Privacy Policy

Last updated: April 20, 2026 Effective date: April 20, 2026

In plain English: We collect as little as possible. We don't sell your data. We use Cloudflare Analytics (no cookies, no tracking) by default. Google Analytics is optional and fully anonymized. Your bracket, your choice.

1. Introduction

This Privacy Policy describes how Bracket 2026 ("we," "us," or "our"), operator of the website bracket2026.com (the "Service"), collects, uses, and shares information about you when you access or use our website, tools, and features.

We are committed to protecting your privacy and complying with applicable laws, including the European Union General Data Protection Regulation (GDPR), the United Kingdom GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Brazilian Lei Geral de Proteção de Dados (LGPD), and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the Service. You may contact us at contact@bracket2026.com with any questions before using the Service.

2. Information We Collect

We collect the minimum amount of information needed to provide our bracket predictor and related features. We have organized the categories below to make it clear what we collect, what we never collect, and why.

2.1 Information You Provide Voluntarily

• Bracket selections: The teams you pick to advance at each round of the tournament. This is stored only in your browser (via localStorage). Nothing is sent to our servers unless you explicitly click Share — in which case the bracket state is encoded into a share URL that travels with the link.
• Support messages: If you contact us via email, we keep the content of your message and your email address for the purpose of responding.

2.2 Information Collected Automatically

• Technical data: Approximate country (derived from Cloudflare's CF-IPCountry header at request time, never stored), browser type, operating system, referring URL, pages viewed, and timestamps.
• Local storage: We use localStorage to save your current bracket so you can return to it. This data stays on your device and is never sent to our servers.
• Analytics: Cloudflare Analytics collects aggregate, privacy-first metrics without cookies or persistent identifiers. Google Analytics 4 (GA4), if enabled, collects anonymized and IP-truncated usage metrics. You can opt out of GA4 at any time through our cookie banner or your browser's Do Not Track signal (see §5).

2.3 Information We Do Not Collect

• We do not store your full IP address on our servers.
• We do not use Facebook Pixel, TikTok Pixel, LinkedIn Insight Tag, or any third-party retargeting pixels.
• We do not sell, rent, or license your personal data to anyone, ever.
• We do not profile you for advertising purposes beyond the contextual placements served by our ad partners.
• We do not collect precise geolocation data (GPS), biometric data, or any category of sensitive personal information as defined by CCPA/CPRA or GDPR Article 9.
• We do not knowingly collect any information from children under 13 (see §8).

3. How We Use Your Information

We use the information we collect for the following specific purposes, and only these purposes:

1. Provide the Service: Render the bracket predictor, let you download printable PDFs, and generate shareable OG images and short-link URLs.
2. Improve the Service: Analyze aggregate usage patterns to fix bugs, identify confusing UI flows, and prioritize new features. This analysis is always performed on aggregated data, never on individual users.
3. Respond to support requests: If you email us, we use your message and email address to reply.
4. Serve contextual ads: We display third-party display ads to cover our operating costs. Our ad partners may set their own cookies; you can manage tracking preferences through your browser settings or, where applicable, through industry opt-out tools such as the Network Advertising Initiative opt-out.
5. Protect the Service: Detect and prevent fraud, spam, and abuse. This may involve temporarily storing IP-level rate-limit counters in Cloudflare KV.
6. Comply with legal obligations: Respond to lawful requests from law enforcement or regulatory authorities, and meet our tax, accounting, and record-keeping obligations.

Under GDPR, our legal bases for processing are (a) performance of a contract with you when you use the Service, (b) our legitimate interest in operating and improving the Service, and (c) your consent (for non-essential cookies and analytics).

4. Cookies and Tracking Technologies

We use the following cookies and similar technologies. You can manage cookie preferences through our cookie consent banner on first visit, or at any time by opening the "Cookie Settings" link in the footer.

Type	Name	Purpose	Duration
Necessary	locale	Remembers language preference	1 year
Necessary	localStorage: bracket2026	Saves your current bracket locally	Until cleared
Analytics	Cloudflare aggregate metrics	Anonymous page-level analytics	Not a cookie
Analytics	_ga, _ga_* (optional)	Google Analytics 4, anonymized	2 years
Advertising	Third-party ad partner cookies	Contextual display ads	Set by ad partner

Necessary cookies cannot be disabled because the Service cannot function without them (for example, keeping you logged in). Analytics and advertising cookies are opt-in in the EU, EEA, UK, and any other region where opt-in consent is required.

5. Your Rights

5.1 Under GDPR (EU / UK / Switzerland)

If you are located in the European Union, European Economic Area, United Kingdom, or Switzerland, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten"), subject to legal retention obligations.
• Restrict or object to processing based on legitimate interest.
• Data portability: Receive your personal data in a structured, commonly used, machine-readable format.
• Withdraw consent at any time (for example, for analytics cookies).
• Lodge a complaint with your national data protection authority. A list is available at edpb.europa.eu.

