Privacy Policy
Your data, handled with care.
Last updated: May 2026
LuckyMooze collects only what is needed to run the game. Here's exactly what we gather and why.
What we collect
- Google profile — your name, email address, and profile picture, obtained when you sign in with Google.
- Predictions — the score predictions you submit for each match.
- League activity — leagues you create or join, including your league name and invite codes.
- Outright picks — your tournament winner selections.
How we use your data
- To run the prediction game and calculate your scores.
- To display your name and avatar on leaderboards and within leagues.
- To let you and your friends compete in private leagues.
- We do not sell, rent, or share your data for advertising purposes.
Legal basis for processing
- Contract performance (Art. 6(1)(b)) — your name, predictions, and league activity are processed to deliver the service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — anonymised usage and performance data is collected via PostHog and Vercel to understand how the app is used and to improve it. Events are not linked to your identity — no
identify()call is made, and person profiles are never created for anonymous visitors. You can opt out at any time by emailing support@luckymooze.com.
How we store your data
Your data is stored in Supabase (PostgreSQL database and authentication service). LuckyMooze is hosted on Vercel. Match data is sourced from the Football Data API. We take reasonable precautions to keep your data secure, but no internet transmission is 100% secure. When you delete your account, all your data is removed immediately and permanently from our database. Supabase, as our database provider, may retain encrypted backups for up to 30 days before they are purged.
Security
We take the security of your data seriously. LuckyMooze implements reasonable technical and organisational measures to protect your information, including encrypted connections (HTTPS), row-level security on the database, and authentication handled by Supabase. We may require our third-party service providers to uphold equivalent security standards. No method of internet transmission is completely secure, and we cannot guarantee absolute security.
Cookies
We use a small number of cookies, all of which are described below. We do not use advertising or third-party tracking cookies.
Supabase Auth session cookie — strictly necessary. Keeps you signed in. Without it the app cannot function.
PostHog analytics cookie (ph_*) — non-essential. Set by PostHog for usage analytics (page views, navigation patterns). It never contains your name or email. For signed-in users it is linked to a pseudonymous account identifier so usage can be measured per user across devices; for logged-out visitors it is not linked to any account. You can opt out by emailing support@luckymooze.com.
We also store a small flag in your browser's local storage to remember that you have accepted our terms on the sign-in page. This contains no personal data and can be cleared at any time by clearing your browser's site data. LuckyMooze uses a service worker to cache static assets (scripts, styles, images) on your device for faster loading. No personal data is stored in this cache. Authentication and API requests are never intercepted by the service worker.
Third-party services
- Google OAuth — handles sign-in and provides your name, email address, and profile picture. Acts as a data processor on our behalf. Governed by Google's Privacy Policy.
- Supabase — stores and manages all user data as our database and authentication provider. Data is encrypted in transit and at rest. Governed by Supabase's Privacy Policy.
- Vercel — hosts the app and collects anonymised page-view and performance data via Vercel Analytics and Speed Insights. No personally identifiable information is sent through these tools. Governed by Vercel's Privacy Policy.
- PostHog — provides product analytics (page views, navigation patterns, and in-app actions). For signed-in users, activity is linked to a pseudonymous account identifier — never your name or email — so we can measure unique usage across devices. Logged-out visitors remain anonymous and are not profiled. Data is stored on PostHog's EU infrastructure. You can request deletion of your analytics data, or opt out, by emailing support@luckymooze.com. Governed by PostHog's Privacy Policy.
- Football Data API — provides match fixtures and results only. No personal data is sent to this service.
Your rights
Under GDPR, you have the following rights regarding your personal data:
- Access (Art. 15) — request a summary of the data we hold about you.
- Rectification (Art. 16) — ask us to correct inaccurate data.
- Erasure (Art. 17) — delete your account instantly from your profile settings, or email us to request deletion.
- Restriction (Art. 18) — ask us to pause processing your data.
- Portability (Art. 20) — request a copy of your data in a readable format.
- Objection (Art. 21) — object to processing based on legitimate interests.
To exercise any of these rights, email support@luckymooze.com. We will respond within 30 days.
Children
LuckyMooze is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has provided us data, please contact us and we will delete it promptly.
Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will reflect any changes. If you disagree with any changes, you can delete your account from your profile settings at any time.
At a glance
The short version
We built LuckyMooze for fun, not data mining. Here's what matters most.
No ads, ever
We never sell or share your data for advertising.
Minimal collection
Only what is needed to run the game.
No ad cookies
No advertising or third-party tracking cookies. Analytics never use your name or email, and are opt-out.
Delete anytime
Delete your account instantly from your profile settings.