Privacy Policy

Last updated: April 20, 2026 Effective date: April 20, 2026

In plain English: We collect as little as possible. We don't sell your data. We use Cloudflare Analytics (no cookies, no tracking) by default. Google Analytics is optional and fully anonymized. Your bracket, your choice.

1. Introduction

This Privacy Policy describes how Bracket 2026 ("we," "us," or "our"), operator of the website bracket2026.com (the "Service"), collects, uses, and shares information about you when you access or use our website, tools, and features.

We are committed to protecting your privacy and complying with applicable laws, including the European Union General Data Protection Regulation (GDPR), the United Kingdom GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Brazilian Lei Geral de Proteção de Dados (LGPD), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the Service. You may contact us at contact@bracket2026.com with any questions before using the Service.

2. Information We Collect

We collect the minimum amount of information needed to provide our bracket predictor and related features. We have organized the categories below to make it clear what we collect, what we never collect, and why.

2.1 Information You Provide Voluntarily

• Bracket selections: The teams you pick to advance at each round of the tournament. This is stored locally in your browser (via localStorage) so you can return to your bracket, share it with others, and compare it against public picks. If you opt in to save your bracket to an account, a copy is also stored on our servers.
• Display name (optional): A name shown on public leaderboards or inside private leagues. If omitted, you are assigned a randomly generated anonymous name (e.g., "Swift-Puma-4812"). Display names should not contain personally identifying information about anyone other than yourself.
• Email address (optional): Only if you choose to create an account to save brackets across devices or create a private league. We use email only for login (magic links) and critical service updates. We do not send marketing emails.
• League data: League names, invitation codes, and member scores (if you create or participate in a private league).
• Support messages: If you contact us, we keep the content of your message and your email address for the purpose of responding.

2.2 Information Collected Automatically

• Technical data: Approximate country (derived from Cloudflare's CF-IPCountry header at request time, never stored), browser type, operating system, referring URL, pages viewed, and timestamps.
• Local storage: We use localStorage to save your current bracket so you can return to it without logging in. This data stays on your device and is not sent to our servers unless you explicitly create an account and save it.
• Session cookies: If you log in, we use a secure session cookie to keep you logged in for that session.
• Analytics: Cloudflare Analytics collects aggregate, privacy-first metrics without cookies or persistent identifiers. Google Analytics 4 (GA4), if enabled, collects anonymized and IP-truncated usage metrics. You can opt out of GA4 at any time through our cookie banner or your browser's Do Not Track signal (see §5).

2.3 Information We Do Not Collect

• We do not store your full IP address on our servers.
• We do not use Facebook Pixel, TikTok Pixel, LinkedIn Insight Tag, or any third-party retargeting pixels.
• We do not sell, rent, or license your personal data to anyone, ever.
• We do not profile you for advertising purposes beyond Google AdSense's standard contextual ad placements.
• We do not collect precise geolocation data (GPS), biometric data, or any category of sensitive personal information as defined by CCPA/CPRA or GDPR Article 9.
• We do not knowingly collect any information from children under 13 (see §8).

3. How We Use Your Information

We use the information we collect for the following specific purposes, and only these purposes:

1. Provide the Service: Save your bracket, calculate scores as match results come in, display public and private leaderboards, operate private leagues, and generate shareable images and links.
2. Improve the Service: Analyze aggregate usage patterns to fix bugs, identify confusing UI flows, and prioritize new features. This analysis is always performed on aggregated data, never on individual users.
3. Communicate with you: Send transactional emails such as login magic links, private league invitations, and critical service announcements (for example, if we have a data breach to disclose). We do not send marketing emails unless you explicitly opt in.
4. Serve contextual ads: We display Google AdSense ads to cover our operating costs. Google may use cookies to personalize ads based on your browsing on other sites; you can manage those preferences at Google Ads Settings.
5. Protect the Service: Detect and prevent fraud, spam, brute-force login attempts, and abuse. This may involve temporarily storing IP-level rate-limit counters in Cloudflare KV.
6. Comply with legal obligations: Respond to lawful requests from law enforcement or regulatory authorities, and meet our tax, accounting, and record-keeping obligations.

Under GDPR, our legal bases for processing are (a) performance of a contract with you when you use the Service, (b) our legitimate interest in operating and improving the Service, and (c) your consent (for non-essential cookies and analytics).

4. Cookies and Tracking Technologies

We use the following cookies and similar technologies. You can manage cookie preferences through our cookie consent banner on first visit, or at any time by opening the "Cookie Settings" link in the footer.

Type	Name	Purpose	Duration
Necessary	session	Keeps you logged in	Session
Necessary	locale	Remembers language preference	1 year
Necessary	localStorage: bracket2026	Saves your current bracket locally	Until cleared
Analytics	Cloudflare aggregate metrics	Anonymous page-level analytics	Not a cookie
Analytics	_ga, _ga_* (optional)	Google Analytics 4, anonymized	2 years
Advertising	__gads, _gcl_au (AdSense)	Contextual ads	13 months

Necessary cookies cannot be disabled because the Service cannot function without them (for example, keeping you logged in). Analytics and advertising cookies are opt-in in the EU, EEA, UK, and any other region where opt-in consent is required.

