Privacy Policy
Contents
- Who We Are & Scope
- Information We Collect
- How We Use Information
- Legal Bases for Processing (GDPR)
- Sharing & Disclosure
- Third-Party Services
- No Sale or Sharing of Personal Information
- Data Retention
- Security
- Your Privacy Rights
- U.S. State Privacy Law Applicability
- International Privacy Rights (EU/UK, Israel, Russia, Canada, Brazil)
- How to Submit a Privacy Request
- International Data Transfers
- Children’s Privacy
- Do Not Track & Global Privacy Control
- Changes to This Policy
- Contact Us
- Trademarks & Attributions
1. Who We Are & Scope
The Service is operated by the commissioners of the yoy Sports Federation:
- Gabriel Shatunovsky
- Daniel Ogden
- Dylan Ferrante
ySF is a privately organized, closed-membership dynasty fantasy sports league consisting of twelve team owners. The Service is a private dashboard built for those members. It is not a public platform and does not solicit accounts from the general public.
Data Controller (GDPR). The commissioners listed above act jointly as the “data controller” for personal information processed through the Service. Contact: commission@ysffantasy.com.
Business (CCPA/CPRA). For purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act, ySF is a “business.”
2. Information We Collect
2.1 Account Information (provided when an account is created)
- Username (chosen by you or assigned by the commission)
- Display name and optional preferred name
- A cryptographic hash of your password (bcrypt; we never store your actual password)
- Email address (optional; used for league notifications)
- Phone number (optional; used for commission contact)
- Assigned team identifier within the league
- Role (commission member or team owner)
- Time zone and timestamp of last login (for display purposes)
2.2 OAuth Linked Accounts (optional)
If you choose to link a Google or Apple account for sign-in, we store:
- The provider name (“google” or “apple”)
- The provider-specific user identifier (an opaque string — not your Google/Apple password)
- The email address associated with that provider (for display only; Apple may substitute a private relay address, which we honor)
We do not receive or store your Google or Apple password. OAuth links can be removed at any time from your profile page.
2.3 Push Notification Tokens (iOS App only)
If you grant notification permission in the App, Apple generates a device token that we store for the sole purpose of delivering push notifications about trades, proposals, memos, and other league events. You can revoke notification permission at any time in iOS Settings or by signing out. When you sign out, the token is deleted from our servers.
2.4 League Activity Data (generated by use of the Service)
- Trades you submit, accept, reject, or rescind
- Proposals you author and votes you cast
- Commission memos you author (commissioners only)
- Other governance actions within the league
This data is necessary for the functioning of the league and is visible to other authenticated league members.
2.5 Fantasy Sports Data (pulled from Fantrax)
Rosters, standings, matchup scores, playoff brackets, and player statistics are retrieved from the Fantrax fantasy sports platform via its API. This data reflects public factual information about the league’s fantasy performance on Fantrax and is not personally identifying beyond the league context.
2.6 Server Logs
Our web servers automatically log standard request metadata (IP address, user-agent, timestamp, requested URL, HTTP status) for security and operational troubleshooting. These logs are retained for a short period (typically 30–90 days) and are not used for advertising, tracking, or profiling.
2.7 What We Do NOT Collect
- We do not use analytics SDKs (no Google Analytics, no Firebase Analytics, no Segment, etc.).
- We do not use advertising identifiers (IDFA, AAID) or cross-app tracking.
- We do not collect precise or approximate location data.
- We do not access your contacts, photos, microphone, camera, calendar, or other device sensors.
- We do not use cookies for tracking. The Website uses only essential session cookies for authentication on the member portal.
- We do not sell, rent, or share your personal information with advertisers, data brokers, or any third party for advertising or profiling purposes.
