Privacy Policy

1. Who We Are & Data Controller Identity

World Cup Stats is a sports data analytics and AI-powered statistical modeling platform. We provide informational insights and predictive analytics related to FIFA World Cup 2026 and other global soccer competitions.

For the purposes of applicable data protection laws, including the EU GDPR and UK GDPR, we act as the Data Controller of your personal data — meaning we determine the purposes and means of processing your information.

2. Data We Collect

2.1 Data You Provide Directly

When you join our waitlist, subscribe to our newsletter, or create an account, we collect:

• First name and last name
• Email address
• Country of residence
• Sports and betting preferences (e.g., which sport or competition you follow)
• Subscription tier preference
• Payment information (processed by our payment provider — we do not store card details)
• Communications you send us (support requests, feedback)

2.2 Data Collected Automatically

When you visit our website or use our platform, we automatically collect:

• IP address and derived approximate location (country/city level)
• Browser type, version, and language settings
• Device type, operating system, and screen resolution
• Pages visited, time on page, scroll depth, and click patterns
• Referring website or traffic source
• Date, time, and duration of your visit
• Unique device identifiers and cookie identifiers
• Session recordings (if applicable — you will be notified)

2.3 Data from Third Parties

We may receive data about you from:

• Analytics providers (e.g., Google Analytics) regarding your behaviour on our site
• Advertising platforms if you clicked an ad to reach us
• Payment processors confirming transaction status
• Social media platforms if you interact with our social content

2.4 Special Category Data

We do not intentionally collect special category data as defined under GDPR Article 9 (health, biometric, racial, religious, political, or sexual orientation data). If you voluntarily disclose such information in communications to us, we will handle it with the highest level of protection and delete it unless strictly necessary.

3. Legal Basis for Processing (GDPR)

Where we rely on consent as our legal basis, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal. You can withdraw consent by emailing us or using the unsubscribe link in any email.

Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) and determined that our interests do not override your fundamental rights and freedoms.

4. How We Use Your Data

We use your personal data strictly for the following purposes:

4.1 Service Delivery

• Processing your waitlist registration and reserving your founding member discount
• Delivering platform access notifications before launch
• Sending AI-generated match insights and alerts you have subscribed to
• Processing subscription payments and managing your account

4.2 Communications

• Sending transactional emails (confirmations, receipts, account updates)
• Sending marketing communications where you have consented or where permitted by law
• Responding to your support inquiries and feedback

4.3 Platform Improvement

• Analyzing usage patterns to improve our AI prediction models
• Conducting A/B testing on platform features
• Understanding which sports and competitions attract most interest
• Improving the accuracy and relevance of our analytics

4.4 Legal & Security

• Detecting and preventing fraud, abuse, and unauthorized access
• Complying with legal obligations across all applicable jurisdictions
• Establishing, exercising, or defending legal claims
• Enforcing our Terms of Service

4.5 What We Will Never Do

• Sell your personal data to any third party — ever
• Use your data for political advertising or targeting
• Share your data with sportsbooks or gambling operators
• Use your data in ways incompatible with the purposes listed above without your consent

5. Data Sharing & Third Parties

We share your data only in limited, controlled circumstances:

5.1 Service Providers (Data Processors)

We engage trusted third-party processors who act on our instructions only. All processors are bound by Data Processing Agreements (DPAs) compliant with GDPR Article 28:

• Email delivery: [e.g., Mailchimp, Resend, ConvertKit] — for sending newsletters and transactional emails
• Cloud infrastructure: [e.g., AWS, Google Cloud, Vercel] — for hosting our platform
• Analytics: [e.g., Google Analytics, Plausible] — for understanding platform usage
• Payment processing: [e.g., Stripe] — for handling subscription payments securely
• Customer support: [e.g., Intercom, Zendesk] — for managing support tickets
• Data storage: [e.g., Airtable, Google Workspace] — for internal operations

5.2 Legal Disclosure

We may disclose your data if required by law, court order, regulatory authority, or governmental request in any jurisdiction. We will notify you where legally permitted to do so before complying.

5.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the acquiring entity. We will notify you via email and prominent website notice at least 30 days before your data becomes subject to a different privacy policy, and you will have the right to delete your account before the transfer.

5.4 Aggregated & Anonymized Data

We may share aggregated, anonymized, and de-identified data (which cannot identify you) with partners, researchers, or the public for analytical and reporting purposes. This is not personal data and is not subject to this policy.

6. International Data Transfers

Where we transfer personal data internationally, we rely on one or more of the following mechanisms:

• Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate protection
• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs incorporated into contracts with all international processors
• UK International Data Transfer Agreements (IDTAs): For transfers from the UK
• Binding Corporate Rules: Where applicable for intra-group transfers
• Derogations under Article 49: Where transfers are necessary for the performance of a contract with you

You may request a copy of the transfer safeguards we use by contacting our DPO at the address in Section 19.

7. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our retention schedule:

After retention periods expire, data is securely deleted or irreversibly anonymized. You may request earlier deletion subject to our legal obligations — see Section 8.

8. Your Rights — Global

Regardless of your location, we extend the following rights to all users of our platform:

To exercise any right, email us at Info@statsworldcup.com with subject line "Privacy Rights Request." We respond within 30 days (extendable to 60 days for complex requests with notice).

