Privacy Policy
Last updated: February 2026 (Version 2026-02-v1)
1. Data Controller
SmartPlay is operated by the SmartPlay team. It is an independent analytics tool for Fantasy Premier League managers.
Contact for Privacy Matters:
Email: [email protected]
2. Information We Collect
2.1 Information You Provide
| Data Type | Purpose | Legal Basis |
|---|---|---|
| FPL Team ID (numeric) | Fetch your team data for analysis | Legitimate Interest (Art. 6(1)(f)) |
| Feedback (ratings 1-5, comments) | Service improvement | Consent (Art. 6(1)(a)) |
2.2 Information Collected Automatically (with consent)
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Analytics identifiers (Google Analytics, PostHog) | Website analytics | Consent (Art. 6(1)(a)) |
| IP address (anonymised, first 3 octets) | Analytics, fraud prevention | Consent (Art. 6(1)(a)) |
| Browser/device information | Site compatibility | Consent (Art. 6(1)(a)) |
| Page views, session duration | Usage analytics | Consent (Art. 6(1)(a)) |
3. Cookies and Similar Technologies
We use cookies and localStorage to provide functionality and analytics. You can manage your preferences at any time using the "Cookie Settings" link in the footer.
3.1 Essential Cookies (Always Active)
| Name | Purpose | Duration | Provider |
|---|---|---|---|
| smartplay_cookie_consent | Stores your cookie preferences | 1 year | SmartPlay |
3.2 Analytics Cookies (Require Consent)
| Name | Purpose | Duration | Provider |
|---|---|---|---|
| _ga | Distinguishes unique users | 2 years | Google Analytics |
| _ga_* | Maintains session state | 2 years | Google Analytics |
| ph_* | Distinguishes unique users and sessions | 1 year | PostHog |
3.3 Local Storage (Require Consent)
| Key | Purpose | Duration |
|---|---|---|
| smartplay_session | Session tracking for analytics | Session |
| smartplay_user | User preferences and visit history | 2 years |
4. How We Use Your Information
- Service Delivery: To provide FPL team analysis and recommendations
- Analytics: To understand usage patterns and improve our service (with consent)
- Communication: To respond to feedback and support requests
- Security: To detect and prevent technical issues and abuse
5. Data Sharing and Third Parties
We do not sell your personal information. We share data with the following service providers:
Google LLC (Google Analytics)
- Purpose: Website analytics
- Data shared: Anonymised usage data, cookie identifiers
- Location: United States
- Legal basis: Consent
- Safeguards: EU Standard Contractual Clauses, IP anonymisation
- Privacy Policy: policies.google.com/privacy
PostHog Inc. (Product Analytics)
- Purpose: Website analytics
- Data shared: Anonymised usage data, session identifiers
- Location: United States
- Legal basis: Consent
- Safeguards: SOC 2 Type II certified, IP anonymisation, opt-out by default
- Privacy Policy: posthog.com/privacy
Vercel Inc. (Website Hosting)
- Purpose: Frontend hosting and delivery
- Data shared: Request logs, IP addresses
- Location: United States (with global CDN)
- Legal basis: Legitimate interest
- Safeguards: Standard Contractual Clauses
Railway Corp. (Backend Hosting)
- Purpose: API and database hosting
- Data shared: Team IDs, feedback data
- Location: United States
- Legal basis: Legitimate interest
- Safeguards: Encryption at rest and in transit
Fantasy Premier League API (UK)
- Purpose: Fetch publicly available FPL team data
- Data shared: FPL Team IDs only
- Location: United Kingdom
- Legal basis: Legitimate interest
- Note: Team IDs are public identifiers, not personal data
6. International Data Transfers
Your data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place:
- EU Standard Contractual Clauses (SCCs) with our service providers
- Encryption in transit (TLS/HTTPS) and at rest
- IP anonymisation for analytics data
- Data minimisation practices
You may request a copy of the safeguards by contacting us.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| FPL team data cache | 5 minutes (then deleted) |
| Analytics cookies (Google Analytics, PostHog) | Up to 2 years |
| Session data | Until browser closes |
| User preferences | 2 years or until withdrawal |
| Feedback submissions | 3 years |
| Consent records | 3 years after withdrawal (legal requirement) |
8. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
Right of Access (Article 15)
Request a copy of all personal data we hold about you. Email us with subject line "Data Access Request" and we will respond within 30 days.
Right to Rectification (Article 16)
Request correction of inaccurate personal data.
Right to Erasure (Article 17)
Request deletion of your personal data. Email us with subject line "Data Deletion Request".
Right to Restrict Processing (Article 18)
Request that we limit how we use your data.
Right to Data Portability (Article 20)
Request your data in a machine-readable format (JSON).
Right to Object (Article 21)
Object to processing based on legitimate interest.
Right to Withdraw Consent (Article 7(3))
Withdraw your consent at any time by clicking "Cookie Settings" in the footer or emailing us. Withdrawal does not affect the lawfulness of processing before withdrawal.
Response Time: We will respond to all requests within 30 days. This may be extended by 60 days for complex requests.
Cost: Free of charge, unless manifestly unfounded or excessive.
9. Right to Lodge a Complaint
If you believe we have not handled your data correctly, you have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner's Office (ICO)
Website: ico.org.uk | Phone: 0303 123 1113 - EU: Your local Data Protection Authority
Find your authority: edpb.europa.eu
10. Automated Decision-Making
Our service uses machine learning algorithms to generate transfer recommendations and captain suggestions. These are advisory only and are not legally binding decisions. You are free to follow or ignore any recommendations. The algorithms do not make decisions that produce legal effects or significantly affect you.
11. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or for legal compliance. Significant changes will be notified via a banner on the website. We encourage you to review this policy periodically. The version number at the top indicates the current version.
13. Contact Us
For any privacy-related questions or to exercise your rights:
Email: [email protected]
Subject Line Guidelines:
- "Data Access Request" — For a copy of your data
- "Data Deletion Request" — To delete your data
- "Privacy Question" — For general enquiries