Fantasy Rivals — Privacy Policy
Effective date: 22 May 2026 Last updated: 22 May 2026
This Privacy Policy explains how Fantasy Rivals ("the App," "we," "us," or "our") collects, uses, stores, and shares your personal data. We are committed to protecting your privacy and handling your data transparently.
Contact: support@fantasyrivals.app Website: fantasyrivals.app
1. Who This Policy Applies To
This policy applies to everyone who uses the Fantasy Rivals mobile application. You must be at least 13 years old to use the App. We do not knowingly collect data from children under 13. If we discover that we have collected personal data from a child under 13, we will delete that data and the associated account promptly.
2. Data We Collect
2.1 Data you provide directly
| Data | Purpose | Required? |
|---|---|---|
| Phone number | Account creation and login via one-time passcode (OTP) | Yes |
| Display name | Shown on your profile, in leagues, and on leaderboards | Yes |
| Date of birth | Age verification (13+ age gate) | Yes |
| Profile photo / avatar | Displayed on your profile and in leagues | No (optional) |
2.2 Data we collect automatically
| Data | Purpose |
|---|---|
| User ID | Internal identifier assigned at registration; used across our services to link your data |
| App usage analytics | Screen views, feature usage, and interaction events — collected to understand how people use the App and to improve it |
| Crash and error data | Stack traces and device context when something goes wrong — used to identify and fix bugs |
| Push notification token | A device-specific token used to deliver push notifications to your device |
| Device identifiers (advertising) | Used by Google AdMob to serve advertisements; subject to Google's advertising policies |
| Subscription and purchase history | Records of subscription status and transactions, managed by RevenueCat |
2.3 Data we do NOT collect
- We do not collect your precise GPS location.
- We do not collect contacts, call logs, or messages from your device.
- We do not collect any financial or payment card information — all payments are processed by Apple or Google through their respective app stores.
3. How We Use Your Data
We use personal data for the following purposes:
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Creating and managing your account | Contract — necessary to provide the service you signed up for |
| Verifying your identity via OTP | Contract — necessary to authenticate you and secure your account |
| Enforcing the age gate (13+) | Legal obligation — we are required to prevent children under 13 from using the service |
| Displaying your profile to other users in leagues and leaderboards | Contract — core functionality of the service |
| Sending push notifications about matchdays, results, and league activity | Legitimate interest — keeping you informed about activity relevant to you; you can disable notifications in your device settings at any time |
| Showing advertisements (free-tier users) | Legitimate interest — advertising funds the free version of the App; you can limit ad personalisation in your device settings or subscribe to remove ads |
| Analysing app usage to improve the product | Legitimate interest — understanding usage patterns helps us build a better experience; analytics are identified by user ID only and do not include your phone number or name |
| Detecting and fixing crashes and errors | Legitimate interest — maintaining a stable, reliable app; crash reports include user ID only (no phone number, no display name, PII is scrubbed) |
| Managing your subscription | Contract — necessary to deliver and maintain the subscription you purchased |
| Responding to your support requests | Contract — fulfilling our obligations to you |
| Complying with legal obligations | Legal obligation — for example, responding to lawful requests from authorities |
4. Third-Party Services and Data Sharing
We use the following third-party services to operate Fantasy Rivals. Each receives only the minimum data necessary for its function.
4.1 Supabase (database and authentication)
- Data shared: Phone number, user ID, display name, date of birth, avatar photo, picks, league memberships, and all other app data
- Purpose: Primary database and authentication provider
- Hosting: European Union
- More info: supabase.com/privacy
4.2 Twilio Verify (OTP delivery)
- Data shared: Phone number
- Purpose: Sending one-time passcodes for login verification
- Note: Twilio processes your phone number solely to deliver the OTP. We do not share any other personal data with Twilio.
- More info: twilio.com/legal/privacy
4.3 PostHog (analytics)
- Data shared: User ID, anonymous usage events (screen views, feature interactions)
- Purpose: Product analytics to understand how the App is used and to guide improvements
- Hosting: European Union
- Note: Analytics events are identified by your internal user ID only. Your phone number, display name, and date of birth are not sent to PostHog.
- More info: posthog.com/privacy
4.4 Sentry (crash reporting)
- Data shared: User ID, crash data (stack traces, device model, OS version)
- Purpose: Identifying and fixing application errors
- Note: Sentry receives your user ID to help us correlate crash reports. Your phone number, display name, and other personal details are scrubbed before data is sent.
- More info: sentry.io/privacy
4.5 RevenueCat (subscription management)
- Data shared: User ID, purchase and subscription history
- Purpose: Managing subscription status, receipt validation, and entitlements
- Note: RevenueCat does not receive your phone number, display name, or date of birth.
- More info: revenuecat.com/privacy
4.6 Google AdMob (advertising)
- Data shared: Device identifiers and advertising signals as determined by Google's SDK
- Purpose: Serving advertisements to free-tier users
- Note: AdMob may use device-level identifiers to personalise ads in accordance with Google's advertising policies. You can limit ad personalisation through your device's privacy settings. Subscribing to the ad-removal plan stops all ad-related data collection by AdMob.
