Security
How We Protect Your Data
Last updated: May 21, 2026
We take security seriously.
PoolCup helps friends and colleagues run private World Cup prediction pools. That only works if your account, predictions, and pool data stay protected. From day one, we built the app with modern security practices and privacy in mind. See also our Privacy Policy.
Authentication & Access
We use secure authentication powered by Supabase.
- Sign-in, sign-up, and session management use industry-standard auth flows
- Password reset is handled through protected email links
- Pool and prediction data is tied to your account; invite links control who can join a given pool
- Server-side checks and database policies limit what each user can read or change
Data Protection
- All traffic to PoolCup is served over HTTPS
- Sensitive data is encrypted in transit between your browser and our providers
- Each user's predictions and membership are isolated; you only see pools you belong to
- Supabase Row Level Security (RLS) helps ensure users can only access rows they are allowed to see or update
- We follow the principle of least privilege for internal access
- We do not store card numbers on our servers
- We do not sell your personal data
Application Security
- API routes run on the server, not in the browser, and validate their input
- Authentication tokens and secrets are kept out of client-side code where possible
- We rely on platform and framework defaults to reduce common web risks such as cross-site scripting and injection
- Invite codes and pool slugs are used for sharing; treat invite links like passwords for private pools
We review security as we ship new features, especially around predictions, scoring, and account access.
Infrastructure
PoolCup is built on trusted infrastructure used by modern web applications:
- Next.js application hosted on a secure edge platform (e.g. Vercel)
- Database, authentication, and storage managed by Supabase
Ongoing Improvements
Security isn't a one-time setup. We continuously review and improve our practices as the product and tournament season evolve—including access controls, dependency updates, and incident response.
Report a Security Issue
If you believe you've found a vulnerability or security issue, please reach out. Do not post sensitive details publicly.
For general account help, use our contact page.