3. How We Use Information
We use the information described above strictly for the following purposes:
- Authentication — to verify your identity when you sign in
- League operation — to associate your actions (trades, votes, memos) with your team and display them to the twelve league members
- Communication — to send email notifications about trades, proposals, and memos (if you have opted in via your profile)
- Push notifications — to notify you of league events on your iOS device (if you granted permission)
- Display — to show your display name and team logo to other authenticated league members
- Security & integrity — to detect, prevent, and respond to abuse, fraud, unauthorized access, or technical issues
- Legal compliance — to comply with applicable law, legal process, or enforceable governmental requests
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the General Data Protection Regulation:
- Contract (Art. 6(1)(b)). Processing is necessary to provide the Service you have requested — including authentication, displaying league data to you, and recording your trades, votes, and memos.
- Consent (Art. 6(1)(a)). Email notifications, push notifications, and OAuth linking are processed on the basis of your consent, which you may withdraw at any time.
- Legitimate Interests (Art. 6(1)(f)). Operating, maintaining, and securing the Service; preserving the permanent historical record of the league; preventing abuse. We have determined these interests are not overridden by your rights and freedoms given the closed, consensual nature of the league membership.
- Legal Obligation (Art. 6(1)(c)). Where necessary to comply with applicable laws and legal process.
5. Sharing & Disclosure
We share personal information only in the following limited circumstances:
- Within the league. Your display name, team assignment, trade history, voting record, and memo authorship are visible to other authenticated league members through the Service.
- Service providers. With the third-party service providers identified in Section 6, strictly to deliver the Service.
- Legal process. When required by subpoena, court order, or other legally binding request, or to protect the rights, property, or safety of the Service, its members, or the public.
- Business transfer. If control of the Service is transferred (e.g., to a successor commission), personal information may be transferred as part of that transition. You will be notified of any such change.
We do not disclose personal information to advertisers, data brokers, or any party for advertising or profiling purposes.
6. Third-Party Services
The Service integrates with the following third parties. Each operates under its own privacy policy.
- Apple Push Notification Service (APNs). Delivers push notifications to your iOS device. See Apple Privacy Policy.
- Sign in with Apple. Optional authentication method. Apple may substitute a private relay email, which we honor.
- Sign in with Google. Optional authentication method. See Google Privacy Policy.
- Fantrax (Fantrax, LLC). Provides league rosters, standings, matchup data via its API. See Fantrax Privacy Policy.
- Gmail SMTP (Google LLC). Used to send transactional league notification emails.
- Cloudflare, Inc. Provides DNS resolution and edge caching for the Website. See Cloudflare Privacy Policy.
- DigitalOcean, LLC. Hosts the Service’s servers in the United States. See DigitalOcean Privacy Policy.
- Telegram Messenger, Inc. Optional channel for commissioner notifications. See Telegram Privacy Policy.
7. No Sale or Sharing of Personal Information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising or “targeted advertising” as those terms are defined under:
- California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
- Florida Digital Bill of Rights (FDBR)
- Texas Data Privacy and Security Act (TDPSA)
- Oregon Consumer Privacy Act (OCPA)
- Any other comparable U.S. state privacy law
We have not sold or shared personal information in the preceding twelve (12) months and we do not use personal information for “profiling” that produces legal or similarly significant effects.
8. Data Retention
We retain information only as long as necessary for the purposes described in this policy:
- Account information — retained for as long as you remain a member of the federation.
- Contact information (email, phone) — deleted upon departure from the league at your request.
- League activity records (trades, votes, memos, historical standings) — retained indefinitely as part of the permanent historical record of the league. These are considered historical facts of league governance and will remain in the archive to preserve the integrity of the league’s history even after you leave.
- Push notification tokens — deleted when you sign out of the App or when Apple reports the token as invalid.
- OAuth links — deleted when you unlink the provider.
- Server logs — retained 30–90 days, then rotated out.
9. Security
We implement reasonable technical and organizational measures to protect personal information:
- Passwords are hashed with bcrypt; plaintext passwords are never stored or logged.
- All communication between your device and our servers uses HTTPS with TLS 1.2 or higher.
- Session cookies are set HTTP-only and Secure with SameSite=Lax.
- OAuth id_token values are cryptographically verified against Google and Apple’s public JSON Web Key Sets (JWKS) on the server.
- API authentication uses short-lived JWT bearer tokens (7-day expiry).
