Privacy & Cookie Policy
Effective Date: March 25, 2026 · Last Updated: March 25, 2026
40Man LLC ("we," "us," or "our") operates the website 40man.app (the "Service"). 40Man LLC is the data controller responsible for your personal data. This Privacy & Cookie Policy explains what information we collect, how we use it, how we protect it, and your rights regarding your data.
By using the Service, you acknowledge the collection and use of information as described in this policy.
1. Information We Collect
We collect the following categories of information:
Account Information: When you create an account, we collect your email address and a password. Passwords are hashed and encrypted via Supabase Auth — we never store or have access to plaintext passwords.
Voting Data: When you vote on player or draft pick values, we record your ballot responses (HR/BB/K rankings), the format selected, and a timestamp. Votes are tied to your user ID.
Trade Calculator Data: When you use the trade calculator, we log the assets on each side, the format used, and the values at the time of calculation. Authenticated users' calculations are tied to their user ID. Anonymous calculations are not tied to any account.
Usage Data: We automatically collect basic usage information such as pages visited, session duration, browser type, device type, and referring URL. This data is collected by our hosting provider (Vercel) and is used to improve the Service.
Payment Information: When you subscribe to a paid plan, payment is processed by Stripe. We do not collect, store, or have access to your credit card number, bank account details, or other payment credentials. Stripe handles all payment data in accordance with PCI-DSS standards. We receive only a transaction confirmation, subscription status, and billing email from Stripe.
2. Information We Do Not Collect
We do not collect your real name (not required for signup).
We do not collect your physical address.
We do not collect your phone number.
We do not collect precise geolocation data. Our hosting provider (Vercel) provides general geographic information (country-level) from IP addresses for security purposes only.
We do not sell, rent, or trade your personal information to third parties.
3. How We Use Your Information
We use the information we collect for the following purposes:
To create and manage your account.
To provide and maintain the Service, including calculating player values and processing votes.
To process payments and manage subscriptions via Stripe.
To communicate with you about your account, including transactional emails (signup confirmation, password reset, subscription receipts).
To improve the Service based on aggregated, anonymized usage patterns.
To enforce our Terms of Service and protect against misuse.
To comply with legal obligations.
4. How We Store and Protect Your Data
Your data is stored in a Supabase-hosted PostgreSQL database. Supabase provides encryption at rest and in transit, row-level security policies, and secure authentication infrastructure.
The Service is hosted on Vercel, which provides HTTPS encryption for all connections, DDoS protection, and secure deployment infrastructure.
We implement row-level security (RLS) on all database tables to ensure users can only access data they are authorized to see.
While we take reasonable measures to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
5. Third-Party Services
We use the following third-party services that may process your data:
Supabase: Database hosting, user authentication, and API infrastructure. Supabase processes your email, hashed password, and application data. Privacy policy: supabase.com/privacy.
Vercel: Website hosting, deployment, and basic analytics. Vercel processes IP addresses, browser information, and page view data. Privacy policy: vercel.com/legal/privacy-policy.
Stripe: Payment processing for subscriptions. Stripe processes your payment method, billing email, and transaction data. We do not have access to your full payment details. Privacy policy: stripe.com/privacy.
Resend (planned): Transactional email delivery (signup confirmation, password reset). Resend processes your email address for delivery purposes only. If implemented, this policy will be updated prior to activation of this service.
We do not use advertising networks, tracking pixels, or third-party analytics platforms beyond what is described above.
6. International Data Transfers
Your data may be transferred to and processed in the United States, where our Service and third-party providers (Supabase, Vercel, Stripe) operate. If you are accessing the Service from outside the United States, please be aware that your data may be subject to U.S. data protection laws, which may differ from the laws in your jurisdiction. By using the Service, you consent to the transfer of your data to the United States. We take reasonable steps to ensure your data is treated securely and in accordance with this policy regardless of where it is processed.
