Privacy Policy
Last updated: 2026-06-08
Summary
We collect the minimum we need to run a fantasy sports platform. We don't sell your personal data. We host on Cloudflare and Vercel, use Supabase for auth + database, and PostHog for product analytics. You can delete your account anytime by emailing us.
What we collect
- Account data: email address (required for sign-in) and display name (you choose per league).
- League data: leagues you create or join, surfers you draft, picks you make, trades you propose. This is the actual product.
- Usage data: pages you view, features you use, league interactions. Collected via PostHog (no IP or location enrichment).
- Technical logs: standard server logs (request paths, response codes, timestamps) retained for 30 days for debugging and abuse prevention.
What we don't collect
- Real names (unless you put one in your display name)
- Phone numbers
- Payment information (the platform is currently free)
- Precise location
- Data from anyone under 13
Why we collect it
- To operate the Service: serve pages, run drafts, score contests
- To send transactional email (signup confirmation, password reset, league invites)
- To understand which features users actually use (PostHog product analytics)
- To prevent abuse + investigate security incidents
Who we share it with
We use the following third-party processors. We share only the data each one needs to do its job:
- Supabase — auth + database hosting (US-East). Stores email, hashed password, league + draft data.
- Vercel — application hosting + edge network. Sees request metadata.
- Cloudflare — DNS, cron, email routing. Sees request metadata; routes inbound mail to the founder's personal inbox.
- PostHog (US) — product analytics. Sees pageviews + custom events with a stable random identifier (your auth user ID). No PII other than email.
- Resend (planned) — transactional email delivery. Will see your email address.
We do not sell your data. We don't use ad-network trackers, retargeting pixels, or third-party analytics beyond the above.
Data sources we pull from
FSG aggregates publicly available data from the World Surf League and other surfing data sources to power the live tracker, scoring, and predictions. We do not associate WSL or other public-source data with your personal account.
How long we keep it
- Account + league data: as long as your account is active.
- Analytics events: 90 days (PostHog default), then aggregated.
- Server logs: 30 days.
- After deletion: we remove your account record, your draft picks, your trades, and any personally-identifiable analytics within 30 days. League records (e.g. final standings) may stay visible as historical data with your display name retained or anonymized — your choice when you request deletion.
Your rights
You can view and edit basic profile data from your leagues page. To export, correct, or delete your data, email bryce@fantasysurfgames.com — we'll respond within 30 days. If you're in California, the EU, or another jurisdiction with specific data-protection laws, you have the rights granted by those laws and can invoke them via the same email.
Cookies
We use cookies that are strictly necessary to keep you logged in (Supabase Auth session cookies) and one cookie for our admin dashboard. We don't use advertising or cross-site tracking cookies.
Security
Passwords are hashed by Supabase Auth (Argon2). Database connections require TLS. We enable Row-Level Security on every public table, gated by league membership. We don't store any credit card or banking information.
Changes to this policy
We'll update the "Last updated" date and notify active users by email for material changes.
Contact
Privacy questions, deletion requests, or anything else: bryce@fantasysurfgames.com.