Privacy policy
This policy explains what personal data Flagside.football collects when you visit the site, why we collect it, how long we keep it, and the rights you have over it. It is written to comply with applicable data-protection law, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable US state privacy laws.
1. Who we are
Flagside.football ("Flagside", "we", "us") operates flagside.football and its subdomains. Under applicable data-protection law we are the "controller" — or, in US state-law terminology, the "business" — responsible for the personal data described below, meaning we determine the purposes and means by which it is processed.
For privacy matters, you can reach us at privacy@flagside.football. If you would prefer to write to a person, the request will be handled by our editorial lead until a dedicated privacy officer is in place.
2. The personal data we collect
We try to collect as little personal data as we reasonably can. There are three categories.
(a) Visiting the site. When you load a page on flagside.football, our hosting provider records technical details that are unavoidable for the site to work and to keep it secure: your IP address (truncated where reasonable), the page URL, the request method, the response status, the user-agent string of your browser, and a timestamp. These records are kept in server logs for up to 30 days for diagnostic and security purposes.
(b) Analytics. We use a privacy-respecting analytics service to understand which pages are read and roughly where readers are coming from. The metrics we look at are aggregated and pseudonymous — no fingerprinting cookies, no cross-site tracking, no advertising IDs. You can opt out of analytics in your browser at any time.
(c) Communicating with us. If you contact us by email — for instance to send a tip, a correction, or a privacy request — we receive your email address, your message, and any attachments you choose to send. We hold that correspondence for as long as it is operationally useful (typically up to 24 months), then delete it.
We do not knowingly collect health data, biometric data, sexual-orientation data, or any other sensitive personal information as defined under applicable data-protection law. We do not collect any data from anyone we know to be under the age of 16.
3. Why we process your data — and the legal basis
Operating the Service. Server logs and basic technical data are processed on the basis of our legitimate interest in keeping the Service working, secure, and free from abuse.
Aggregated analytics. Pageview and traffic-source statistics are processed on the same legitimate-interest basis. We balance this against your right to privacy by avoiding cross-site identifiers and by keeping reports aggregated.
Newsletter. If we offer a newsletter and you sign up to it, we process your email address solely to send you the newsletter. The legal basis is your consent. You can withdraw consent at any time using the unsubscribe link in every issue.
Correspondence. When you contact us we process your message on the basis of legitimate interest, or to take steps you have asked us to take prior to entering a contract.
Compliance with our legal obligations. Where we are required by law to retain or disclose data — for example, in response to a valid order from a court of competent jurisdiction — we do so on the basis of our legal obligation.
4. Cookies and similar technologies
We use the smallest set of cookies and equivalent storage that allows the site to function. Specifically:
Strictly necessary. A small session cookie used for things like remembering your locale preference (English vs. other locales) and keeping admin users signed in to the editorial dashboard. These cannot be turned off in the cookie banner because the site would not work without them.
Analytics. A pseudonymous identifier set by our analytics provider for de-duplicating pageviews. This cookie is set only after you accept the analytics category in our cookie banner. You can revoke that consent at any time and we will remove it.
We do not set advertising cookies, third-party social-media tracking pixels, or fingerprinting beacons. We do not embed third-party content (YouTube, Twitter widgets, etc.) on our article pages.
You can also manage cookies in your browser settings — but blocking strictly necessary cookies will prevent parts of the site from working.
5. Sharing your data with third parties
We do not sell your personal data, and we do not transfer it to third parties for marketing purposes.
We do, however, rely on a small number of service providers ("processors" or "service providers" in US state-law terminology) who handle some of the data on our behalf and under our written instructions:
Hosting and content delivery — Vercel and its sub-processors host the site and store the resulting server logs.
Database — a managed Postgres provider stores editorial data (articles, sources, crawl logs). This database does not contain reader profiles.
Analytics — our analytics provider receives the pseudonymous pageview events described above.
Email — when we reply to correspondence, the email is processed by our email provider.
Where any of these providers process data outside the United States, we rely on appropriate contractual safeguards and other transfer mechanisms recognized under applicable data-protection law to maintain an equivalent level of protection.
6. How long we keep your data
Server logs: up to 30 days, then deleted automatically.
Analytics: aggregated reports are retained for 24 months. The pseudonymous identifier expires after 13 months.
Newsletter list: until you unsubscribe, plus a 30-day grace period in case you change your mind. Unsubscribe records are kept indefinitely so we never re-add an address that has opted out.
Correspondence: up to 24 months, then deleted unless we have a clear legal need to keep it.
Editorial article archive: indefinitely. Published articles are part of a public record. Where an article identifies an individual and that individual asks us to update or remove the article, we handle the request under our Corrections process described in the Responsibility statement.
7. Your rights
Under applicable data-protection law — including, where relevant, the CCPA/CPRA and other US state privacy laws — you may have the following rights in relation to your personal data:
The right to know what personal data we collect, use, disclose, or sell (this policy is the main source of that information).
The right of access — a copy of the personal data we hold about you.
The right to correction — correction of inaccurate or incomplete data.
The right to deletion — deletion of your data, subject to certain exceptions permitted by law.
The right to restrict or limit processing — to ask us to pause certain processing while a dispute is resolved.
The right to data portability — to receive a machine-readable copy of data you have provided to us.
The right to opt out of the sale or sharing of personal data. We do not sell or share personal data, but you may submit an opt-out request at any time.
The right not to be subject to a decision based solely on automated processing that produces a legal or similarly significant effect on you. The Service does not make such decisions about readers.
The right not to be discriminated against for exercising any of the rights listed above.
To exercise any of these rights, email privacy@flagside.football. We will respond within 45 days as required under applicable US state privacy law, at no charge for the first request. If we cannot identify you from the data we hold, we may ask for additional information to confirm your identity.
You also have the right to lodge a complaint with the relevant regulatory authority in your state. California residents may contact the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General. Residents of other states should refer to the applicable supervisory authority or Attorney General's office in their state.
8. Security
We protect your data with appropriate technical and organizational measures: encryption in transit (HTTPS everywhere), authenticated access to administrative dashboards, principle-of-least-privilege access for our service providers, and regular review of our hosting provider's security posture. No system is completely secure; if we become aware of a breach affecting your personal data, we will notify you and the relevant regulatory authority within the timelines required by applicable law.
9. Children
The Service is intended for general audiences. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact privacy@flagside.football and we will delete it.
10. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent revision. Where the change is material — for instance, if we add a new service provider or a new legal basis — we will publish a banner on the Service for a reasonable period.
11. Contact
For privacy questions, requests, or complaints: privacy@flagside.football.