Privacy Policy
Last updated: June 10, 2026
Effective date: April 24, 2026
1. Introduction and Scope
This Privacy Policy ("Policy") describes how [COMPANY_LEGAL_NAME], doing business as Hall of Fantasy ("Hall of Fantasy", "we", "us", "our"), collects, uses, discloses, stores, and protects your personal information when you access or use the Hall of Fantasy website at leaguelegacy.app, the "Hall of Fantasy — ESPN Sync" browser extension, and all related services, features, and applications (collectively, the "Service").
This Policy applies to all users of the Service, including league commissioners who purchase subscriptions, league members who access the Service via invite links, and visitors who browse the public-facing portions of the website. It also addresses data we hold about individuals who do not have Hall of Fantasy accounts but whose fantasy league data has been imported by a commissioner.
By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the Service. This Policy is incorporated into and subject to our Terms of Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address, display name, and either a password hash (for email/password registration) or OAuth identifiers (for social login via Google or Apple). We do not store plaintext passwords.
2.2 Profile Information
You may optionally provide additional profile information, including an avatar image and display preferences. This information is associated with your account and visible to other members of your leagues.
2.3 Fantasy Platform Data
When you connect a fantasy sports platform, we import and store the following categories of data: league names and identifiers, season years, team names, manager names, matchup results and scores, draft picks and draft order, roster compositions, player transactions (trades, adds, drops), and season-level results (standings, records, playoff outcomes, and awards). This data is imported from ESPN, Sleeper, Yahoo, and any other platforms we support. If you connect ESPN through the "Hall of Fantasy — ESPN Sync" browser extension, we also store a cryptographic hash of the API token you generate to authenticate the extension (see Section 5).
2.4 Payment Information
All payment processing is handled by Stripe, Inc. When you purchase a subscription, Stripe collects and processes your payment card information directly. Hall of Fantasy never receives, processes, or stores your full credit card number, CVV, expiration date, or other sensitive payment card data. We receive only payment confirmation details from Stripe, such as the last four digits of your card, card brand, billing email, payment status, subscription status, and transaction amounts.
2.5 Usage and Analytics Data
We collect usage data about how you interact with the Service, including pages viewed, features used, actions taken, session duration, and navigation paths. This data is collected via Posthog and is used for product analytics and improvement.
2.6 Technical Data
We automatically collect certain technical information when you access the Service, including your IP address, browser type and version, operating system, device type, screen resolution, referring URL, and timestamps of access. This data is used for security, abuse prevention, rate limiting, and service optimization.
2.7 Support Communications
When you contact us for support — whether through our in-app chat (powered by Crisp), email, or any other channel — we collect and retain the content of those communications, including any attachments, along with associated metadata (timestamps, email addresses, chat session identifiers).
2.8 Impersonation Session Records
When an administrator uses the impersonation feature for troubleshooting purposes, we log the session (including the admin user, target user, timestamp, and duration). These records are for internal auditing and security purposes only and are not shared with third parties.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Operation: Storing, processing, aggregating, and displaying your historical fantasy football data; generating League Wrapped pages and other analytics features.
- Account Management: Creating and maintaining your account, authenticating your identity, and managing your subscription status.
- Payment Processing: Facilitating subscription purchases, renewals, and cancellations through Stripe.
- Transactional Communications: Sending emails related to your account (welcome emails, password resets), billing (payment confirmations, renewal reminders, cancellation confirmations), and service updates (maintenance notices, feature changes). These are not marketing emails and cannot be opted out of while your account is active.
- Product Updates (Optional): Sending product announcements, feature updates, and newsletters. You may opt in or out of these communications at any time.
- Analytics and Product Improvement: Analyzing usage patterns to understand how the Service is used, identify issues, and improve features and user experience.
- Fraud Prevention and Security: Detecting, preventing, and responding to fraud, abuse, security incidents, and technical issues. This includes rate limiting, IP-based abuse detection, and audit logging.
- Legal Compliance: Complying with applicable laws, regulations, legal processes, or governmental requests.
4. How We Share Information
We do not sell your personal information. We share your data only in the following circumstances and with the following service providers:
4.1 Service Providers
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States (AWS US-East) |
| Vercel | Application hosting and edge network | United States |
| Stripe | Payment processing (PCI-DSS compliant) | United States |
| Resend | Transactional email delivery | United States |
| Inngest | Background job processing | United States |
| Posthog | Product analytics | United States |
| Crisp | Customer support live chat | European Union (Paris, France) |
| Sentry | Error monitoring and crash reporting | United States |
| Upstash | Rate limiting and request throttling | United States |
Each service provider processes data in accordance with their own privacy policies and applicable data processing agreements. We select providers who maintain appropriate security measures and limit our data sharing to what is necessary for each provider to perform its function.
4.2 Legal Process
We may disclose your information if required to do so by law or in response to valid legal process, including subpoenas, court orders, search warrants, or lawful requests from law enforcement or governmental agencies. We will make reasonable efforts to notify you of such requests unless prohibited by law or court order.
4.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, asset sale, or similar business transaction, your personal information may be transferred as part of the transaction. We will provide notice to affected users via email before your personal information becomes subject to a different privacy policy.
4.4 Aggregated or De-Identified Data
We may share aggregated or de-identified data that cannot reasonably be used to identify you. This data may be used for industry analysis, research, marketing, or other purposes. For example, we may publish aggregated statistics about fantasy football trends across our user base.
5. Third-Party Platform Data
5.1 ESPN Sync via Browser Extension
ESPN data is imported through the "Hall of Fantasy — ESPN Sync" Chrome extension, which you voluntarily install and which runs entirely in your browser. With respect to ESPN authentication cookies (including the "SWID" and "espn_s2" cookies) and other ESPN credentials, the extension:
- Never reads, accesses, stores, or transmits ESPN cookies or credentials in any form.
- Does not request the browser's cookie permission and is technically incapable of reading cookies.
- Relies on the browser to attach your existing ESPN session to requests the extension makes to ESPN's API — the same way the browser does when you visit espn.com directly.
The fantasy league data returned by ESPN's API is normalized within your browser and transmitted to Hall of Fantasy servers for storage and display, together with your Hall of Fantasy API token (see Section 5.2). No ESPN credentials, cookies, or personal ESPN account data are ever sent to, stored on, or logged by Hall of Fantasy servers (not in application logs, error logs, analytics, or any other system).
Every ESPN sync is initiated by you by clicking a sync button in the extension. There is no automatic, scheduled, or background syncing of ESPN data. The extension is read-only with respect to ESPN: it retrieves data and never modifies anything in your ESPN account (no roster moves, no trades, no lineup changes).
5.2 Hall of Fantasy API Token
The extension authenticates to Hall of Fantasy using an API token that you generate in your account settings. The token is displayed once at the time of generation. Hall of Fantasy stores only a cryptographic hash of the token on its servers — never the token itself — and the extension stores the token locally in your browser. You can revoke or regenerate the token at any time in your account settings.
5.3 Normalized Fantasy Data
Fantasy league data imported from ESPN, Sleeper, Yahoo, and other supported platforms is normalized into a common format and stored on Hall of Fantasy servers (hosted via Supabase on AWS US infrastructure). This stored data includes league metadata, season results, matchup scores, draft information, roster data, and transaction history.
5.4 Disconnecting Platforms and Data Deletion
You may disconnect any connected fantasy platform at any time. You may also request deletion of all data imported from a specific platform or all platforms by contacting privacy@leaguelegacy.app. Deletion requests are processed within thirty (30) days of verification.
6. League Member Data
What We Store. When a commissioner imports a fantasy league, data about all members of that league is stored in Hall of Fantasy, including individuals who do not have and may never create a Hall of Fantasy account. This data includes: manager display names (as they appear on the fantasy platform), team names, scores, win-loss records, draft picks, transaction history, and other historical league statistics.
Commissioner Authorization. Commissioners represent that they have authorization from their league members to import this data, or have a reasonable basis to believe league members would consent. Hall of Fantasy relies on this representation and is not responsible for verifying individual league member consent.
Rights of Non-Account-Holding League Members. If you are a league member whose data has been imported into Hall of Fantasy but you do not hold an account, you may contact us at privacy@leaguelegacy.app to:
- Access: Request a copy of the data Hall of Fantasy holds about you.
- Correction: Request correction of any inaccurate data about you.
- Deletion: Request deletion of your data from Hall of Fantasy.
We will verify your identity through reasonable means (such as confirming your name and the league in which you participated) and honor verified requests within thirty (30) days. Deletion of a league member's data may affect the completeness of historical league records for other members of that league.
7. Publicly Shareable Content
League Wrapped Pages. Hall of Fantasy provides a "League Wrapped" feature that generates shareable summary pages for fantasy leagues. These pages are accessible to anyone with the URL — no authentication is required to view them. This public accessibility is by design and is the intended use of the feature.
What Is Publicly Displayed. Publicly shared Wrapped pages may display league member names, team names, scores, win-loss records, statistical highlights, awards, and other league data.
Commissioner Responsibility. The decision to generate and share a Wrapped URL is made by the league commissioner. By generating a shareable URL, the commissioner represents that they have authorization from league members to make this data publicly viewable.
Requesting Removal. If you are a league member and do not consent to the public display of your data in a League Wrapped page, you may: (a) contact your league commissioner and request they regenerate the page without your data or stop sharing the URL; or (b) contact Hall of Fantasy at privacy@leaguelegacy.app to request removal of your data from the publicly shared page.
8. Cookies and Tracking
8.1 Strictly Necessary Cookies
These cookies are essential for the operation of the Service. They include authentication session cookies, CSRF protection tokens, and session management cookies. These cookies cannot be disabled as the Service cannot function without them.
8.2 Analytics Cookies
We use Posthog for product analytics. Posthog sets cookies to track usage patterns, feature engagement, and session data across visits. You may opt out of analytics tracking through your account settings. Opting out will prevent future analytics data collection but will not delete previously collected data.
8.3 Support Chat Cookies
Our customer support chat, powered by Crisp, uses cookies to maintain chat session state and link conversations to your identity. These cookies are set only when you open the chat widget and are used solely for support purposes.
8.4 Third-Party Cookies
Embedded third-party services (such as Crisp and Posthog) may set their own cookies when you interact with them. These cookies are subject to the respective third party's privacy policy.
8.5 Do Not Track
Hall of Fantasy does not currently respond to "Do Not Track" (DNT) browser signals. There is no industry-standard technology for recognizing or honoring DNT signals, and this practice is consistent with how most SaaS applications operate. You may opt out of analytics tracking through your account settings as an alternative.
9. Data Storage and Security
Infrastructure. All primary data is stored on Amazon Web Services (AWS) infrastructure located in the United States, provided through Supabase. Application hosting is provided by Vercel, also located in the United States.
Encryption in Transit. All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. API communications between our servers and third-party service providers are also encrypted in transit.
Encryption at Rest. Data stored in our database is encrypted at rest using AES-256 encryption, provided through Supabase's infrastructure.
Access Controls. Administrative access to production systems and databases requires multi-factor authentication. Access to user data is restricted to authorized personnel on a need-to-know basis. Row-level security (RLS) policies are enforced at the database level to ensure users can only access data belonging to their own leagues.
Breach Notification. In the event of a confirmed data breach that affects your personal information, we will make reasonable efforts to notify affected users via email within seventy-two (72) hours of confirming the breach. Notification will include a description of the breach, the types of data affected, steps we are taking in response, and recommended steps you can take to protect yourself.
10. Data Retention
10.1 Active Account Data
Your account data, profile information, fantasy league data, and associated records are retained for as long as your account remains active and your subscription is current.
10.2 Deleted Account Data
When you delete your account, your personal information — including your profile, account credentials, consent records, and associated analytics identifiers — is permanently and immediately removed from our active production systems. Some data may persist briefly in encrypted infrastructure backups before being overwritten in the normal course of operations (see Section 10.3 below); this data is not accessible for any operational purpose. Historical league data (game results, matchups, team records, draft picks) you contributed as a commissioner is retained to preserve service continuity for other league members and is no longer associated with your personal identity after your account is deleted. If you wish to remove league-level data as well, contact us at privacy@leaguelegacy.app and we will evaluate such requests on a case-by-case basis given the impact on other users.
10.3 Database Backups
Supabase maintains encrypted point-in-time database backups that are retained for up to seven (7) days. Deleted data may persist in these backups during this window but is not accessible through the Service for any operational purpose, and will be automatically purged as backups expire in the normal course of operations.
10.4 Analytics Data
Usage analytics data collected via Posthog is de-identified (stripped of direct personal identifiers) after twenty-four (24) months. De-identified analytics data may be retained indefinitely for product improvement and trend analysis.
10.5 Financial Records
Records related to payment transactions, subscription history, invoices, and refunds are retained for a period of seven (7) years after the transaction date, as required for tax reporting and accounting compliance under applicable federal and state law. This retention applies even after account deletion.