7. Cookies and Local Storage
The Service uses cookies and browser local storage as follows:
Authentication Cookies: Supabase Auth sets secure, HTTP-only cookies to maintain your login session. These are essential for the Service to function and cannot be disabled.
Local Storage — Format Preference: We store your last-used format selection (e.g., Roto Standard, H2H OBP, Points) in your browser's localStorage so it is pre-selected on your next visit. This data never leaves your browser.
Local Storage — Anonymous Usage Counter: For unauthenticated users, we store a counter in localStorage to track the number of trade calculations performed. This is used to prompt account creation after a limited number of anonymous uses. This data never leaves your browser.
Local Storage — Theme Preference: We store your light/dark mode preference in localStorage. This data never leaves your browser.
We do not use third-party advertising cookies, tracking cookies, or cross-site cookies. We do not participate in ad networks or retargeting programs.
8. Data Retention
We retain your account information and associated data for as long as your account is active.
If you delete your account, we will delete your personal information (email, user ID associations) within 30 days. Anonymized, aggregated data (such as vote tallies that are no longer tied to individual users) may be retained indefinitely to maintain the integrity of the crowdsourced value system.
Trade calculation logs are retained for the purpose of Service improvement and may be anonymized after 12 months.
Stripe retains payment records in accordance with their own data retention policies and applicable financial regulations.
9. Your Rights
You have the following rights regarding your data:
Access: You may request a copy of the personal data we hold about you by contacting us at the email address below.
Correction: You may update your email address or password through your account settings.
Deletion: You may request deletion of your account and associated personal data by contacting us. We will process deletion requests within 30 days.
Export: You may request an export of your data in a machine-readable format.
Opt-Out: You may opt out of non-essential communications at any time. Essential transactional emails (password reset, account security) cannot be opted out of while your account is active.
10. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
The right to know what personal information we collect, use, and disclose.
The right to request deletion of your personal information.
The right to opt out of the sale of your personal information. We do not sell personal information.
The right to non-discrimination for exercising your CCPA rights.
To exercise these rights, contact us at the email address below. We will respond within 45 days.
11. European Users (GDPR)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
The right to access, rectify, or erase your personal data.
The right to restrict or object to processing.
The right to data portability.
The right to withdraw consent at any time.
Our legal bases for processing your data are: (a) performance of a contract (providing the Service you signed up for), (b) legitimate interests (improving the Service, preventing abuse), and (c) your consent (where applicable).
To exercise these rights, contact us at the email address below.
12. Children's Privacy
The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us.
13. Geographic Restrictions
Access to the Service may be restricted from certain geographic regions for security and intellectual property protection purposes. Users attempting to access the Service from restricted regions will receive an access denied response. We do not store or log personal information from blocked requests beyond standard server access logs.
14. Do Not Track
The Service does not respond to "Do Not Track" browser signals. Because we do not use third-party tracking cookies or advertising networks, your browsing experience on the Service is the same regardless of your Do Not Track setting.
15. Data Breach Notification
In the event of a data breach that compromises your personal information, we will notify affected users and applicable regulatory authorities as required by law. Notification will be made as promptly as practicable and will include a description of the breach, the types of data affected, and steps we are taking in response.
16. Legal Disclosure
We may disclose your personal information if required to do so by law, in response to a valid legal process (such as a subpoena or court order), or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
17. Changes to This Policy
We may update this Privacy & Cookie Policy from time to time. If we make material changes, we will notify you by posting the updated policy on the Service with a revised "Last Updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
For material changes that significantly affect how we handle your data, we will make reasonable efforts to notify you via email or a prominent notice on the Service.
18. Contact
If you have questions about this Privacy & Cookie Policy or wish to exercise your data rights, contact us at:
40Man LLC
Email: ross@40man.app
Mailing Address: 5900 Balcones Drive, Ste 100, Austin, TX 78731
40Man LLC — Privacy & Cookie Policy v1.1