Saturday, 13 June 2026

Legal

Privacy Policy

Last updated: 28 April 2026

This Privacy Policy ("Policy") explains in detail how The Half Spaces ("we", "our", "us") collects, uses, shares, retains, transfers, and protects personal data when you visit thehalfspaces.com (the "Site"), and what rights you have over that data. This Policy is binding on every visitor and forms part of our Terms of Service. By accessing or using the Site, you acknowledge that you have read, understood, and accepted this Policy. If you do not agree, do not use the Site.

1. Identity of the data controller

The data controller responsible for personal data processed in connection with the Site is The Half Spaces ("we"). For all data-protection enquiries, complaints, rights requests, and breach notifications, contact us by email at [email protected]. We will respond within thirty (30) days, or as required by applicable law.

2. Categories of personal data we process

2.1 Information you provide to us directly

  • Email address — provided when you submit a newsletter sign-up form on the Site.
  • Email correspondence — the contents of any message you send us, together with associated metadata (timestamp, sending address, subject line).

2.2 Information collected automatically

  • Server / CDN log data — when you request a page, our hosting and content-delivery provider automatically logs your IP address, the user-agent string sent by your browser, the URL requested, the referrer (if any), the response status code, the size of the response, and the timestamp. This is standard for any website on the public internet and is necessary to deliver the Site to you and to defend it against abuse.
  • Strictly-necessary security cookies — our hosting provider sets a cookie named __cf_bm for bot-management and security purposes. This cookie is short-lived (typically thirty minutes), is not used to track you across sites, and cannot be disabled without breaking the security layer that protects the Site.
  • Local storage — interactive features on the Site (the Starting XI Builder, Tactical Debate voting, World Cup 2026 Predictor, Tactical Glossary saved-state, and similar) write to your browser's local storage so your inputs persist across visits. This data is stored only on your device, never transmitted to our servers, and is not personal data we control.

2.3 Information we do NOT collect

We do not run third-party advertising, retargeting pixels, behavioural-tracking scripts, social-media-tracking SDKs, analytics platforms that profile individual readers, or any tool that fingerprints your device. We do not collect payment-card data because the Site does not currently transact with users. We do not knowingly collect data from children under thirteen (13) years of age (or under sixteen (16) in the European Economic Area / United Kingdom).

3. Lawful bases for processing (UK GDPR / EU GDPR)

Where the UK General Data Protection Regulation ("UK GDPR") or the EU General Data Protection Regulation ("EU GDPR") applies, we rely on the following lawful bases under Article 6:

  • Consent (Art. 6(1)(a)) — for sending you the newsletter, where you have submitted your email address through one of our sign-up forms. You may withdraw consent at any time by emailing us or using any unsubscribe link in a newsletter; withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Legitimate interests (Art. 6(1)(f)) — for processing server / CDN log data to operate, secure, and defend the Site, and for replying to email correspondence you initiate. Our legitimate interest is the operation and protection of the Site and the Publication's reasonable communication with its readers; we have weighed this against your rights and freedoms and believe the processing is proportionate.
  • Contract (Art. 6(1)(b)) — to the extent necessary to perform the obligations under our Terms of Service with you when you use the Site.
  • Legal obligation (Art. 6(1)(c)) — where we are required to process personal data to comply with applicable law, including law-enforcement requests that meet legal requirements.

We do not engage in solely automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 of the UK / EU GDPR.

4. Purposes for which we process personal data

  • To deliver the newsletter you have subscribed to and to confirm, update, or terminate that subscription.
  • To respond to email or other correspondence you initiate, and to follow up where reasonable.
  • To operate, maintain, secure, monitor, and defend the Site against fraud, abuse, scraping, denial-of-service activity, and similar threats.
  • To produce aggregated, non-identifying traffic statistics so that we can understand which articles readers spend time on and improve coverage accordingly.
  • To comply with our legal obligations and enforce our Terms of Service, including investigating suspected breaches.

5. Recipients and data sharing

We share personal data only with the limited set of service providers necessary to operate the Site, and only to the extent necessary for them to perform their function. Each provider is contractually obliged to process personal data only on our instructions and to maintain appropriate security measures.

  • Hosting and content delivery — DNS resolution, CDN distribution, and the static-page hosting that serves the Site. The provider may process IP addresses, request metadata, and the strictly-necessary security cookie referred to above. Provider's privacy policy: cloudflare.com/privacypolicy.
  • Email-delivery providers (future) — when we begin sending the newsletter, we will use a third-party email-service provider (such as a transactional or marketing email platform) to deliver mail to you. We will update this Policy and notify subscribers before any newsletter provider is engaged.
  • Sports-data providers — we license match data, league tables, and certain player and team imagery from licensed third-party data feeds. We do not share reader information with these providers; the data flow is one-way (provider → us).

