Privacy notice
What we know about you
(very little)
Last updated: 18 May 2026
Highbury Bound is an independent fan website run by a solo operator domiciled in the United Kingdom. This notice explains precisely what data the site handles, why, and what your rights are. There is no corporate parent, no advertising network, and no data broker relationship.
What we collect and why
Locale cookie (hb-locale)
When you select a language, a cookie called hb-locale is stored in your browser so the site loads in the right language next time. This is a strictly-necessary functional cookie under the UK PECR. No consent banner is required because it performs no tracking. Expires after 12 months and is never read by any third party.
Saved pubs (hb-saved-v1)
When you save a pub, its slug is stored in your browser's localStorage under hb-saved-v1. It never leaves your device and is never associated with an account, email address, or any identifier. Clearing your browser data removes it permanently.
Theme and UI preferences
Your theme choice (hb-theme) and install-prompt dismissal (hb-install-dismissed) are stored in localStorage. Same scope: functional, device-local, never transmitted.
Location (one-shot, never stored)
If you use “Find pubs near me,” your browser requests your approximate location via the standard navigator.geolocation API. We use it only to sort the results on that page. Not stored, not logged, not shared. The request goes nowhere except your own screen.
Waitlist email (optional, when active)
If you sign up for launch notifications via /api/waitlist, we collect your email address and, optionally, your city. Stored in Cloudflare KV, keyed by email. Used only to notify you when a feature launches. Never shared, sold, or marketed beyond that single purpose. You can request deletion at any time by emailing hello@highburybound.com.
Venue submissions (optional, when active)
If you submit a venue or correction via /api/submissions, the details you provide are held for editorial review. Same retention principles as the waitlist: single purpose, never shared.
Cloudflare server logs
Cloudflare records standard HTTP access logs (IP, user-agent, request path, status code) as part of delivering the site. We do not export or analyse these beyond incident debugging. Retention is governed by Cloudflare's own policies.
What we do not collect
No analytics today (a Plausible scaffold is in the codebase, inactive unless enabled — Plausible is cookie-free and collects no personal data if activated). No advertising pixels. No social-media tracking. No biometric or financial data.
Legal basis (UK / EU GDPR)
| Data | Basis |
|---|---|
| Locale cookie | Legitimate interest · strictly necessary |
| localStorage preferences | Legitimate interest · strictly necessary UI state |
| Geolocation | Consent (browser prompt, one-shot, never stored) |
| Waitlist email | Consent (form submission) |
| Cloudflare logs | Legitimate interest · security & abuse |
Sub-processors
Third parties we use to operate the site. Each processes data only as necessary for the stated purpose.
- Cloudflare (US-headquartered, UK/EU data centres) — domain registration, DNS, edge hosting, email routing, DDoS mitigation. DPA in place per Cloudflare's standard terms.
- GitHub Actions — CI/CD pipeline. Source repo is private. GitHub's DPA covers this.
- OpenStreetMap tile server — serves map tiles. Your browser's standard HTTP request (IP, referer) is sent to OSM's infrastructure. OSM's privacy policy governs.
Future processors (not active today): Plausible Analytics (EU-domiciled, cookie-free), Stadia Maps (Sweden), or Mapillary (Meta-owned, Switzerland). We will update this notice before activating any of these.
Your rights
If you are in the UK, EU, California (CCPA), Canada (PIPEDA), or Australia, you have the right to:
- Access — ask what data we hold about you.
- Deletion — ask us to delete your data.
- Portability — request a copy in a readable format.
- Objection — object to legitimate-interest processing.
- Withdraw consent — for any consent-based processing.
There are no paid tiers, accounts, or profiles in v1, so the practical scope of most requests is limited to any waitlist or submission data you provided. To exercise any right, email hello@highburybound.com. We will respond within 30 days.
UK residents may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Children
Highbury Bound is not directed at children under 13 (US COPPA) or under 16 (UK/EU). We do not knowingly collect data from minors. If you believe a minor has submitted data, email us and we will delete it promptly.
Updates
We will update this page when data flows change materially. The “Last updated” date at the top reflects the current version. We will not reduce your rights without clear notice.
Contact
Highbury Bound is operated from the United Kingdom. English law governs this notice.
Disclaimer: Highbury Bound is independent and not affiliated with Arsenal FC.