- Secrets (OAuth client secrets, the Apple APNs private key) are stored outside the web root with restrictive file permissions.
- Database connections are local-only and credentialed.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
Data breach notification. If we become aware of a breach affecting your personal information, we will notify you without undue delay in accordance with applicable law (including GDPR Art. 33–34 and U.S. state breach-notification statutes).
10. Your Privacy Rights (General)
Subject to applicable law, you may at any time:
- Edit your profile information from the portal Profile page
- Change your password
- Link or unlink OAuth providers (Google, Apple)
- Disable email notifications in your profile
- Disable push notifications in iOS Settings
- Request access to, correction of, or deletion of your personal information by contacting the commission (see Section 13)
11. U.S. State Privacy Law Applicability
11.1 Applicability Statement
ySF is a small, volunteer-operated fantasy sports league. We do not meet the business, revenue, or consumer-volume thresholds that trigger formal application of any U.S. state comprehensive consumer privacy law, including:
- California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) — applies to businesses with $25M+ annual revenue, 100,000+ consumers, or 50%+ revenue from selling/sharing personal information.
- Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA) — each require processing the personal data of 100,000+ consumers (or 25,000+ combined with revenue from data sales).
- Utah Consumer Privacy Act (UCPA) — $25M revenue and 100,000+ consumers.
- Texas Data Privacy and Security Act (TDPSA) — applies to entities that are not Small Business Administration (SBA) small businesses and sell sensitive personal data; ySF does neither.
- Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, and other state comprehensive privacy statutes — all impose similar 100,000/25,000 consumer thresholds that ySF does not meet.
Accordingly, none of these statutes impose obligations on ySF. We nevertheless voluntarily extend a baseline set of privacy rights to all U.S. residents, as described in Section 11.2.
11.2 Voluntary Rights for U.S. Residents
Regardless of your state of residence and regardless of whether any state privacy law technically applies to us, ySF will honor the following requests from any U.S. resident who can verify their identity (see Section 13):
- Access — a copy of the personal information we hold about you.
- Correction — rectification of inaccurate personal information.
- Deletion — removal of your personal information, subject to narrow exceptions (preservation of league historical records, legal hold, security logs).
- Portability — a structured, machine-readable copy of the information you provided directly.
- Opt-out of sale or sharing — not implicated because we do not sell or share personal information as those terms are defined under any U.S. state privacy law.
- Non-discrimination — exercising any right above will not result in denied service, altered pricing, or degraded service quality.
- Authorized agent — you may designate a representative to submit a request on your behalf; we may require verification of both your and your agent’s identity.
We will respond within 45 days of receipt, subject to a single 45-day extension with notice if reasonably necessary. Responses are free of charge. If we decline a request we will explain why and, where applicable, how to appeal.
11.3 California “Shine the Light” & Minor Content Removal
Two California statutes apply to websites regardless of business-size thresholds and are therefore honored by ySF:
- California Civil Code § 1798.83 (“Shine the Light”). California residents may request a notice disclosing which categories of personal information we shared with third parties for their direct marketing purposes in the preceding calendar year. We do not share personal information for third-party direct marketing.
- California Business & Professions Code § 22581 (Minor Content Removal). California residents under 18 may request removal of content they publicly posted to the Service. Submit such requests per Section 13 below.
11.4 Breach Notification
If personal information we maintain is subject to unauthorized access that triggers a notification obligation under the breach notification statute of any U.S. state or jurisdiction in which an affected individual resides, we will provide notice consistent with that statute’s requirements and timing (typically the most expeditious time possible and without unreasonable delay).
12. International Privacy Rights
12.1 European Union / United Kingdom / Switzerland (GDPR & UK GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR (and UK GDPR for UK residents):
- Access — obtain confirmation of whether your personal data is processed and a copy of that data
- Rectification — correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — subject to legal exceptions including preservation of the league’s historical record
- Restriction of processing — in certain circumstances
- Data portability — receive data you provided in a structured, machine-readable format
- Object to processing — including processing based on our legitimate interests
- Withdraw consent — at any time, where processing is based on consent, without affecting the lawfulness of prior processing
- Lodge a complaint with your national supervisory authority (e.g., the UK ICO, the Irish DPC, or your local Data Protection Authority)
We will respond within one (1) month, extendable by two (2) further months where necessary, as provided under GDPR Art. 12(3). We do not engage in solely automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22).