10.6 Legal Hold
Data that is subject to a legal hold, litigation preservation notice, or regulatory investigation will be retained for as long as necessary to comply with the applicable legal obligation, regardless of account deletion or other retention periods.
11. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: You may request a copy of the personal information we hold about you by contacting privacy@leaguelegacy.app. We will respond within thirty (30) days of verifying your identity.
- Correction: You may update your profile information directly through your account settings. For corrections to other data, contact support@leaguelegacy.app.
- Deletion: You may delete your account at any time from your account settings page. Account deletion is immediate and irreversible — your personal data is permanently removed from our active systems on request. Alternatively, you may request deletion by contacting privacy@leaguelegacy.app. Some retention exceptions apply (see Section 10), including financial records required for tax compliance and historical league data you contributed as a commissioner.
- Portability: You may request a machine-readable export of your personal data by contacting privacy@leaguelegacy.app. The export format may vary (e.g., JSON or CSV) depending on the data category.
- Opt-Out of Marketing: You may opt out of optional marketing and product update emails at any time via one-click unsubscribe links included in all such emails, or through your account settings. Opting out of marketing does not affect transactional emails (billing, security, service changes).
12. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides you with additional rights regarding your personal information:
- Right to Know: You have the right to request that we disclose the categories of personal information we collect, the purposes for which we collect it, the categories of sources from which it is collected, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain legal exceptions (such as financial record retention).
- Right to Correct: You have the right to request that we correct inaccurate personal information.
- Right to Opt-Out of Sale: Hall of Fantasy does not sell personal information as defined by the CCPA. We do not sell, rent, or trade your personal data to third parties for monetary or other valuable consideration.
- Right to Limit Use of Sensitive Personal Information: We do not collect or process sensitive personal information as defined by the CCPA beyond what is necessary to provide the Service.
- Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, service quality, or access based on exercising your privacy rights.
Authorized Agents. You may designate an authorized agent to submit a request on your behalf. We require the authorized agent to provide written authorization signed by you, along with verification of both your identity and the agent's identity.
Verifiable Consumer Requests. To exercise your rights, contact us at privacy@leaguelegacy.app. We will verify your identity by matching information you provide against information we have on file. We will respond to verifiable requests within forty-five (45) days, with the possibility of a forty-five (45) day extension if reasonably necessary (with notice to you).
13. Children's Privacy (COPPA)
The Service is not directed to, and we do not knowingly collect personal information from, children under the age of thirteen (13). In compliance with the Children's Online Privacy Protection Act ("COPPA"), if we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete such information and terminate the associated account.
If you are a parent or legal guardian and believe that your child under the age of 13 has created a Hall of Fantasy account or otherwise provided personal information to us, please contact us at privacy@leaguelegacy.app. We will promptly investigate and delete any confirmed child accounts and associated data.
14. International Users
Hall of Fantasy is intended for use by residents of the United States only. The Service is operated from, and all data is processed and stored in, the United States. Users located outside the United States are prohibited from using the Service.
If you access the Service from outside the United States despite this restriction, you do so at your own risk and you acknowledge and consent to the transfer, processing, and storage of your personal information in the United States. United States data protection laws may differ from the laws of your country of residence and may not provide the same level of protection.
15. Changes to This Policy
Material Changes. We will notify registered users of material changes to this Privacy Policy via email to the address associated with your account at least thirty (30) days before the changes take effect. Material changes include modifications to the categories of data we collect, how we share data, your rights, or data retention practices.
Minor Changes. Non-material changes (such as clarifications, corrections of typographical errors, or formatting updates) may be made at any time and will be reflected by updating the "Last updated" date at the top of this Policy.
Acceptance. Your continued use of the Service after any changes to this Policy take effect constitutes your acceptance of the revised Policy. If you do not agree with the revised Policy, you should discontinue use of the Service and delete your account.
16. Contact Information
If you have questions about this Privacy Policy, want to exercise your data rights, or have a privacy concern, please contact us:
Hall of Fantasy
[COMPANY_LEGAL_NAME]
[BUSINESS_ADDRESS]
[FOUNDER_NAME], Founder
Privacy requests: privacy@leaguelegacy.app
General support: support@leaguelegacy.app
Legal matters: legal@leaguelegacy.app
DMCA notices: dmca@leaguelegacy.app