Privacy Policy

Last updated: May 14, 2026

This Privacy Policy explains what personal data Club26 collects when you use our website, mobile app, or waitlist, why we collect it, and the rights you have. This document is provided in plain language — placeholder text pending legal review (LEGAL REVIEW).

Data controller

The data controller for Club26 is Club26 (contact: privacy@club26.app). If you have any questions about this policy, you can write to that address at any time.

Data we collect

• Waitlist signup: first name, last name, email address, newsletter opt-in choice. • When you use the app: account email, your predictions, your cards, the groups you create or join. • Technical data: device type, OS version, app version, language, crash reports, and push notification tokens. • Analytics: anonymous usage events to help us understand which features work.

Why we use your data

• To notify you when the app launches and send you the newsletter if you opted in. • To run the prediction game: store your picks, calculate scores, award cards. • To operate friend groups and leaderboards. • To fix bugs, prevent abuse, and improve the product.

Lawful basis (GDPR)

We process your data under one of these bases: your consent (newsletter, optional analytics), performance of a contract (running your account), or our legitimate interest (security, fraud prevention, product improvement).

Third parties we share data with

We share the minimum data needed with these processors: • Supabase — database and authentication (hosted in the EU). • Resend — transactional email and newsletter delivery. • Vercel — website and API hosting. We do not sell your data, and we do not share it with advertisers.

How long we keep your data

Waitlist data is kept until you unsubscribe or the waitlist closes. Account data is kept for as long as your account is active and for up to 30 days after deletion (see Account Deletion). Backups are rotated within 90 days.

Your rights

Under GDPR and similar laws (CCPA in California), you have the right to access, correct, export, or delete your data, and to object to or restrict certain processing. To exercise any of these rights, email privacy@club26.app — we respond within 30 days.

Security

Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted and logged. No system is perfectly secure, but we follow industry best practices and review our setup regularly.

International transfers

Your data is processed primarily in the European Union. Where a processor operates outside the EU, transfers are covered by Standard Contractual Clauses or equivalent safeguards.

Children

Club26 is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has shared data with us, contact privacy@club26.app and we will delete it.

Changes to this policy

We may update this policy from time to time. When we do, we update the date at the top and, for material changes, notify you by email or in-app.

Contact

Questions, requests, or complaints: privacy@club26.app. You also have the right to lodge a complaint with your local data protection authority (in France: the CNIL).