12.2 Israel (Protection of Privacy Law, 5741-1981)
If you are an Israeli resident, you have rights under the Protection of Privacy Law, 5741-1981 (“PPL”), as substantially amended by Amendment No. 13 (effective August 14, 2025), and the Protection of Privacy Regulations (Data Security), 5777-2017. These include:
- Access (PPL § 13) — request information held about you in a database.
- Correction or deletion (PPL § 14 and § 14A) — amend inaccurate data or, where the 2024/2025 amendments apply, request deletion.
- Opt out of direct mailing (PPL § 17F) — ySF does not send direct marketing.
- Complaint — lodge a complaint with the Israeli Privacy Protection Authority (Rashut Haganat HaPratiyut) at gov.il/en/departments/the_privacy_protection_authority.
Submit access, correction, or deletion requests under Section 13.
12.3 Russia (Federal Law No. 152-FZ)
ySF does not target users in the Russian Federation, does not localize personal data in Russia as contemplated by Article 18(5) of Federal Law No. 152-FZ “On Personal Data,” and collects only the data voluntarily provided by users who choose to register. To the extent a Russian resident’s personal data is nevertheless processed by us, we honor the following rights under Law 152-FZ:
- Information about processing (Art. 14) — confirmation that your personal data is processed, the purposes, and the categories processed.
- Access, correction, blocking, or destruction (Art. 14 & 21) — of inaccurate, incomplete, or unlawfully processed data.
- Withdrawal of consent (Art. 9) — where processing is based on consent.
- Complaint — lodge a complaint with Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media) at rkn.gov.ru, or seek judicial remedy.
12.4 Canada (PIPEDA & Quebec Law 25)
If you are located in Canada, you have rights under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, if you reside in Quebec, under the Act respecting the protection of personal information in the private sector, as amended by Law 25. These include:
- Access to personal information held about you and information about how it has been used and to whom it has been disclosed.
- Correction of inaccurate or incomplete information.
- Withdrawal of consent at any time, subject to legal or contractual restrictions and reasonable notice.
- Portability (Quebec residents, under Law 25) — receive computerized personal information you provided in a structured, commonly used technological format.
- Complaint — contact the Office of the Privacy Commissioner of Canada at priv.gc.ca, or, for Quebec residents, the Commission d’accès à l’information at cai.gouv.qc.ca.
12.5 Brazil (LGPD)
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018, “LGPD”). These include:
- Confirmation and access (Art. 18, I & II) to your personal data.
- Correction (Art. 18, III) of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion (Art. 18, IV) of unnecessary, excessive, or unlawfully processed data.
- Portability (Art. 18, V) to another service or product provider.
- Deletion of personal data processed with your consent (Art. 18, VI), subject to legal preservation exceptions.
- Information about public and private entities with which we shared your data (Art. 18, VII).
- Revocation of consent (Art. 18, IX) at any time.
- Complaint — contact the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
13. How to Submit a Privacy Request
To exercise any of the rights described above:
- Send an email to commission@ysffantasy.com with the subject line “Privacy Request”
- Include your username (or the email address associated with your account) and describe the right you are exercising
- We may ask you to verify your identity (for example, by signing in and confirming from your account) before acting on the request to prevent unauthorized disclosure
We will respond within 45 days (or sooner where required by applicable law). Responses are provided free of charge. If we deny a request, we will explain the reason and, where applicable, provide instructions for appeal.
14. International Data Transfers
Our servers are located in the United States (DigitalOcean, NYC region). If you access the Service from outside the United States, your information will be transferred to, processed in, and stored in the United States. The United States may not provide the same level of data protection as your country of residence.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms, where applicable.
