Privacy Policy
Data Controller
ChampSheep is operated by Castillo Shell, LLC, a Delaware limited liability company, registered at 131 Continental Dr, Suite 305, Newark, DE 19713, United States. For privacy questions, contact us at hello@champsheep.com.
Information We Collect
When you create an account we collect your email address and a username you choose. We store the match predictions you submit, the pools you join or create, the points you earn, and any badges you unlock.
If you sign in with Google, we receive your name, email, and profile picture from your Google account.
Our servers automatically log your IP address, user agent, and request metadata for security and abuse prevention. These logs are retained for 30 days.
Legal Basis for Processing (GDPR)
We process your data on the following legal bases under GDPR Article 6:
- Contract — to provide the prediction service you signed up for (account, predictions, leaderboards, pools).
- Legitimate interest — to keep the service secure, prevent abuse, and measure aggregate usage with cookieless analytics.
- Legal obligation — to comply with applicable laws and respond to lawful requests.
- Consent — for any optional processing where we explicitly ask. You can withdraw consent at any time.
How We Use Your Information
- To create and manage your account
- To save and display your predictions
- To calculate scores and show leaderboards
- To send important account-related emails (sign-in links, email-change verifications)
- To prevent fraud, spam, and abuse
- To improve the service through aggregated, anonymous usage statistics
- To measure our advertising and reach similar audiences using advertising pixels (Meta, X, Google Ads, Reddit)
Data Sharing
Your username, avatar, predictions, and points are visible to other users on leaderboards and within pools you join. We do not sell, rent, or trade your personal information.
Service Providers
We rely on the following third-party processors:
- Plausible Analytics (EU-hosted, cookieless) — aggregate usage statistics, no IP storage.
- Google LLC — Google Sign-In (only if you choose this method).
- Amazon Web Services (EU region) — application hosting, database, and email delivery.
- flagcdn.com — country flag images displayed on match cards.
- Meta Platforms, Inc. (Meta/Facebook Pixel) — measures ad performance and builds audiences. Loads only with your consent in the EU/EEA and UK.
- X Corp. (X/Twitter Pixel) — advertising conversion measurement. Loads only with your consent in the EU/EEA and UK.
- Google LLC (Google Ads tag, including Enhanced Conversions) — advertising conversion measurement; your email is hashed in your browser before it is sent. Loads only with your consent in the EU/EEA and UK.
- Reddit, Inc. (Reddit Pixel) — advertising conversion measurement. Loads only with your consent in the EU/EEA and UK.
Each provider is bound by a data-processing agreement and may only use your data to deliver the service to us.
International Data Transfers
Some of our service providers (e.g. Google) are based in the United States. When data is transferred outside the EEA/UK we rely on the European Commission's Standard Contractual Clauses (SCCs) and additional safeguards consistent with the Schrems II ruling.
How Long We Keep Your Data
- Account data — until you delete your account.
- Predictions, scores, badges — until you delete your account, then removed within 30 days from backups.
- Server logs — 30 days.
- Magic-link tokens and session tokens — until they expire (typically minutes to weeks).
Local Storage on Your Device
We store a sign-in token, a cache of match data, and small UI preferences in your browser's local storage so the app works offline. Outside the EU/EEA and UK, our advertising partners (Meta, X, Google, Reddit) may also set cookies; in the EU/EEA and UK these are used only with your consent. Local data is cleared when you sign out or clear your browser storage.
Your Rights
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of the data we hold about you.
- Portability — download your data in a structured, machine-readable format (use Profile → Edit → Download my data).
- Rectification — correct inaccurate information from your profile page.
- Erasure — delete your account and all associated data (Profile → Edit → Delete my account).
- Restriction — ask us to limit how we process your data.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — for any consent-based processing.
- Lodge a complaint — with your local data-protection authority.
To exercise any right not available in-app, email hello@champsheep.com. We respond within 30 days.
Children
ChampSheep is not directed at children under 13. We do not knowingly collect personal data from children under 13. In some EU member states the threshold is higher (up to 16) — in those countries, users below the local threshold need verifiable parental consent. If you believe a child has signed up without parental consent, please contact us and we will remove the account.
California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the CCPA/CPRA:
- Right to know what personal information we collect, use, and disclose.
- Right to delete your personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising these rights.
Categories of personal information we collect: identifiers (email, username, IP, device IDs), internet activity (predictions, page views), inferences (your engagement level). Sources: directly from you, from Google when you use Google Sign-In, from your device. We use advertising pixels (Meta, X, Google Ads, Reddit); outside the EEA/UK they load by default, and in the EEA/UK only with your consent — these platforms receive standard request data (IP, user agent, page URL) and advertising identifiers.
We do not sell your personal information. We use advertising pixels (Meta, X, Google Ads, Reddit); California residents can opt out of personalized advertising through each platform's ad settings and via browser-level controls such as Global Privacy Control.
Brazilian Residents (LGPD)
If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD) including access, correction, anonymization, portability, deletion, and information about sharing. Our controller details are in the Data Controller section above. Email hello@champsheep.com to exercise these rights.
UK Residents (UK GDPR)
If you are in the United Kingdom, the UK GDPR and Data Protection Act 2018 apply. You have the same rights as EEA users, and you may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
Right to Lodge a Complaint
If you believe we have not handled your data properly, you may complain to the data-protection authority where you live, work, or where the alleged infringement happened. The European Data Protection Board lists national authorities at edpb.europa.eu.
Data Security
We use industry-standard measures including TLS in transit, encrypted databases at rest, hashed credentials, and least-privilege access controls. No system is 100% secure — if we ever discover a breach affecting your data we will notify you and the relevant authority within 72 hours.
Sign-in Security Logging
When you sign in, we record the approximate location (country and first-level region, e.g. "US-CA") derived from your IP address. We do not store the IP itself. This data is used solely for account-security and fraud-prevention purposes — e.g. flagging a sign-in from an unexpected country. The legal basis is our legitimate interest under GDPR Art. 6(1)(f). Records are kept for 12 months and are deleted automatically when you delete your account.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email. The "last updated" date below reflects the most recent revision.
Last updated: May 2026