Privacy Policy

This Policy applies to personal information processed by BaseballFantasy in connection with your use of the Service, including the website at baseballfantasy.com, our mobile apps, our APIs, and any other product, feature, or experience we operate that links to this Policy.

This Policy does not cover information that you provide to, or that is collected by, any third party (such as advertising partners, social networks, payment processors, or data providers) that we link to or integrate with. The use of any such third party's services is governed by that third party's own terms and privacy policy.

We collect personal information in three ways: (i) information you give us, (ii) information we collect automatically as you use the Service, and (iii) information we receive from third parties.

We use the information we collect to:

• Provide, operate, and maintain the Service — including account creation, contest scoring, leaderboards, lineup saving, and credit balance management.
• Authenticate you and protect your account against unauthorized access.
• Process payments, refunds, and credit-balance adjustments.
• Verify your age, identity, and jurisdictional eligibility where required.
• Detect, investigate, and prevent fraud, multi-accounting, collusion, bot activity, and other behavior that violates our Terms.
• Communicate with you about your account, transactions, contests you have entered, security alerts, and service-related notices.
• Send you marketing and promotional messages, subject to your communication preferences and applicable law (you can opt out at any time).
• Personalize your experience — recommended contests, leagues, players, and homepage layout.
• Measure, analyze, and improve the Service — A/B testing, feature performance, error monitoring, and aggregate usage analytics.
• Comply with legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Service.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information on one or more of the following legal bases under the General Data Protection Regulation (GDPR) and equivalent local law:

• Contract. Processing necessary to perform our agreement with you — for example, running contests you have entered, processing your credit purchases, and providing your account.
• Legitimate interests. Processing necessary for our legitimate interests, balanced against your rights — for example, securing the Service against fraud, improving our product, and direct marketing to existing users.
• Consent. Where we ask for your consent (e.g., marketing email opt-in, optional cookies, precise location). You may withdraw consent at any time.
• Legal obligation. Processing necessary to comply with applicable law — for example, tax reporting, anti-money-laundering checks, and responding to lawful requests from authorities.
• Vital interests / public interest. In rare cases where processing is necessary to protect someone's life or for reasons of substantial public interest.

We do not sell your personal information for monetary consideration. We share personal information only in the following circumstances:

• Service providers. We share information with third-party vendors that perform services on our behalf — cloud hosting, payment processing, fraud detection, identity verification, customer support tooling, analytics, error monitoring, transactional email delivery, and similar functions. These providers act on our instructions and are bound by contract to confidentiality and security obligations.
• Other users. Your username, avatar, public display name, lineups in completed contests, leaderboard rank, and contest history may be visible to other users.
• Legal and safety. We may disclose information if required to comply with law, regulation, subpoena, or other legal process; to enforce our Terms; to protect our rights, property, or safety, or that of our users or third parties; or to investigate suspected fraud or wrongdoing.
• Business transfers. If we are involved in a merger, acquisition, reorganization, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you (e.g., by email and/or notice on the Service) before your information becomes subject to a different privacy policy.
• With your consent or at your direction. For any purpose disclosed to you at the time of collection, or with your specific consent.
• Aggregated or de-identified data. We may share aggregated, de-identified, or anonymized data — which cannot reasonably be used to identify you — for any purpose, including research, marketing, or analytics.

We retain personal information for as long as needed to provide the Service, comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the type of information and the purpose for which it was collected.

• Account information is retained for the lifetime of your account and for a limited period after deletion (typically 30–90 days) to allow for account recovery and fraud investigations.
• Transaction records are retained for at least 7 years to comply with tax and anti-money-laundering requirements.
• Contest history and lineups associated with closed contests are retained for at least 3 years to enable dispute resolution and integrity audits.
• Marketing preferences are retained for as long as you have an account or until you opt out.
• Server logs containing IP address and similar diagnostics are typically retained for up to 90 days.