15. Children’s Privacy
The Service is intended for use by members of the yoy Sports Federation who are at least 16 years of age. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided us with personal information, please contact us and we will delete it.
For U.S. users: The Service is not directed to children under 13 and we comply with the Children’s Online Privacy Protection Act (COPPA). For EU users: The Service is not directed to children under 16, in line with GDPR Art. 8.
16. Do Not Track & Global Privacy Control
The Service does not use behavioral advertising or cross-context tracking. Because we do not track users across websites or services, browser “Do Not Track” signals and “Global Privacy Control” (GPC) signals have no additional effect on our practices — your information is not sold or shared regardless of these signals.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to the Service, legal requirements, or our practices. When we do, we will update the “Last Updated” date at the top of this page. Material changes will be announced to league members through the portal and/or via email. Your continued use of the Service after a change becomes effective constitutes acceptance of the revised Privacy Policy.
18. Contact Us
For privacy questions, to exercise your rights, or to submit an appeal:
- Email: commission@ysffantasy.com
- Postal mail: Contact the commission via email to obtain a current mailing address.
19. Trademarks & Attributions
19.1 Third-Party Trademarks — General
The Service is a privately operated fantasy sports league dashboard and is not affiliated with, endorsed by, sponsored by, or in any way officially connected to:
- The National Football League (NFL), its teams, or its affiliates
- The National Basketball Association (NBA), its teams, or its affiliates
- The National Hockey League (NHL), its teams, or its affiliates
- Major League Baseball (MLB), its teams, or its affiliates
- Fantrax, LLC, or its affiliates
- Apple Inc., Google LLC, or any other third-party service provider referenced herein
All professional sports league names, team names, team logos, player names, player images, statistics, and related marks are the property of their respective owners. Their use within the Service is limited to:
- Identifying real-world athletes drafted and rostered within this private fantasy league
- Displaying publicly available factual statistics about those athletes
- Referencing the official league associated with each fantasy league (e.g., the NBA season the ySFBA fantasy league follows)
This use constitutes nominative fair use under United States trademark law. No commercial exploitation of these marks is intended or implied. No merchandise is sold. No advertising is served. Access to the member-only portions of the Service is restricted to the twelve registered league owners and the commission.
19.2 Apple Trademarks
Apple, the Apple logo, iPhone, iPad, App Store, TestFlight, and “Sign in with Apple” are trademarks of Apple Inc., registered in the U.S. and other countries and regions. These marks are used in accordance with Apple’s brand guidelines solely to identify Apple services and hardware compatible with the Service.
19.3 Google Trademarks
Google, the Google logo, and “Sign in with Google” are trademarks of Google LLC. These marks are used in accordance with Google’s brand guidelines solely to identify Google services integrated into the Service.
19.4 Fonts
- Palatino — self-hosted under existing license
- Shuttleblock — licensed via Adobe Fonts (Typekit)
- JetBrains Mono — SIL Open Font License, via Google Fonts
- Inter — SIL Open Font License, via Google Fonts
19.5 Original Content
The ySF logo, team logos, team branding, constitution text, the ySFPR Power Rankings methodology, the application source code, the visual design of the Website and iOS App, and all other original creative content are © 2025–2026 Gabriel Shatunovsky, Daniel Ogden, and Dylan Ferrante. All rights reserved.
19.6 Data Attribution
Rosters, standings, matchup scores, player statistics, and transaction records are sourced from the Fantrax fantasy sports platform via its public API. We do not claim ownership over any of this factual data.
19.7 Limitation of Liability
The Service is provided “as is” and “as available” without warranty of any kind, express or implied, including without limitation warranties of merchantability, fitness for a particular purpose, or non-infringement. To the maximum extent permitted by law, the Service operators shall not be liable for any direct, indirect, incidental, consequential, special, or punitive damages arising out of or in connection with the use of, or inability to use, the Service, nor for any errors, omissions, or inaccuracies in displayed content, nor for any actions taken in reliance thereon.
Nothing in this section limits any liability that cannot be limited under applicable law (e.g., liability for fraud, gross negligence, or death or personal injury caused by negligence).