Privacy Policy

Last updated: April 1, 2026

1. Information We Collect

We collect the following categories of information:

  • Account data: Username, email address, hashed password (bcrypt, cost factor 12).
  • Profile data: Community handle, Telegram username, wallet address (optional).
  • Activity data: Team submissions, booster usage, leaderboard positions.
  • Device data: IP address, hashed device fingerprint (hashed client-side before transmission).

2. How We Use Your Information

  • Operating and improving the Platform.
  • Preventing duplicate accounts and fraudulent activity.
  • Distributing prizes to your wallet address.
  • Sending email notifications (match opens, lock reminders, points, rewards).
  • Providing customer support and handling disputes.

3. Authentication & Security

Passwords are hashed with bcrypt at cost factor 12 and never stored in plaintext. Authentication uses JWTs stored in httpOnly cookies, with 60-minute access tokens and 7-day refresh tokens. Error messages are deliberately generic to prevent user enumeration.

4. Rate Limiting

To protect accounts and prevent abuse, we enforce the following limits:

  • Login: 5 attempts per 15 minutes.
  • Registration: 3 attempts per hour.
  • Team submission: 10 attempts per hour.

5. Data Sharing

We do not sell your personal data. We may share limited data with:

  • Email providers (Mailgun or SendGrid) for transactional emails.
  • Cloud storage (AWS S3 or Cloudflare R2) for file hosting.
  • Blockchain networks when distributing prize payouts (wallet addresses and transaction amounts are publicly visible on-chain).

6. Public Information

The following information is publicly visible: your username, leaderboard rank, team submissions (after match completion), and prize winnings (including blockchain transaction hashes). Wallet addresses associated with prize payouts are published on the blockchain.

7. Data Retention

  • Account data is retained for the lifetime of your account.
  • Activity logs and audit trails are retained for 90 days.
  • Nightly database backups are retained for 7 days.
  • Unclaimed reward records are retained for 48 hours before forfeiture.

8. Your Rights

You may request to view, correct, or delete your personal data by contacting us at privacy@fantasyleague.com. Account deletion will remove your profile, but public leaderboard history and on-chain transactions are permanent.

9. Cookies

We use httpOnly cookies for authentication tokens only. We do not use advertising or tracking cookies. No third-party cookies are set.

10. Changes

We may update this policy as needed. Material changes will be communicated via email notification at least 14 days before taking effect.