Where we are required to delete information sooner — for example, pursuant to a valid request to exercise your rights — we will do so promptly, subject to limited exceptions described below.

We implement administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include encryption of data in transit, encryption of passwords at rest, network firewalling, least-privilege access controls, regular security reviews, and intrusion monitoring.

However, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for notifying us promptly of any suspected unauthorized access.

BaseballFantasy is operated from the United States and may use service providers located in other countries. Your personal information may be transferred to, stored in, and processed in countries other than the country in which you reside, including the United States, where data protection laws may differ from those in your country.

Where we transfer personal data from the European Economic Area, United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards — typically the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement, or equivalent mechanisms — to ensure your data receives an essentially equivalent level of protection.

Depending on where you live, you may have one or more of the following rights regarding your personal information:

• Access. You can request a copy of the personal information we hold about you.
• Correction. You can request that we correct inaccurate or incomplete information.
• Deletion. You can request that we delete your personal information, subject to certain legal exceptions (e.g., we may need to retain records for tax or anti-fraud purposes).
• Portability. You can request a machine-readable copy of certain information you provided to us.
• Restriction and objection. You can ask us to restrict or object to certain uses of your information, including direct marketing and processing based on legitimate interests.
• Withdraw consent. Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
• Opt out of sale or sharing. California, Colorado, Connecticut, Virginia, and other US state residents can opt out of any "sale" or "sharing" of personal information as defined by their law. We do not sell or share personal information for cross-context behavioral advertising.
• Non-discrimination. We will not discriminate against you for exercising your rights.
• Lodge a complaint. If you are in the EEA/UK and believe our processing is unlawful, you can complain to your local supervisory authority.

To exercise any of these rights, please email privacy@baseballfantasy.com or use the in-product controls available in your Account Settings. We will respond within the time frame required by applicable law (typically 30–45 days). We may need to verify your identity before fulfilling your request.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), provides additional rights. In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2 above for the business and commercial purposes described in Section 3.

• Categories collected: identifiers, customer records, commercial information (transactions), internet/network activity, geolocation (approximate), inferences, professional/employment-related information (if you apply for a job), and protected classifications (date of birth for age verification).
• Sources: directly from you, automatically from your devices, and from third-party service providers as described above.
• Sale or sharing of personal information: We do not sell or share personal information as defined by the CCPA, including for the purposes of cross-context behavioral advertising. We do not knowingly sell or share personal information of minors under 16.
• Sensitive personal information: We use sensitive personal information (such as government ID for verification, and account credentials) only for the limited purposes described in Section 3 and as permitted by Cal. Civ. Code § 1798.121.

To submit a verifiable consumer request, email privacy@baseballfantasy.com. You may designate an authorized agent to make requests on your behalf.

The Service is intended for users who are at least 18 years old (or 21 in jurisdictions that require a higher age for paid fantasy contests). We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will promptly delete that information.

If you believe a child under 13 may have provided us with personal information, please contact us at privacy@baseballfantasy.com.

The Service may contain links to or embeds from third-party websites, products, or services that we do not own or control. This Policy does not apply to information that you provide to, or that is collected by, those third parties. We are not responsible for the privacy practices of any third party, and we encourage you to read each third party's privacy policy before using their services.

The Service does not currently respond to "Do Not Track" browser signals. We do, however, honor recognized Global Privacy Control (GPC) signals in jurisdictions where required by law, treating them as an opt- out of any "sale" or "sharing" of personal information.

We may update this Policy from time to time. If we make material changes, we will notify you by email (sent to the address associated with your account) or by means of a prominent notice on the Service prior to the change becoming effective, and we will update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.

If you have questions, comments, or requests regarding this Privacy Policy or our handling of your personal information, please contact:

BaseballFantasy — Privacy Team
Email: privacy@baseballfantasy.com
General legal: legal@baseballfantasy.com

If you are an EEA/UK user and prefer to contact our designated Data Protection representative, please use the same email addresses above and indicate "GDPR / DPO request" in the subject line.