Privacy Policy
Last updated: 27 May 2026
1. Who we are
tasy.fan is an independent fantasy sports platform ("we", "us", "our"). tasy.fan is not affiliated with, endorsed by, licensed by, or associated with FIFA, UEFA, any national football federation, or any official tournament organiser.
Contact: support@tasy.fan
2. What data we collect
Account data: email address and display name provided when you sign in via Google OAuth or magic link.
Game data: squad selections, player picks, bracket predictions, captain choices, and transfer history.
Usage data: pages visited, features used, timestamps. Collected in aggregate via Vercel Analytics (no personal identifiers).
Technical data: IP address, browser type, device type — retained for up to 30 days for security purposes only.
We do not collect payment information, phone numbers, or physical addresses.
3. Why we collect it and legal basis (GDPR)
To provide the service (Art. 6(1)(b) — performance of a contract): account creation, saving squads and bracket picks, displaying your rank.
Legitimate interests (Art. 6(1)(f)): fraud prevention, security monitoring, platform improvement.
Consent (Art. 6(1)(a)): marketing emails, if you opt in. You can withdraw consent at any time.
4. How long we keep your data
Account and game data: retained while your account is active and for 90 days after deletion request.
Usage and technical logs: 30 days.
You can request deletion at any time (see Section 7).
5. Who we share data with
We use the following sub-processors, each with their own privacy policies:
- Supabase (database and authentication) — servers in EU West (Frankfurt, Germany)
- Vercel (hosting and edge network) — servers globally; data processed in accordance with Standard Contractual Clauses
- Google (OAuth sign-in only) — governed by Google's privacy policy
- API-Football / API-Sports (football statistics data) — we receive player and fixture data only; your personal data is not shared with them
We do not sell, rent, or trade your personal data. Ever.
6. Cookies
We use a single session cookie to keep you signed in (Supabase auth token). We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
Disabling cookies will prevent sign-in but not browsing or using the bracket predictor anonymously.
7. Your rights (GDPR / UK GDPR)
If you are in the EEA or UK, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and all associated data
- Portability — receive your game data in a machine-readable format (JSON)
- Object — object to processing based on legitimate interests
- Restriction — request we limit processing while a dispute is resolved
To exercise any of these rights, email support@tasy.fan. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority (e.g. ICO in the UK, or your local EU supervisory authority).
8. Data security
All data is encrypted in transit (TLS) and at rest (AES-256 via Supabase). Row-level security policies ensure users can only access their own data. We conduct periodic security reviews.
9. Children
tasy.fan is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, contact us immediately.
10. Changes to this policy
We will notify registered users by email of any material changes to this policy at least 14 days before they take effect. The "last updated" date above will always reflect the current version.