Privacy Policy

This policy explains what Fantasy Heartbeat collects, why, who we share it with, and the rights you have over your data.

Last updated: June 26, 2026

Questions? Contact support@fantasyheartbeat.com.

1. Who we are

Fantasy Heartbeat ("we," "us," "our") is a fantasy football intelligence service covering dynasty, redraft, and guillotine formats. We connect to your fantasy leagues to show you rankings, player intelligence, trade analysis, and waiver/survival recommendations. This policy covers the Fantasy Heartbeat website and app. For any privacy question, contact support@fantasyheartbeat.com or use our contact form.

2. What we collect

We collect only what we need to run the service:

  • Account information. Your email address and an internal account identifier. You can sign in with Google, with an email and password, or with an emailed magic link. If you choose Google sign-in, we receive your basic Google profile (email address, name, and avatar) to create your account — we never receive your Google password.
  • League connections. The platform you connect (Sleeper, FleaFlicker, Yahoo, or ESPN), the league ID(s) you provide, and the league, roster, and transaction data we sync from those platforms to power your views. For platforms that require authorization (such as Yahoo OAuth tokens or ESPN connection tokens), those authorization tokens are stored AES-256 encrypted at rest and are used only to read your league on your behalf. We never ask for or store your password for a connected platform.
  • Subscription & billing data. If you subscribe to Pro, payment is handled by Stripe. We never see or store your full card number — we store only your Stripe customer and subscription identifiers, plan, status, and billing-period dates.
  • Support messages. If you contact us, we keep your message and the email address you use so we can reply and maintain a support history.
  • Email updates (optional). If you sign up for our free email updates, we store your email address and signup source. We use double opt-in and you can unsubscribe at any time.
  • Usage & diagnostics. Which pages and features you use (for example, connecting a league or running a trade analysis). When you are signed in, these product events are linked to your account so we can measure active usage; the event details are limited to a fixed safe allowlist and never include your personal content. We also keep short-lived counters to enforce rate limits and prevent abuse, plus error telemetry that helps us fix bugs. Error reports are stripped of personal data before they leave our servers (see Section 4).
  • Technical data. Standard request metadata such as IP address, device, and browser type, collected by our hosting provider when you load the site.

We do not sell or share your personal information (as "sell" and "share" are defined under the California CCPA/CPRA), and we do not run third-party advertising networks on the service.

3. How we use your data

  • To connect your leagues and show your rosters, rankings, and intel.
  • To generate AI-assisted player intelligence and recommendations (see Section 4).
  • To process subscriptions, billing, and cancellations via Stripe.
  • To send transactional email (sign-in links, support replies).
  • To monitor reliability and security, debug errors, and prevent abuse.
  • To comply with legal obligations.

4. AI processing of fantasy data

AI-generated player intelligence is a core feature. We use the Anthropic (Claude) and OpenAI APIs in two ways:

  • Player intelligence. We generate outlooks and analysis from publicly available NFL data (player stats, news, depth charts). This processing is about NFL players, not about you, and does not include your personal information.
  • Support replies. When you message support, the text of your message may be sent to the Anthropic API to draft a suggested reply. A human reviews and approves every reply before it is sent — the AI cannot email you on its own.

We use these providers' business/API tiers. Under their API terms, data you submit is processed to produce the output and is not used to train their models by default.

5. Service providers (sub-processors)

We rely on the third-party processors below to operate Fantasy Heartbeat. Each receives only the data needed for its function:

Provider | Purpose | Data it handles
Supabase | Database, authentication, and encrypted token storage | Your email and account ID, league connections and synced league/roster data, encrypted third-party authorization tokens, subscription records, support messages and our drafted replies, and saved intel.
Stripe | Payment processing for Pro subscriptions | Your payment details (card data is collected and stored by Stripe, not by us), billing email, and subscription/customer identifiers.
Google | Optional “Sign in with Google” identity provider | Used only if you choose Google sign-in. We receive your Google email, name, and avatar to create your account; Google does not receive your activity within the service.
Vercel | Application hosting, serverless/edge functions, and CDN | Request and connection metadata inherent to serving the site, including IP address and device/browser information.
Resend | Outbound support email delivery | The recipient email address and the content of the approved support replies we send you. (Sign-in magic links are sent by Supabase Auth, not Resend.)
Sentry | Application error and performance monitoring | Error and performance events, scrubbed of personal data before sending. Only a pseudonymous internal account UUID is retained — never your email, name, IP, tokens, or request bodies.
Anthropic & OpenAI | AI-generated player intelligence and support-reply drafting | Public NFL data for intelligence; the text of your support message when drafting a reply. No payment data. See Section 4.
Telegram | Operational alerts to the site operator | Internal notifications (e.g., that a support request is awaiting review, or a pipeline health alert) and short previews. Used for our operations, not marketing.

These providers process data on our behalf under their own security and privacy commitments. Some may process data outside your country; where required, transfers rely on appropriate safeguards.

6. Cookies and sessions

We use cookies only for essential functionality. After you sign in, Supabase Auth sets secure, HTTP-only session cookies that keep you logged in across pages; when you connect a league that requires authorization (such as Yahoo), we set a short-lived state cookie to protect the connection flow against cross-site request forgery.

We do not use advertising or cross-site tracking cookies, and we do not load third-party ad or social-tracking pixels. We do not currently show a cookie-consent banner because we use only essential cookies and no ad or tracking cookies. You can clear cookies in your browser at any time, but doing so will sign you out.

7. Data retention

  • Account & league data is kept while your account is active. When you delete your account, we delete or anonymize it within a reasonable period, except where we must retain certain records by law.
  • Billing records are retained as required for tax, accounting, and legal purposes, by us and by Stripe.
  • Support correspondence is kept to maintain a history of your requests.
  • Error telemetry is retained per our monitoring provider's retention window and is already stripped of personal data.
  • Product analytics & email updates. Usage events are kept in aggregate to understand product engagement; your email-updates subscription is kept until you unsubscribe or delete your account.

8. Your rights

Depending on where you live (including under the EU/UK GDPR and the California CCPA/CPRA), you have rights over your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Export — receive your data in a portable format.
  • Correction — ask us to fix inaccurate data.
  • Deletion — delete your account and personal data yourself from Settings (Settings → Delete account), or ask us to do it. Deletion removes your account, league connections, and stored tokens, subject to legal retention requirements.
  • Disconnect & withdraw consent — remove a connected league or revoke platform authorization at any time.

We do not sell or share your personal information, so there is no "sale" or "share" to opt out of, and we will not discriminate against you for exercising any of these rights. To exercise a right, email support@fantasyheartbeat.com or use the contact form. We may need to verify your identity before acting on a request, and you may use an authorized agent where the law allows.

9. Security

We protect your data with encryption in transit, encryption at rest for sensitive credentials, scoped access controls, and a monitoring layer that removes personal data from error reports. No system is perfectly secure, but we work to limit what we collect and who can access it.

10. Children

Fantasy Heartbeat is intended for adults managing fantasy football leagues. It is not directed to children, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us personal information, contact support@fantasyheartbeat.com and we will delete it. You must be old enough to form a binding contract in your jurisdiction to purchase a subscription.

11. Changes to this policy

We may update this policy as the service evolves. We will revise the "Last updated" date above and, for material changes, provide a more prominent notice. Continued use after an update means you accept the revised policy.

12. Contact

Questions about this policy or your data? Email support@fantasyheartbeat.com or use our contact form.