Privacy Policy

Bracket Goblin (“Bracket Goblin,” “we,” “us,” or “our”) is a bracket pool web app operated by bracketgoblin.com. This Privacy Policy explains what information we collect when you use the website at bracketgoblin.com and related subdomains (the “Service”), how we use it, and the rights you have over it.

If you have questions about this policy or your data, contact us at [privacy@bracketgoblin.com].

We collect only what we need to run the Service:

• Account information. When you sign up or are invited to a league, we collect your email address, a display name, and an encrypted password (or, if you sign in with a third-party provider, the basic profile information that provider returns).
• League activity. The leagues you belong to, your role in those leagues (member, admin), your bracket picks, bonus picks, and any related timestamps.
• Authentication metadata. Login timestamps, password reset and email confirmation events, and similar lifecycle data used to operate and secure your account.
• Email delivery metadata. Limited delivery status information (sent, delivered, bounced) for transactional emails we send to you, such as invites and password resets.
• Technical data. Standard server logs from our hosting provider, including IP address, browser user agent, and request timestamps, used for security and debugging.
• Bug reports. When you voluntarily submit a bug report (either by clicking “Report a bug” or the “Report this bug” button on an error screen), we collect the page URL, browser user agent, viewport size, app version, and a short window of recent browser console output to help us diagnose the issue. Console output is a technical log from your browser session and may incidentally include identifiers tied to your account; we make reasonable efforts to filter out sensitive values such as authentication tokens and email addresses before storage, but cannot guarantee complete redaction. Screenshots are never captured automatically — they are included only if you explicitly attach one to your report. Bug reports are linked to your account (user ID and email) so we can investigate and follow up with you if needed.

We do not use third-party advertising networks, analytics trackers, or social tracking pixels.

• To create and maintain your account and your leagues.
• To record and display your bracket picks, scores, and leaderboards.
• To send transactional emails (invites, password resets, email confirmations, league notifications).
• To secure the Service against abuse, fraud, and unauthorized access.
• To respond to your support requests.
• To comply with legal obligations.

We do not sell your personal information, and we do not share it with third parties for their own marketing.

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR:

• Contract: processing necessary to provide you the Service you signed up for.
• Legitimate interests: securing the Service, preventing abuse, and improving reliability.
• Consent: where required, e.g. for optional communications. You can withdraw consent at any time.
• Legal obligation: where applicable law requires us to retain or disclose information.

We use a small number of vendors to operate the Service. These providers process data on our behalf under their own privacy and security commitments:

• Hosting and database: our application, database, authentication, and file storage are provided through Lovable Cloud (which is built on Supabase) and the underlying cloud infrastructure they use.
• Email delivery: transactional emails are sent through our email delivery provider.

We share with these providers only the data they need to deliver their services to us.

We keep your account information and league data for as long as your account is active. If you delete your account, we will delete or anonymize your personal information within a reasonable period, except where we are required to keep it for legal, security, or fraud-prevention reasons. Server logs are retained for a limited period for security and debugging.

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Delete your account and associated personal information (subject to limited exceptions).
• Export your information in a portable format.
• Object to or restrict certain processing.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email us at [privacy@bracketgoblin.com]. We will respond within the time period required by applicable law.

If you are a California resident, you have the right to know what personal information we collect, the right to request deletion of your personal information, the right to correct inaccurate information, and the right not to be discriminated against for exercising these rights.

Categories of personal information we collect are described in Section 2 above. We do not “sell” or “share” personal information as those terms are defined under California law, and we do not use or disclose sensitive personal information for purposes that require a right to limit under the CPRA.

To submit a request, email [privacy@bracketgoblin.com] from the email address associated with your account so we can verify your identity. Authorized agents may submit requests on your behalf with written proof of authorization.

We use a small number of strictly necessary cookies and similar storage (for example, to keep you signed in). We do not use advertising cookies or third-party analytics cookies.

We use industry-standard safeguards including encryption in transit, hashed passwords, and role-based access controls to protect your information. No system is perfectly secure, however, and we cannot guarantee the absolute security of your data.

The Service is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

We and our service providers may process your information in countries other than your own, including the United States. Where required, we rely on appropriate safeguards such as standard contractual clauses to protect your information.

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date above and, where appropriate, notify you through the Service or by email.

Questions, requests, or complaints? Email [privacy@bracketgoblin.com].