5. Your Rights

5.1 Under GDPR (EU / UK / Switzerland)

If you are located in the European Union, European Economic Area, United Kingdom, or Switzerland, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten"), subject to legal retention obligations.
• Restrict or object to processing based on legitimate interest.
• Data portability: Receive your personal data in a structured, commonly used, machine-readable format.
• Withdraw consent at any time (for example, for analytics cookies).
• Lodge a complaint with your national data protection authority. A list is available at edpb.europa.eu.

5.2 Under CCPA / CPRA (California)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and (if applicable) sell.
• Delete personal information we have collected about you.
• Correct inaccurate personal information.
• Opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.
• Limit the use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
• Non-discrimination: We will not deny you service, charge different prices, or provide a different quality of service for exercising your rights.

5.3 Under LGPD (Brazil)

If you are a Brazilian data subject ("titular de dados"), you have the right to:

• Confirmation of the existence of processing.
• Access to your data.
• Correction of incomplete, inaccurate, or outdated data.
• Anonymization, blocking, or deletion of unnecessary or excessive data.
• Data portability to another service provider.
• Information about public or private entities with which we have shared your data.
• Revocation of consent at any time.

You may also contact the Brazilian Autoridade Nacional de Proteção de Dados (ANPD) if you believe your rights have been violated.

5.4 How to Exercise Your Rights

To exercise any of these rights, email contact@bracket2026.com with your request. We will respond within 30 days for GDPR and LGPD requests, and within 45 days for CCPA/CPRA requests. We may ask you to verify your identity before processing your request by confirming the email address associated with your account or, for anonymous visitors, by providing additional context about your visit.

We do not charge a fee for responding to rights requests, unless a request is manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act, as permitted by applicable law).

6. Data Sharing and Third-Party Services

We share your data only in the following limited cases, and only with processors and partners who have contractual obligations to protect it:

• Cloudflare (hosting, edge CDN, D1 database, privacy-first analytics): Cloudflare acts as our infrastructure processor and is subject to Cloudflare's Privacy Policy and Data Processing Addendum.
• Google (AdSense for contextual ads, optional GA4): Subject to Google's Privacy Policy.
• Resend (transactional email, if you create an account): Used only to deliver login magic links and league invitations.
• Legal compliance: If required by law, subpoena, or valid legal process.
• Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of the transaction. You will be notified in advance and given the opportunity to delete your account.

We do not share your data with advertisers, data brokers, affiliate networks, or marketing platforms beyond the processors listed above.

7. Data Retention

• Bracket data (local): Retained in your browser's localStorage until you clear your browser data or reset your bracket.
• Bracket data (account-based): Retained as long as your account exists. Deleted within 30 days of an account deletion request.
• Account data: Retained until you delete your account.
• League data: Retained until the league owner deletes the league, or indefinitely if the league is left public.
• Analytics: Cloudflare Analytics stores aggregates only (no individual retention). Google Analytics 4 retains anonymized event data for 14 months (default setting).
• Support messages: Retained for 24 months so we can handle follow-up questions and audit our responses.
• Server access logs: Retained for 30 days for security, fraud prevention, and debugging purposes, then automatically deleted.

8. Children's Privacy (COPPA)

The Service is not directed at children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that we have collected information from a child under 13, please contact contact@bracket2026.com and we will delete it promptly.

Users aged 13–16 in the European Union and European Economic Area require parental consent under GDPR Article 8. If you are a parent or guardian in the EU/EEA and believe your child has created an account without your consent, please contact us and we will take appropriate action.

9. International Data Transfers

Our servers and Cloudflare's infrastructure are global. Data may be processed in the United States, the European Union, Canada, Brazil, or other jurisdictions where Cloudflare or our subprocessors operate.

Where required by law (for example, transfers from the EU/EEA to the United States), transfers rely on the European Commission's Standard Contractual Clauses (SCCs), the UK's International Data Transfer Addendum, or equivalent safeguards. Cloudflare publishes its cross-border data transfer commitments at cloudflare.com/privacypolicy.

10. Security

We protect your data with layered technical and organizational measures:

• HTTPS encryption (TLS 1.3) for all traffic between your browser and our servers.
• Cloudflare's DDoS protection, Web Application Firewall, and rate limiting.
• Encrypted storage in Cloudflare D1 (at rest).
• Principle of least privilege for internal access, with audit logging.
• Regular dependency and vulnerability review.

No system is perfectly secure. If we become aware of a personal data breach affecting your information, we will notify you and, where required, the appropriate supervisory authority within 72 hours of becoming aware of it (per GDPR Article 33) or as otherwise required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, new features, or legal requirements. When we make material changes, we will announce them via a banner on the site and, if you have an account, by email. The "Last updated" date at the top of this policy always reflects the most recent revision.

Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions, data requests, or to report a concern:

• Email: contact@bracket2026.com
• Mailing address: Bracket 2026, Privacy Team — address available on request for verified data subject requests.

For general questions, see our About page. For our Terms of Service, see bracket2026.com/terms.

---

This Privacy Policy is available in English, Spanish, and Portuguese. In case of any conflict or inconsistency between versions, the English version prevails.