Privacy Policy

The data controller responsible for your personal data is:

For EEA users, FifaBus2026 acts as data controller under Article 4(7) GDPR. We process personal data in accordance with GDPR, the ePrivacy Directive, and applicable EU member state laws.

We collect only the data we need to provide our services. The table below shows what we collect, why, and the legal basis under GDPR Article 6.

We do not intentionally collect or process special category data (Article 9 GDPR) such as health data, racial or ethnic origin, political opinions, religious beliefs, biometric data, or sexual orientation. If you believe we have inadvertently collected such data, please contact privacy@fifabus2026.com.

We do not profile users based on special category data for any purpose, including targeted advertising, in line with Article 9 GDPR and the DSA's prohibition on ads targeting minors using profiling.

We use cookies and similar technologies. Under the ePrivacy Directive (as implemented in EU member states) and GDPR, we obtain your consent before setting any non-essential cookies.

You can change your cookie preferences at any time using the Cookie Preferences button in the footer or by clearing your browser cookies. Withdrawing consent does not affect the lawfulness of processing before withdrawal (Article 7(3) GDPR).

We share personal data only where necessary and with appropriate contractual protections:

We do not sell personal data. We do not share data with law enforcement unless legally compelled to do so, in which case we will attempt to notify you where permitted by law.

FifaBus2026 is based in the United States. When personal data is transferred from the EEA, UK, or Switzerland to the USA or other third countries, we rely on one or more of the following safeguards under Chapter V GDPR:

• Standard Contractual Clauses (SCCs) — approved by the European Commission under Decision 2021/914
• EU–US Data Privacy Framework — where the recipient is certified
• Adequacy decisions — where the European Commission has recognised equivalent protection

You may request a copy of our SCCs or transfer impact assessments by contacting privacy@fifabus2026.com.

If you are in the EEA, UK, or Switzerland, you have the following rights under GDPR (Articles 15–22). You can exercise any right by contacting privacy@fifabus2026.com. We will respond within 30 days (extendable to 90 days for complex requests).

• Right of Access (Art. 15): Request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
• Right to Erasure / 'Right to be Forgotten' (Art. 17): Request deletion of your personal data where there is no compelling reason to continue processing.
• Right to Restriction (Art. 18): Ask us to pause processing your data in certain circumstances.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (applies to consent-based or contract-based processing).
• Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling. We will stop unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent (Art. 7(3)): Withdraw any previously given consent at any time without affecting lawfulness of prior processing.
• Right not to be subject to automated decision-making (Art. 22): We do not make solely automated decisions with legal or similarly significant effects. Discount calculations are rule-based, not AI/ML profiling.

We retain personal data only as long as necessary for the purpose it was collected or as required by law (Article 5(1)(e) GDPR — storage limitation).

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact privacy@fifabus2026.com and we will delete it promptly. We do not show targeted advertising to minors in line with DSA Article 26(3) and GDPR Recital 38.

We implement appropriate technical and organisational measures (TOMs) as required by Article 32 GDPR to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised access:

• TLS 1.2+ encryption for all data in transit
• Encrypted storage of sensitive fields (payment data handled entirely by Stripe, never stored on our servers)
• HTTP security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, Permissions-Policy
• Access controls — staff have least-privilege access to production systems
• Regular security scans and dependency auditing
• Incident response plan — we will notify affected users and relevant supervisory authorities within 72 hours of a data breach where required by Article 33 GDPR

The EU Digital Services Act (Regulation 2022/2065) applies to our platform. As a user in the European Union, you have the following additional rights:

• Transparent advertising: We clearly label any advertising content and disclose the advertiser identity and targeting parameters used.
• No profiling-based ads for minors: We never show targeted ads to users we know to be under 18 (DSA Art. 26(3)).
• Recommender system transparency: If we use recommendation algorithms, we inform you of the main parameters and offer a non-profiled alternative view (DSA Art. 27).
• Illegal content reporting: You can report illegal content or behaviour by emailing dsa@fifabus2026.com with the subject "DSA Illegal Content Report". We act promptly under our Notice-and-Action policy.
• Complaints and appeals: If you disagree with a decision we made about your account or content, you may submit a complaint to dsa@fifabus2026.com. We will respond within 14 days.

FifaBus2026 is not a Very Large Online Platform (VLOP) as defined by DSA Article 33. Annual active user counts are reviewed quarterly and reported in our transparency reports if the 45-million-user threshold is reached.

If you believe we have processed your personal data in violation of GDPR, you have the right to lodge a complaint with a supervisory authority (Article 77 GDPR). You may contact the supervisory authority in your EU member state of residence, place of work, or the location of the alleged infringement. Key supervisory authorities include:

• Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)
• France: Commission Nationale de l'Informatique et des Libertés (CNIL)
• Spain: Agencia Española de Protección de Datos (AEPD)
• Ireland: Data Protection Commission (DPC)
• Netherlands: Autoriteit Persoonsgegevens (AP)

For online dispute resolution (including cross-border disputes), you may also use the EU ODR platform:

We always encourage you to contact us first at privacy@fifabus2026.com — we aim to resolve all concerns promptly and fairly.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting a notice on our homepage or, where feasible, by email at least 30 days before the change takes effect. The "Last updated" date at the top of this page always shows the most recent revision. Continued use of our services after an update constitutes acceptance of the revised policy, except where additional consent is required under GDPR.

For any privacy-related enquiries, data subject requests, or to exercise your rights, please use the relevant contact below: