TopGaffer

Privacy Policy

Last updated: 10 May 2026

TopGaffer ("we", "us") is a strategic football prediction game. This policy explains what we collect, why, and the choices you have. We aim to keep this short and honest. If anything's unclear, email support@topgaffer.com.

1. Who we are

TopGaffer is operated as a sole-trader project based in the United Kingdom. For data protection purposes, the data controller is contactable at support@topgaffer.com. We'll confirm the controller's full legal identity in writing to anyone who requests it for a legitimate purpose (e.g. a UK ICO inquiry).

2. What we collect

  • Account info — email address (so you can sign in), and a username you choose. We don't collect your real name.
  • If you sign in with Google — we receive your email address and Google account identifier from Google. We do not request any other Google profile data.
  • Your picks — every prediction you make is stored against your account so we can compute scores and leaderboards.
  • Group + friend connections — which private groups you're in, and which other players you've added as friends.
  • Server logs — IP address, user agent, and request paths, kept for a short period (≤30 days) for security and abuse prevention.

We do not collect: payment information, location, browsing history, or device IDs.

3. Why we collect it (lawful basis under UK GDPR)

  • To run the service — sign-in, picks, leaderboards, group membership. Lawful basis: contract (necessary to provide the service you signed up for).
  • Transactional emails — magic-link sign-in, deadline reminders, post-match recaps. Lawful basis: contract for sign-in mail; legitimate interest for reminders/recaps. You can disable reminders any time.
  • Security and abuse prevention — server logs. Lawful basis: legitimate interest.

We do not use your data for advertising, profiling, or marketing.

4. Who we share with (sub-processors)

We don't sell your data. The third parties below help us run TopGaffer and are bound by data processing agreements:

  • Supabase (database + authentication, EU-West region)
  • Netlify (web hosting)
  • Resend (transactional email)
  • Cloudflare (DNS + email forwarding for the support address)
  • API-Football (we send fixture/team identifiers; we never send your personal data to them)
  • Google — for sign-in with Google (OAuth, only if you choose it) and, if you accept analytics cookies, Google Analytics 4 for aggregated page-view + feature-usage stats. We do not share user data with Google for advertising purposes.
  • GitHub (CI for our scheduled jobs; no user data is exposed to GitHub)

5. Cookies and analytics

We use two categories of cookies:

  • Strictly necessary — sign-in and session management. These are required for the service to work and don't need consent.
  • Analytics (Google Analytics 4) — page views and a small number of feature events (e.g. account created, pick made) so we can see which parts of the app are used. IP addresses are anonymised. We don't use this for advertising, profiling, or selling data. These cookies only load if you click "Accept" on the cookie banner. Click "Reject" to opt out — the service still works exactly the same.

You can change your decision any time by clearing the tg.consent.v1 entry in your browser's local storage, or by clearing site data. A self-serve "manage cookies" link is on the launch list.

6. How long we keep it

We keep your account data for as long as you have an active account. When you delete your account, we permanently remove your profile and predictions. Past leaderboard standings are anonymised (your username is replaced with "Deleted Gaffer") so historical results stay intact for other players.

Server logs are deleted within 30 days.

7. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and personal data
  • Export your data in a machine-readable format
  • Object to processing or withdraw consent (where consent is the basis)
  • Lodge a complaint with the UK ICO (ico.org.uk)

To exercise any of these, email support@topgaffer.com. Most are also self-serve in your profile settings.

8. Children

TopGaffer is not intended for children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has signed up, contact us and we'll delete the account.

9. International transfers

Your data is stored in the EU (Supabase EU-West region). Some sub-processors (e.g. Resend) may transfer data outside the UK/EU under standard contractual clauses approved by the UK ICO.

10. Changes to this policy

We'll update this page if our practices change and bump the "Last updated" date at the top. Material changes will be communicated by email to active accounts.

11. Contact

Questions or requests: support@topgaffer.com.