Cards
No data available
No H2H data available
Back

Privacy Policy

Last updated: 24 April 2026 · Effective date: 24 April 2026

This Privacy Policy explains how WalkWeb Digital Ltd ("we", "us", "our") collects, uses, stores, and shares personal data when you use yellow.cards (https://yellow.cards), our associated Telegram channel, and our X (formerly Twitter) account (together, the "Service").

yellow.cards is a football statistics tool. It is a data product; it is not a betting, gambling, or financial advice service and does not provide tips or recommendations.

1. Who we are

Data Controller: WalkWeb Digital Ltd, a company registered in England and Wales.
Contact for privacy matters: [email protected]

We are the controller of the personal data described in this policy.

2. Children's data

The Service is not directed at children. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact [email protected] and we will delete it.

3. What personal data we collect

We collect the following categories of personal data:

Account data (if you register or subscribe):

  • Email address
  • Hashed password
  • Account creation date and login timestamps
  • Subscription tier (Free, Pro monthly, Pro annual) and trial status

Payment data (if you subscribe or start a free trial):

  • Billing name
  • Billing country and postcode
  • Last four digits of your payment card, card brand, and expiry
  • Transaction IDs, amounts, currency, and status
  • We do not store full payment card numbers, CVV codes, or bank details. These are collected and processed directly by Stripe.

Telegram data (if you link your Telegram to access the Pro channel):

  • Your Telegram user ID
  • Your Telegram username (if set)

Usage and technical data (collected automatically):

  • IP address (truncated where possible)
  • Device type, browser, operating system, and screen size
  • Pages viewed, features used, filters applied, session duration
  • Referring URL
  • Approximate location derived from IP (country or region level)

Communications data:

  • Emails you send us and our replies
  • Support requests and related correspondence

Marketing data (if you opt in):

  • Marketing preferences and consent records
  • Engagement with marketing emails (opens and clicks) where technically available

We do not intentionally collect special category data (such as health data or political opinions).

4. How we collect personal data

  • Directly from you when you register, subscribe, contact us, or link your Telegram account.
  • Automatically when you use the Service, via cookies and similar technologies (see section 9).
  • From Stripe when you make a payment (billing metadata and transaction status).
  • From Telegram when you connect a Telegram account (your user ID and username).

5. Why we use your personal data and our lawful bases

Under the UK GDPR, we must have a lawful basis for each use of your personal data. Our uses and bases are:

Purpose Lawful basis
Creating and operating your accountPerformance of a contract
Providing Pro features, including the Telegram channelPerformance of a contract
Taking payment and managing billing, refunds, and chargebacksPerformance of a contract; legal obligation
Sending service emails (trial ending, payment receipts, cancellation confirmations)Performance of a contract
Detecting and preventing fraud, abuse, and unauthorised accessLegitimate interests (protecting our Service and users)
Measuring how the Service is used to improve itConsent (via cookies, where required)
Sending marketing emails about yellow.cardsConsent
Responding to support queriesLegitimate interests; performance of a contract
Complying with legal, tax, and accounting obligationsLegal obligation
Establishing, exercising, or defending legal claimsLegitimate interests

Where we rely on legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. You can ask for details of this assessment at [email protected].

Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

6. Who we share personal data with

We share personal data only with the following categories of recipient, and only where necessary:

Stripe Payments Europe Ltd — payment processing. Stripe acts as a separate controller for certain payment and fraud-prevention purposes. See https://stripe.com/gb/privacy.

Google Ireland Ltd (Google Analytics 4) — analytics and usage measurement. GA4 data is used in an aggregated form to understand how the Service is used. See section 9 (cookies) and section 10 (international transfers).

Telegram FZ-LLC — if you choose to use our Telegram channel, your interactions there are subject to Telegram's own privacy policy. We do not control Telegram. See https://telegram.org/privacy.

Email and hosting providers — infrastructure providers that host the Service, send transactional emails, and store backups. These providers act as processors under our instructions.

Professional advisers — accountants, lawyers, and auditors where engaged, bound by confidentiality.

Regulators, law enforcement, and other authorities — where we are legally required to disclose personal data, or to protect our legal rights.

Acquirers — if the business or its assets are sold or transferred, personal data may be transferred as part of that transaction. You will be notified.

