Legal

Privacy policy

Last updated: 9 May 2026

Plain English. The site is a personal project; we collect as little as possible, and we don't sell anything to anyone.

If you don't sign in

You can use the entire site without an account. We don't set tracking cookies. We don't run analytics that identify you. The only data we see is your IP address and browser User-Agent — which Cloudflare (our host) logs automatically for the standard reasons (rate limiting, abuse prevention). We don't store, analyse, or share that data ourselves.

If you sign in

An account stores three things:

• Your email address (used as your login identifier)
• A hashed password (we never see the original, even briefly)
• Your match predictions (private to you; not shared with other users)

Your data lives in our database (Supabase, hosted in the EU). It's protected by row-level security: even if our app code has a bug, the database itself refuses to leak your data to anyone but you.

We never email you. We don't have a "newsletter". We don't sell your address. If we ever add password reset or account-related emails, we'll update this policy first.

Cookies

We use two cookies, both essential to sign-in:

• sb-access-token — a short-lived JWT identifying your session
• sb-refresh-token — a long-lived token to keep you signed in across visits

Both are HTTPOnly + Secure + SameSite=Lax. We don't use any other cookies — no analytics cookies, no advertising cookies, no third-party cookies. If we ever add advertising (we may eventually serve display ads), we'll add a consent banner at that point and update this policy.

External data sources

We pull cricket data from several public sources. None of them receive any data about you in return:

• Cricsheet (ball-by-ball cricket data)
• Wikidata + Wikipedia (player bios)
• Google News RSS (recent mentions)
• CricAPI (live scores)
• Podcast RSS feeds (audio for transcript extraction)

Service providers

Three services touch our infrastructure:

• Cloudflare — hosts the site, processes requests. Sees your IP + User-Agent for routing and abuse prevention.
• Supabase — stores account + prediction data (EU-hosted Postgres). Sees your email + hashed password + predictions.
• Groq — LLM provider used for transcript / bio processing. Never sees any data about you; only public source text from Wikipedia / podcasts.

Your rights

If you have an account, you can delete it at any time — email us (well, eventually — see the contact note below) and we'll delete your account and all your prediction data within 7 days. The standard GDPR rights apply (access, rectification, erasure, portability) for accounts created from the EU/UK.

Changes

Material changes (new processors, new cookie types) will be reflected here, and the "last updated" date at the top will move forward. Trivial copy changes won't.

Contact

The site doesn't yet have a support email. When it does, we'll list it here. For account-deletion or data-access requests, watch this page or check the about page for an updated contact channel.