9. EU & UK Residents — Full GDPR Rights

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following additional rights under GDPR/UK GDPR:

• Art. 15 — Right of Access: Obtain confirmation of whether we process your data and a full copy of it
• Art. 16 — Right to Rectification: Correct inaccurate data without undue delay
• Art. 17 — Right to Erasure: Request deletion where data is no longer necessary, consent is withdrawn, or processing is unlawful
• Art. 18 — Right to Restriction: Restrict processing while accuracy is contested or objection is considered
• Art. 20 — Right to Data Portability: Receive data in structured, commonly used, machine-readable format
• Art. 21 — Right to Object: Object to processing based on legitimate interests or for direct marketing at any time
• Art. 22 — Automated Decision-Making: Not be subject to solely automated decisions that significantly affect you — see Section 16
• Art. 7(3) — Withdraw Consent: Withdraw any consent given at any time without detriment

We will respond to all GDPR rights requests within one calendar month as required by Article 12. We will not charge a fee for reasonable requests. For manifestly unfounded or excessive requests, we reserve the right to charge a reasonable fee or refuse, with written explanation.

10. California Residents — CCPA / CPRA Rights

If you are a California resident, you have the following rights under the CCPA and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of personal information we collect, use, disclose, and sell about you in the past 12 months
• Right to Delete: Request deletion of personal information we have collected, subject to legal exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out required.
• Right to Limit Sensitive Personal Information: Limit our use of sensitive personal information to necessary purposes
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights

To submit a CCPA request, email Info@statsworldcup.com with subject "CCPA Request." We will verify your identity before processing. You may designate an authorized agent to make requests on your behalf with written authorization.

Categories of Personal Information Collected (CCPA): Identifiers (name, email, IP address); Internet/electronic activity (browsing behavior, usage data); Geolocation data (country-level); Commercial information (subscription preferences); Inferences drawn to create a profile.

11. Other Jurisdiction-Specific Rights

12. Cookies & Tracking Technologies

12.1 Types of Cookies We Use

12.2 Cookie Consent

On your first visit, we display a cookie consent banner. For users in the EEA and UK, we obtain explicit opt-in consent for all non-essential cookies before placing them, in compliance with the EU ePrivacy Directive and UK PECR. You can change your cookie preferences at any time via our Cookie Preference Centre accessible in the website footer.

12.3 Do Not Track

Some browsers offer a "Do Not Track" (DNT) signal. We honor DNT signals where technically feasible. We do not use cross-site tracking for advertising purposes.

13. Children's Privacy

If we become aware that we have collected data from a person under 18, we will immediately delete all such data from our systems. If you believe we have inadvertently collected data from a minor, please contact us immediately at Info@statsworldcup.com.

For users in jurisdictions requiring parental consent for minors (e.g., COPPA in the US for under-13s), we implement additional age verification measures. We do not direct any marketing to minors.

14. Data Security

We implement a comprehensive information security program including the following technical and organizational measures (TOMs) required under GDPR Article 32:

Technical Measures

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption for sensitive data at rest
• Multi-factor authentication (MFA) for all internal systems
• Regular automated vulnerability scanning and penetration testing
• Web Application Firewall (WAF) and DDoS protection
• Access controls based on principle of least privilege
• Automated intrusion detection and monitoring
• Regular encrypted backups with tested restoration procedures

Organizational Measures

• Data protection training for all staff handling personal data
• Signed confidentiality agreements for all employees and contractors
• Privacy by Design and by Default in all new features (GDPR Article 25)
• Data Protection Impact Assessments (DPIAs) for high-risk processing activities
• Documented data processing records (GDPR Article 30)
• Vendor security assessments before onboarding any data processor

While we apply industry-leading security measures, no system is 100% impenetrable. In the event of a breach, we follow the notification procedures in Section 15.

15. Data Breach Notification

In the event of a personal data breach, we follow a strict response protocol:

• Within 72 hours: Notify the relevant supervisory authority (e.g., lead EU DPA, ICO in the UK) where the breach is likely to result in a risk to individuals' rights and freedoms — as required by GDPR Article 33
• Without undue delay: Notify affected individuals directly where the breach is likely to result in a high risk to their rights and freedoms — GDPR Article 34
• Notification content: Nature of the breach, categories and approximate number of individuals affected, likely consequences, measures taken or proposed
• Documentation: All breaches are logged internally regardless of notification obligation

16. Automated Decision-Making & Profiling

Our platform uses AI and automated systems to generate sports analytics and betting insights. We want to be transparent about how this works:

• Our AI models analyze match data, odds, and statistical variables to produce confidence scores and recommendations
• These outputs are informational only — they do not constitute decisions that produce legal or similarly significant effects on individuals
• We do not make automated decisions about individuals' creditworthiness, eligibility for services, or any other legally significant matter based on personal data
• We may create user profiles based on your sport preferences and usage patterns to personalize content — you have the right to object to this profiling under GDPR Article 21

If you wish to object to any profiling activity, contact us at Info@statsworldcup.com.

17. Third-Party Links

Our platform may contain links to third-party websites including sports data providers, sportsbooks, news sources, and social media platforms. These sites have their own privacy policies which we do not control and are not responsible for. We encourage you to review the privacy policy of any third-party site you visit. Our linking to a site does not constitute endorsement of their privacy practices.

18. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Send email notification to all registered users and waitlist members at least 30 days before changes take effect
• Display a prominent notice on our website
• Where required by law (e.g., GDPR), seek fresh consent for any new processing activities

Your continued use of the platform after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with changes, you may delete your account before they take effect.

19. Data Protection Officer & Contact

If you are in the EEA or UK and we are required to appoint a Data Protection Officer (DPO) under GDPR Article 37, our DPO contact details are listed above. Our DPO is independent and reports directly to senior management.

20. Supervisory Authority Complaints

You have the right to lodge a complaint with your local data protection supervisory authority at any time. We encourage you to contact us first so we can resolve your concern directly, but you are not required to do so.