Cookie Policy
1. What Are Cookies?
Cookies are small text files placed on your browser or device when you visit a website. They allow the site to remember information between page loads and visits — for example, that you are logged in. Cookies cannot execute code or deliver viruses; they are simply data files.
We also make use of server-side sessions: your browser holds only an opaque session identifier in a cookie, while the actual session data (your login state, CSRF tokens, etc.) is stored securely on our server and never transmitted to your browser directly.
2. How We Use Cookies
Clever Punts uses cookies exclusively for the following purposes:
- Maintaining your authenticated session after you log in
- Keeping you signed in between browser restarts if you select “Remember Me”
- Protecting your account against cross-site request forgery (CSRF) attacks
- Processing subscription payments securely via Stripe
- Protecting the site from bots and DDoS attacks via Cloudflare
We do not use Google Analytics, Facebook Pixel, advertising networks, or any behavioural tracking cookies.
3. Cookies We Set (First-Party)
These cookies are set directly by cleverpunts.com.
Authentication & Session Cookies
| Cookie Name | Category | Lifetime | Purpose |
|---|---|---|---|
| MEMBER_SESSION | Essential | Browser session (cleared on close) | Your core authentication session cookie. Set when you log in and automatically deleted when you close your browser. Contains only an encrypted session ID — no personal data is stored inside the cookie itself. The corresponding server-side session expires after 4 hours of inactivity regardless. Flagged HttpOnly (inaccessible to JavaScript), Secure (HTTPS only), and SameSite=Strict (never sent on cross-site requests). |
| remember_token | Functional | 30 days | Only set if you explicitly tick “Remember Me” on the login form. Contains a hashed, single-use token that allows you to remain signed in across browser restarts. The token is rotated on every use and permanently invalidated on logout or password change. Also flagged Secure and SameSite=Strict. |
| cleverpunts_saved_team | Functional | 1 year | Used on the Football landing page to remember your team selection, so you do not have to reselect it on every page load. Also flagged HttpOnly, Secure, and SameSite=Strict. |
Security (CSRF Protection)
| Cookie Name | Category | Lifetime | Purpose |
|---|---|---|---|
| CSRF token (session-bound) | Essential | 1 hour | A Cross-Site Request Forgery token is generated for every authenticated action (login, registration, subscription changes, account settings). It is stored inside your encrypted server-side session — not as a separate browser cookie — and validated on every form submission to prevent malicious third-party sites from acting on your behalf. |
4. Third-Party Cookies
The following cookies are set by third-party services we use to operate the site. We have no control over their content, but list them here for full transparency.
Stripe — Payment Processing
When you access subscription or payment pages, the Stripe.js library is loaded to handle payment card fields securely. Stripe may set the following cookies for fraud detection.
| Cookie Name | Category | Lifetime | Purpose |
|---|---|---|---|
| __stripe_mid | Third-Party | 1 year | Fraud prevention. Stripe uses this to identify your browser across sessions when assessing payment risk. |
| __stripe_sid | Third-Party | 30 minutes | Fraud prevention. Short-lived session identifier used during the active Stripe checkout flow. |
Stripe processes payments on our behalf under their own Privacy Policy. These cookies are strictly necessary to accept online payments; without them we cannot offer subscriptions.
Cloudflare — Security & Performance
Our site is proxied through Cloudflare, which protects against DDoS attacks, bot abuse, and malicious traffic. Cloudflare may set the following cookies.
| Cookie Name | Category | Lifetime | Purpose |
|---|---|---|---|
| __cf_bm | Third-Party | 30 minutes | Bot management. Distinguishes human visitors from automated bots to protect the site from abuse. |
| cf_clearance | Third-Party | 1 year | Set after a successful Cloudflare security challenge to avoid repeated challenges for returning visitors. |
Cloudflare’s data use is governed by their Privacy Policy. These cookies are strictly necessary for the availability and security of this website.
5. Membership & Subscription Data
Your membership status, subscription plan, billing history, and account preferences are stored in our secure database — not in cookies. When you are logged in, your session cookie contains only a reference ID; the site retrieves your account details server-side on each page load.
Server-side session data includes: your user ID, login timestamp, and CSRF token. This data is discarded when your session expires (4 hours of inactivity, or when you close your browser).
6. Legal Basis (UK GDPR & PECR)
Under the UK Privacy and Electronic Communications Regulations (PECR) and UK GDPR, we rely on the following bases for the cookies we set:
| Cookie Type | Legal Basis | Can You Opt Out? |
|---|---|---|
| Essential session & CSRF cookies (MEMBER_SESSION) | Strictly necessary — no consent required under PECR Regulation 6(4) | No — disabling these prevents login and account access |
| Remember Me cookie (remember_token) | Activated only by your explicit opt-in action on the login form | Yes — simply do not tick “Remember Me”, or clear cookies at any time |
| Stripe fraud-prevention cookies | Strictly necessary — required to process payments securely | No — disabling these prevents checkout from functioning |
| Cloudflare security cookies | Strictly necessary — required for site security and availability | No — set transparently at network level |
Because all cookies on this site are either strictly necessary or activated only by your own deliberate action, we do not display a cookie consent banner for these categories. Should we introduce any optional cookies (e.g. analytics) in the future, we will update this policy and obtain your prior consent.
7. How to Manage or Delete Cookies
You can control and delete cookies at any time through your browser settings. Please note that disabling essential cookies will prevent you from logging in or using your account.
Browser cookie management guides:
To end your Clever Punts session, use the Sign Out link in the navigation. This destroys your server-side session immediately and removes the session cookie from your browser.
8. Changes to This Policy
We may update this Cookie Policy from time to time to reflect changes in technology, legislation, or the services we use. When we make material changes we will update the “Last updated” date at the top of this page. Continued use of Clever Punts after any changes constitutes acceptance of the updated policy.
9. Contact Us
If you have questions about our use of cookies or this policy, please get in touch:
You also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office (ICO), if you believe your rights have not been respected.