Privacy Policy

Last updated · 24 April 2026

This is the honest version. No dark patterns, no 40-page legal wall. Here's what FootballFirst collects, why, and what you can do about it.

FootballFirst (“we”, “us”, “the site”) is operated by Andrew Morrissey, a sole trader based in Ireland. If you need to reach us about anything in this policy, email andrewlaniganbusiness@gmail.com.

What we collect

When you use the site without signing in:

  • Your approximate location (country and city), detected from your IP address via Vercel's edge geolocation. We use this to default currency and show relevant fixtures.
  • A cookie storing that location and your chosen currency, so you don't get re-detected on every page load.
  • Standard server logs (IP address, browser type, page visited, timestamp) held by our hosting provider Vercel for operational and security purposes.

When you sign in with a magic link:

  • Your email address, stored by our authentication provider Supabase.
  • A display name (defaults to the part of your email before the @, editable later).
  • Session cookies that keep you signed in across visits.

When you save a trip:

  • The trip details (destination, stadium, league, match, status) and the full AI-generated trip card data, stored against your user account in Supabase.

When you join the waitlist:

  • Your email address, your detected home city, the form you submitted from (e.g. “footer”).
  • A one-way hash of your IP address (SHA-256 of ff:<ip>) used for abuse control. We never store the raw IP.

When you chat with the AI scout:

  • Your message is sent to Anthropic (the AI provider) along with your detected geo so the scout can answer with relevant currency and airport context. Anthropic's data handling is governed by their privacy policy at anthropic.com/legal/privacy.

What we don't collect

  • Payment information. We never charge users and never touch card details.
  • Anything you don't give us. No third-party trackers, no advertising pixels, no Facebook/Meta SDK.
  • Your browsing outside this site.

Who we share data with

A small number of infrastructure providers, each with their own privacy terms:

  • Vercel (hosting)
  • Supabase (database + authentication)
  • Anthropic (AI chat)
  • Resend (email delivery for magic links)
  • Cloudflare (DNS and email routing)
  • API-Football (fixture data — we only send fixture queries, never your personal data)

We don't sell your data. We don't share it for marketing. We'd rather keep the site honest than make an extra few quid.

Affiliate links

When you click a “Book flight”, “Book hotel” or “Get tickets” link, you're sent to a partner site (Aviasales, Booking.com, P1 Travel, Viagogo) with a tracking marker that tells them the referral came from us. They drop their own cookies on your browser per their own policies. We don't see your booking details, your card, or what you actually paid. We just get told “someone referred from FootballFirst made a booking” and we get a small commission.

More detail on the Affiliate Disclosure page.

Cookies

  • ff-geo — your detected country, city, and currency. Expires after 7 days.
  • ff-currency — your manually selected display currency, if different from detected.
  • Supabase auth cookies — keep you signed in. Set when you click a magic link.
  • ff-gate — only exists during pre-launch password gating. Will be removed once the site is fully public.

No tracking cookies. No advertising cookies.

Your rights (GDPR)

If you're in the EU, UK, or anywhere with equivalent data protection law — and honestly even if you're not, we apply the same standard — you have the right to:

  • Access the data we hold on you.
  • Correct anything that's wrong.
  • Delete your account and all associated data.
  • Export your data in a portable format.
  • Object to processing, or withdraw consent.
  • Complain to your local data protection authority (in Ireland, that's the Data Protection Commission at dataprotection.ie).

To do any of the above, email andrewlaniganbusiness@gmail.com from the address on your account. We'll respond within 30 days. Usually much faster — it's a one-person operation.

Data retention

  • Waitlist emails: kept until you ask us to delete them, or until the waitlist is retired.
  • User accounts + saved trips: kept until you delete your account.
  • Server logs: Vercel retains these per their standard policy (typically 30 days).
  • Chat messages: not stored by us after the response is generated. Anthropic may retain them per their own policy.

Kids

The site isn't aimed at anyone under 16. We don't knowingly collect data from children. If you think we have, email us and we'll delete it.

Changes

If we change this policy materially, we'll update the “Last updated” date and, if you have an account, email you. Minor tidy-ups (typos, clarifications) happen without notice.

Contact

Andrew Morrissey — andrewlaniganbusiness@gmail.com