Privacy Policy

Last updated: February 2026

1. Who We Are

World Cup Sweepstake 2026 is operated by H2 Concepts Ltd, a company registered in England and Wales, company number 17019070. H2 Concepts Ltd is the data controller for personal information collected through this service.

This platform is independent and is not affiliated with, endorsed by, or connected to any football governing body or the organisers of the 2026 men's football World Cup.

You can contact us at hello@sweep.football.

2. What We Collect

We collect the following personal information:

  • Organisers: Name, email address
  • Participants: Name, email address, phone number, profile photo (optional)
  • Payment data (organiser only): The organiser's Β£20 platform fee is processed securely by Stripe. We do not store card numbers β€” only a Stripe PaymentIntent reference. Participants make no payment through us.
  • Usage data: Pages visited, device type, and IP address (for rate limiting and security).

3. How We Use Your Data

  • To run and manage your sweepstake (team allocations, eliminations, redraws)
  • To send you SMS notifications about your teams and match results (via Twilio)
  • To send you email updates with detailed information (via SendGrid)
  • To process the organiser's Β£20 platform fee (via Stripe)
  • To prevent fraud and abuse (rate limiting, CAPTCHA verification)

4. Third-Party Services

We share data with the following processors:

  • Stripe β€” Organiser platform fee processing (name, email, payment details)
  • Twilio β€” SMS notifications (phone number)
  • SendGrid β€” Email notifications (email address, name)
  • Google Firebase β€” Database and file storage (all participant data)
  • Cloudflare β€” CAPTCHA verification (IP address, browser data)

All processors are GDPR-compliant and process data under data processing agreements.

5. Data Retention

We retain sweepstake data (including draw history) for 12 months after the tournament ends to allow participants to review results. Payment records are retained for 7 years as required by UK tax regulations. You can request deletion of your personal data at any time by contacting us.

6. Your Rights (GDPR)

Under UK/EU data protection law, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request deletion ("right to be forgotten")
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time

To exercise any of these rights, email us at hello@sweep.football.

7. Cookies

We use essential cookies only (session management, admin authentication). We do not use advertising or tracking cookies. Cloudflare Turnstile may set a cookie for CAPTCHA functionality.

8. Security

All data is encrypted in transit (TLS) and at rest (Firebase encryption). Payments use 3D Secure authentication. API endpoints are rate-limited and protected by CAPTCHA. We conduct regular security reviews of our infrastructure.

9. Changes

We may update this policy from time to time. Material changes will be communicated via email. The "Last updated" date at the top indicates when the policy was last revised.