We do not sell, rent, lease, or trade personal data. We do not share personal data with advertisers, advertising networks, data brokers, profiling services, or analytics platforms. We will disclose personal data to law enforcement, courts, or regulators where compelled by valid legal process and where, in our reasonable judgement, the request is lawful, narrowly scoped, and proportionate.

6. International transfers of personal data

Our service providers may process personal data in jurisdictions outside your country of residence, including in the United States, the European Union, and the United Kingdom. Where personal data is transferred from the United Kingdom or the European Economic Area to a country that does not have an adequacy decision, we rely on appropriate safeguards, typically the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) maintained by the relevant processor. You may request a copy of the safeguards relied on for any specific transfer by contacting us at the address above.

7. Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required or permitted by law.

  • Newsletter email addresses: retained until you unsubscribe or until our newsletter list is migrated, whichever is sooner. Deleted within thirty (30) days of unsubscription.
  • Email correspondence: retained for up to twenty-four (24) months following the last message in a thread, then deleted, unless the correspondence relates to a legal matter we are required to retain for longer.
  • Server / CDN log data: retained by our hosting provider in accordance with their policy, typically not more than thirty (30) days.

8. Your rights

Subject to your jurisdiction and to applicable conditions and exceptions, you have the following rights over personal data we hold about you:

  • Right of access — to ask for a copy of the personal data we hold about you and information about how we process it.
  • Right to rectification — to ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — to ask us to delete personal data we hold about you in certain circumstances.
  • Right to restrict processing — to ask us to limit how we use your data while a request is being investigated.
  • Right to data portability — to receive a copy of the personal data you provided to us in a structured, commonly used, machine-readable format.
  • Right to object — to object to processing carried out under the legitimate-interests basis, on grounds relating to your particular situation.
  • Right to withdraw consent — for processing carried out on the basis of consent, including newsletter subscription.
  • Right to lodge a complaint — with a supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement, and with the UK Information Commissioner's Office (ICO) if you live in the UK.

To exercise any of these rights, email [email protected]. We may need to verify your identity before fulfilling a request. We aim to respond within thirty (30) days; in complex cases we may extend this by up to a further sixty (60) days, in which case we will tell you within the initial period.

9. California residents — CCPA / CPRA disclosures

If you are a resident of California, the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA") gives you specific rights over your personal information. The categories of personal information we have collected in the previous twelve (12) months and how we use them are described in Sections 2 and 4 above; the categories of recipients with whom we share that information are described in Section 5.

  • Right to know what personal information we collect, use, disclose, and share.
  • Right to delete personal information we have collected from you, subject to certain exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information.
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising any of these rights.

We do not sell or share personal information within the meaning of the CCPA / CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted under California Civil Code Section 1798.121(a)(1)–(7). To exercise any California right, email us as above. You may use an authorised agent to make a request on your behalf, in which case we will require proof of authorisation.

10. Children

The Site is not directed to children. We do not knowingly collect personal data from children under thirteen (13) years of age (under the United States Children's Online Privacy Protection Act / "COPPA") or under sixteen (16) in the European Economic Area or United Kingdom (under Articles 8 of the EU and UK GDPR respectively). If you believe a child has provided us with personal data, contact us and we will delete it promptly.

11. Security and breach notification

We take appropriate technical and organisational measures, calibrated to the risks and to the nature of personal data we process, to protect personal data from accidental loss, unauthorised access, alteration, or disclosure. These measures include encryption of data in transit (HTTPS / TLS), restricted-access credential storage, and regular review of provider security postures.

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours where required by law, and we will notify affected individuals without undue delay where the risk is high.

12. Do Not Track signals

Some browsers transmit "Do Not Track" ("DNT") signals. Because there is no industry consensus on how to interpret DNT signals, we do not currently respond differently when one is received. We do not engage in cross-site or cross-device tracking, so the practical effect is the same.

13. Changes to this Policy

We may update this Policy from time to time, including when we add a real newsletter provider, an analytics tool, or other processing activity. The "Last updated" date at the top of the Policy reflects the date of the most recent change. If the change is material, we will give at least seven (7) days' notice on the homepage and (where we have your address) by email before the change takes effect. Your continued use of the Site after a change takes effect constitutes acceptance of the updated Policy.

14. Contact

The Half Spaces · [email protected]