- More info: policies.google.com/privacy
4.7 Firebase Cloud Messaging (push notifications)
- Data shared: Device push notification token
- Purpose: Delivering push notifications about matchdays, results, and league activity
- Note: Firebase receives a device token, not your phone number or personal details.
- More info: firebase.google.com/support/privacy
4.8 Apple App Store and Google Play (payments)
- Purpose: Processing subscription payments
- Note: We never receive or store your payment card information. All payment processing is handled entirely by Apple or Google.
5. Data Transfers
Your personal data is primarily stored in the European Union (via Supabase and PostHog). Some third-party services (Twilio, Sentry, RevenueCat, Google, Firebase) may process data in the United States or other countries.
Where data is transferred outside the UK, we rely on one or more of the following safeguards:
- The recipient country has been deemed adequate by the UK Secretary of State
- Standard contractual clauses approved for UK transfers (the International Data Transfer Agreement or the International Data Transfer Addendum to the EU SCCs)
- The service provider's compliance with recognised frameworks
6. Data Retention
We retain your personal data only for as long as necessary to provide the service and fulfil the purposes described in this policy.
| Data | Retention period |
|---|---|
| Account data (phone, display name, DOB, avatar, picks, leagues) | Until you delete your account |
| Analytics data (PostHog) | Retained for up to 24 months, then automatically deleted |
| Crash data (Sentry) | Retained for up to 90 days |
| Push notification tokens | Until you delete your account or revoke notification permissions |
| Subscription records (RevenueCat) | Retained in accordance with RevenueCat's policies and applicable tax/accounting obligations |
When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are legally required to retain certain records (for example, transaction records for tax purposes).
7. Your Rights Under UK GDPR
As a user, you have the following rights regarding your personal data. You can exercise any of these rights by contacting us at support@fantasyrivals.app.
7.1 Right of access
You can request a copy of the personal data we hold about you. We will respond within one month.
7.2 Right to rectification
If any of your personal data is inaccurate or incomplete, you can ask us to correct it. You can also update your display name and avatar directly within the App.
7.3 Right to erasure ("right to be forgotten")
You can request that we delete your personal data. The simplest way to do this is to delete your account directly within the App, which will remove your profile and all associated data. You can also contact us to request deletion.
7.4 Right to restrict processing
You can ask us to temporarily stop processing your data in certain circumstances — for example, if you are contesting the accuracy of your data or have objected to processing.
7.5 Right to data portability
You can request that we provide your personal data in a structured, commonly used, machine-readable format so that you can transfer it to another service.
7.6 Right to object
You can object to processing based on our legitimate interests (such as analytics or advertising). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
7.7 Rights related to automated decision-making
We do not make any automated decisions that produce legal or similarly significant effects on you. Points and leaderboard calculations are algorithmic but have no real-world legal or financial impact.
7.8 Right to withdraw consent
Where we process data based on your consent, you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
7.9 Right to complain
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
8. Account Deletion
You can delete your Fantasy Rivals account at any time from within the App. When you delete your account:
- Your profile, display name, avatar, picks history, league memberships, and challenge data are permanently deleted.
- Your data is removed from our database (Supabase) and queued for deletion from third-party services.
- Anonymised analytics data that can no longer be linked to you may be retained.
- If you have an active subscription, deleting your account does not automatically cancel billing. Please cancel your subscription through your device's account settings (Apple App Store or Google Play) to avoid further charges.
9. Children's Privacy
Fantasy Rivals is not intended for children under 13. We collect date of birth during registration specifically to enforce this age requirement. If we become aware that a child under 13 has created an account, we will delete the account and all associated data as quickly as possible.
If you are a parent or guardian and believe your child under 13 has registered for Fantasy Rivals, please contact us at support@fantasyrivals.app and we will take immediate action.
10. Cookies and Tracking Technologies
Fantasy Rivals is a mobile application and does not use browser cookies. However, the following technologies operate similarly to cookies:
- Device identifiers used by Google AdMob for ad delivery and personalisation
- Analytics identifiers used by PostHog to track usage sessions
- Push notification tokens used by Firebase Cloud Messaging
You can control ad personalisation through your device's privacy settings. You can disable push notifications through your device's notification settings.
11. Security
We take reasonable technical and organisational measures to protect your personal data, including:
- Phone number verification for all account access
- Data stored in Supabase with row-level security policies
- Encrypted connections (TLS/HTTPS) for all data in transit
- PII scrubbing in crash reports sent to Sentry
- Access to production systems restricted to authorised personnel only
No system is completely secure. If you become aware of a security vulnerability, please report it to us at techadmin@fantasyrivals.app.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App or by other reasonable means. The "Last updated" date at the top of this page will always reflect the most recent revision.
Your continued use of Fantasy Rivals after changes are posted constitutes your acceptance of the updated policy. If you disagree with any changes, you should stop using the App and delete your account.
13. Contact Us
Fantasy Rivals is operated by Teny Riak Teny, a sole proprietor based in the United Kingdom. For the purposes of UK data protection law (the UK General Data Protection Regulation and the Data Protection Act 2018), Teny Riak Teny is the data controller.
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your data, please contact:
Teny Riak Teny (Data Controller) Email: support@fantasyrivals.app Website: fantasyrivals.app
You can also contact the ICO if you have concerns about our data practices:
- Website: ico.org.uk
- Helpline: 0303 123 1113