We do not sell your personal data, and we do not share it with advertising networks for cross-site behavioural advertising.

Note on our data source: Football statistics displayed in the Service are sourced from SportMonks via PlayerStats.Football (also operated by WalkWeb Digital Ltd). This data relates to footballers, teams, and fixtures; it is not your personal data and is not shared with SportMonks or any third party in connection with your account.

7. Bookmaker odds and affiliate links

The Service displays bookmaker odds for informational purposes. If we introduce affiliate links to bookmakers in future, clicking those links may cause the bookmaker to set its own cookies or collect data from you under its own privacy policy. We will update this policy and, where required, seek your consent before such links are enabled.

We do not currently share your personal data with any bookmaker.

8. How long we keep personal data

We keep personal data only as long as necessary for the purposes set out above:

  • Account data: while your account is active, and for up to 24 months after closure, unless a longer period is required by law.
  • Payment and transaction records: at least 6 years from the end of the relevant financial year, to comply with UK tax and accounting law.
  • Support correspondence: up to 3 years from the last contact.
  • Marketing consent records: while consent is in force, and for up to 3 years after withdrawal, to evidence compliance.
  • Analytics data (Google Analytics): retained for 14 months at event level, then aggregated.
  • Server logs: typically 30 to 90 days.

When the retention period ends, personal data is deleted or irreversibly anonymised.

9. Cookies and similar technologies

We use cookies and similar technologies. These fall into two categories:

Strictly necessary cookies — required for the Service to function (for example, keeping you logged in, remembering your subscription status, security). These are set without consent because the Service cannot operate without them.

Analytics cookies — set by Google Analytics 4 to help us understand usage patterns (pages visited, features used, session length, approximate location). These are set only with your consent, collected via our cookie banner. You can withdraw consent at any time via the "Cookie settings" link in the footer.

We do not currently use advertising or cross-site tracking cookies. If this changes, we will update this policy and request fresh consent where required.

Cookie settings and behaviour are governed by UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

10. International transfers

Some of our service providers are based outside the UK. Where personal data is transferred outside the UK, we rely on one or more of the following safeguards:

  • UK adequacy regulations — where the destination country has been deemed adequate by the UK government (for example, the EU and EEA).
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with appropriate technical and organisational measures.
  • The UK Extension to the EU-US Data Privacy Framework, for transfers to certified US-based providers where applicable.

Google Analytics processes data on infrastructure that may be located in the US and other jurisdictions. We rely on the UK Extension to the EU-US Data Privacy Framework and/or Standard Contractual Clauses for these transfers. A copy of the relevant transfer mechanism is available on request from [email protected].

11. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data, subject to legal retention obligations.
  • Restriction — ask us to limit how we use your data in certain circumstances.
  • Portability — receive your data in a structured, commonly used, machine-readable format, or have it sent to another controller where technically feasible.
  • Objection — object to processing based on legitimate interests, including profiling, and to any direct marketing.
  • Withdraw consent — where we rely on consent, withdraw it at any time.
  • Not be subject to solely automated decisions — we do not make decisions about you using solely automated means that produce legal or similarly significant effects.

To exercise any of these rights, email [email protected]. We will respond within one month. We may ask for information to verify your identity.

If you are unhappy with how we have handled your personal data, you can complain to the UK Information Commissioner's Office:

  • Website: https://ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would appreciate the chance to address your concerns first, so please consider contacting us before approaching the ICO.

12. Security

We use appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, hashed passwords, access controls, isolated production environments, regular backups, and Stripe's PCI-DSS compliant payment infrastructure. No system is perfectly secure, and we cannot guarantee absolute security; if a personal data breach occurs that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and, where required, notify you.

13. Marketing communications

We will only send you marketing emails about yellow.cards if you have opted in, or if you are an existing customer and we are marketing similar services (the "soft opt-in" under PECR). Every marketing email includes an unsubscribe link, and you can opt out at any time by clicking it or by emailing [email protected]. Opting out of marketing does not affect service emails (such as billing receipts and trial reminders), which we must send to provide the Service.

14. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. If the changes are material, we will notify active subscribers by email at least 14 days before the changes take effect. Continued use of the Service after the effective date means you accept the updated policy.

15. Contact

For any questions about this Privacy Policy or how we handle your personal data:

WalkWeb Digital Ltd
Email: [email protected]