Privacy Policy

This Privacy Policy explains how FOOTBALL ∣ CHI ("we", "us", "our") collects, uses, stores, and shares information when you visit football.funybazi.com, generate a match reading, purchase a full report, or otherwise use our website and services (collectively, the "Service").

FOOTBALL ∣ CHI is an entertainment product. It is not a gambling service, and we do not offer betting or financial products.

This Policy should be read together with our Terms of Service (available at `/terms`). If anything here conflicts with mandatory law in your jurisdiction, the law prevails.

Data controller: FOOTBALL ∣ CHI

Website: football.funybazi.com

Privacy contact: legal@funybazi.com

For privacy-related requests (access, correction, deletion, or questions), email us at the address above. We aim to respond within 30 days.

We do not require you to create an account. The Service works with an anonymous browser session and a unique reading link. Depending on how you use the Service, we may collect the following:

3.1 Information you provide indirectly

Team selections — the two teams you choose on the homepage

Reading access token — a random token embedded in your reading URL (e.g. `/reading/{token}`) so you can return to the same report

Payment initiation — when you click to unlock a full report, we create a payment record linked to your reading (amount, currency, status). We do not collect or store full payment card numbers on our servers.

3.2 Information collected automatically

Session cookie (`eo_session`) — a random identifier stored in an HttpOnly cookie so we can enforce daily free-generation limits and associate readings with your browser session

Network and device data — IP address, browser type, and request metadata used for rate limiting, abuse prevention, and server logs

Turnstile verification token — when you generate a reading, Cloudflare Turnstile may process signals to help distinguish humans from bots (see Section 6)

Hosting logs — our infrastructure provider may log requests (timestamps, URLs, status codes) for security and reliability

3.3 Generated and stored content

Report content — teaser previews and full reports (AI- or rule-engine-generated text, including symbolic frameworks such as Five Elements, hexagrams, and score suggestions)

Scenario metadata — match context (e.g. upcoming, completed, or hypothetical framing), tournament snapshot version, and generation timestamps

AI logs (internal) — prompts, model responses, latency, and provider name for debugging and quality improvement; not shown to other users

3.4 What we do not intentionally collect

Real name, postal address, or phone number (unless you include them in an email to us)

Precise geolocation beyond what your IP address may imply

Health, biometric, or government ID data

We use collected information to:

Provide the Service — generate, cache, display, and unlock readings

Manage access — enforce free daily generation limits, paid 24-hour full-report access, and expired-access rules

Process payments — create checkout sessions, confirm successful payments via webhooks, and record payment status

Prevent abuse — rate limiting, bot detection (Turnstile), and investigation of suspicious activity

Improve the product — analyze aggregated usage patterns, fix errors, and tune report quality

Comply with law — respond to lawful requests and protect our rights

We do not use your reading content to train third-party AI models unless a future update explicitly says so and, where required, obtains your consent.

If you are in the European Economic Area or the United Kingdom, we process personal data on these bases:

Contract — to deliver readings and paid access you request

Legitimate interests — security, fraud prevention, service improvement, and caching reports efficiently, balanced against your rights

Legal obligation — where we must retain records for tax, accounting, or regulatory reasons

Consent — where we rely on consent (e.g. non-essential analytics, if enabled), you may withdraw it at any time without affecting core Service use

We use trusted vendors who process data on our behalf. They may only use data as instructed by us:

Vercel — website hosting and edge delivery (United States / global)

Supabase — database storage for reports, sessions, payments, and quotas (region depends on project settings)

Creem — payment checkout and order processing; Creem handles card data according to its own privacy policy

Cloudflare Turnstile — invisible or managed bot challenge when generating readings

Large language model providers (optional) — if configured (e.g. DeepSeek, OpenAI), team metadata and prompt text may be sent to generate or polish report text

Analytics (optional, if enabled) — we may use privacy-focused analytics (e.g. Plausible) or Google Analytics 4 to understand traffic; when active, the provider receives page views and coarse device data

Links to third-party privacy policies are available on their respective websites. We are not responsible for their independent practices.

Essential cookie

`eo_session` — identifies your browser session for quota and reading association. Duration: up to 365 days. Attributes: HttpOnly; Secure in production; SameSite=Lax.

Third-party cookies / storage

Turnstile may set cookies or use local storage as part of Cloudflare's challenge mechanism when you generate a reading.

Payment provider — Creem may set cookies during checkout on their domain.

Analytics (if enabled) — may use cookies or local storage per the analytics vendor's configuration.

You can block cookies in your browser settings, but the Service may not function correctly (e.g. you may be unable to generate readings or maintain session limits).

We do not sell your personal information.

We may share data only in these situations:

Service providers listed in Section 6, under contractual confidentiality and data-processing terms

Legal requirements — if required by law, court order, or governmental request

Protection — to investigate abuse, fraud, or threats to the Service or users

Business transfer — in connection with a merger, acquisition, or asset sale, subject to this Policy or notice to you

We do not share your full paid report content with other users. Reports may be cached internally so the same team pairing and scenario does not require regeneration for every visitor.

We keep data only as long as needed for the purposes above:

Session cookie — up to 365 days from last set, or until you clear cookies

User readings & access tokens — while your reading link remains valid and for a reasonable period afterward for support and dispute resolution

Paid access window — full-report access expires 24 hours after successful payment; after expiry, the reading may revert to teaser-only unless you purchase again

Payment records — retained as required for accounting, tax, and fraud prevention (typically several years, or as mandated by law)

Cached reports — shared report content may be stored until invalidated by tournament updates or manual refresh

Server and AI logs — rotated or deleted on a rolling basis unless needed for an active investigation

You may request deletion of data associated with your session or reading token (see Section 11). Some records must be kept where law requires.

We use industry-standard measures including HTTPS, HttpOnly session cookies, server-side access controls for paid content, webhook signature verification for payments, and restricted database access via service credentials.

No method of transmission or storage is 100% secure. You are responsible for keeping your reading URL private; anyone with the link may access the teaser, and anyone with the link during a paid window may access the full report.

Depending on where you live, you may have the right to:

Access — request a copy of personal data we hold about you

Correction — request correction of inaccurate data

Deletion — request deletion of data we no longer need (subject to legal exceptions)

Restriction or objection — object to certain processing based on legitimate interests

Portability — receive data you provided in a structured, machine-readable format where applicable

Withdraw consent — where processing is consent-based

Complaint — lodge a complaint with your local data protection authority

California (CCPA/CPRA): We do not sell personal information. California residents may request disclosure of categories collected and deletion, subject to exceptions.

To exercise rights, email legal@funybazi.com with enough detail for us to locate your reading (e.g. reading URL or approximate generation time). We may verify your request before acting.

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13.

Purchases require you to be at least 18 (or the age of legal majority in your jurisdiction). See our Terms of Service for age rules on paid content.

Our service providers may process data in the United States and other countries. Where required, we rely on appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) for cross-border transfers.

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest version.

Material changes will be posted on this page. Continued use after changes means you accept the updated Policy, except where further consent is required by law.

FOOTBALL ∣ CHI

Website: football.funybazi.com

Privacy & data requests: legal@funybazi.com

For Terms of Service questions, use the same contact address or visit `/terms` on this website.