5.2 Under CCPA / CPRA (California)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and (if applicable) sell.
• Delete personal information we have collected about you.
• Correct inaccurate personal information.
• Opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.
• Limit the use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
• Non-discrimination: We will not deny you service, charge different prices, or provide a different quality of service for exercising your rights.

5.3 Under LGPD (Brazil)

If you are a Brazilian data subject ("titular de dados"), you have the right to:

• Confirmation of the existence of processing.
• Access to your data.
• Correction of incomplete, inaccurate, or outdated data.
• Anonymization, blocking, or deletion of unnecessary or excessive data.
• Data portability to another service provider.
• Information about public or private entities with which we have shared your data.
• Revocation of consent at any time.

You may also contact the Brazilian Autoridade Nacional de Proteção de Dados (ANPD) if you believe your rights have been violated.

5.4 How to Exercise Your Rights

To exercise any of these rights, email contact@bracket2026.com with your request. We will respond within 30 days for GDPR and LGPD requests, and within 45 days for CCPA/CPRA requests. Since we do not maintain user accounts, we may ask you to provide additional context (such as the share URL of a bracket you generated, or details about your visit) so we can locate and act on the relevant data.

We do not charge a fee for responding to rights requests, unless a request is manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act, as permitted by applicable law).

6. Data Sharing and Third-Party Services

We share your data only in the following limited cases, and only with processors and partners who have contractual obligations to protect it:

• Cloudflare (hosting, edge CDN, privacy-first analytics): Cloudflare acts as our infrastructure processor and is subject to Cloudflare's Privacy Policy and Data Processing Addendum.
• Third-party advertising partners (for contextual display ads): Each partner is subject to its own privacy policy, which we link to in our cookie consent banner where applicable.
• Google (optional GA4 analytics only): Subject to Google's Privacy Policy.
• Legal compliance: If required by law, subpoena, or valid legal process.
• Business transfers: In the event of a merger, acquisition, or asset sale, data we hold may be transferred as part of the transaction.

We do not share your data with advertisers, data brokers, affiliate networks, or marketing platforms beyond the processors listed above.

7. Data Retention

• Bracket data: Retained in your browser's localStorage until you clear your browser data or reset your bracket. We do not store your bracket on our servers unless you generate a share link (in which case a short-lived shareable copy is stored to render the link).
• Shared bracket links: A serialized snapshot of the shared bracket is stored so the link can be rendered. Stored indefinitely until the link is unused for an extended period or removed on request.
• Analytics: Cloudflare Analytics stores aggregates only (no individual retention). Google Analytics 4 retains anonymized event data for 14 months (default setting).
• Support messages: Retained for 24 months so we can handle follow-up questions and audit our responses.
• Server access logs: Retained for 30 days for security, fraud prevention, and debugging purposes, then automatically deleted.

8. Children's Privacy (COPPA)

The Service is not directed at children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that we have collected information from a child under 13, please contact contact@bracket2026.com and we will delete it promptly.

Users aged 13–16 in the European Union and European Economic Area require parental consent under GDPR Article 8 before using analytics or advertising features. If you are a parent or guardian in the EU/EEA and have concerns about your child's use of the Service, please contact us.

9. International Data Transfers

Our servers and Cloudflare's infrastructure are global. Data may be processed in the United States, the European Union, Canada, Brazil, or other jurisdictions where Cloudflare or our subprocessors operate.

Where required by law (for example, transfers from the EU/EEA to the United States), transfers rely on the European Commission's Standard Contractual Clauses (SCCs), the UK's International Data Transfer Addendum, or equivalent safeguards. Cloudflare publishes its cross-border data transfer commitments at cloudflare.com/privacypolicy.

10. Security

We protect your data with layered technical and organizational measures:

• HTTPS encryption (TLS 1.3) for all traffic between your browser and our servers.
• Cloudflare's DDoS protection, Web Application Firewall, and rate limiting.
• Encrypted storage in Cloudflare D1 (at rest).
• Principle of least privilege for internal access, with audit logging.
• Regular dependency and vulnerability review.

No system is perfectly secure. If we become aware of a personal data breach affecting your information, we will notify you and, where required, the appropriate supervisory authority within 72 hours of becoming aware of it (per GDPR Article 33) or as otherwise required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, new features, or legal requirements. When we make material changes, we will announce them via a banner on the site. The "Last updated" date at the top of this policy always reflects the most recent revision.

Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions, data requests, or to report a concern:

• Email: contact@bracket2026.com
• Mailing address: Bracket 2026, Privacy Team — address available on request for verified data subject requests.

For general questions, see our About page. For our Terms of Service, see bracket2026.com/terms.

---

This Privacy Policy is authored in English. Translations into other site languages, when available, are provided for convenience only — in case of any conflict or inconsistency between versions, the English version prevails.