Privacy Policy

This policy explains what personal data we collect, why we collect it, how we use it, and your rights.

1. Data Controller

Last Man Leagues ("we", "us", "our") is the data controller responsible for your personal data. If you have any questions about this policy or wish to exercise your data rights, you can contact us here.

We do not currently have a designated Data Protection Officer (DPO) as we do not meet the thresholds under Art. 37 GDPR that would require one. All data protection enquiries are handled directly by the controller.

2. Personal Data We Collect

We collect personal data that you provide directly and data generated automatically through your use of the Platform:

  • Account information: email address, display name, and optionally a profile avatar.
  • Authentication data: login credentials and session tokens managed securely via Supabase.
  • Game activity: team picks, pick history, game membership, round progress, and player status.
  • Technical data: IP address, browser type, device type, and operating system - collected automatically via server logs.
  • Communications: name, email address, and message content submitted via our contact form.
  • Notification data: in-app notification records including title, message, type, and read status, retained per your account.
  • Push subscription data: if you grant notification permission, your browser's push subscription endpoint and encryption keys are stored to enable device notifications. No notification content is stored in the subscription itself.
  • Email engagement data: our transactional emails contain a 1×1 tracking pixel and tracked links. If your email client loads remote images, we record the time your email was opened. If you click a link in one of our emails, we record the time of that click. Both events are linked to the unique email record in our audit log by a random identifier - not to any external profile. You can prevent open tracking by disabling remote image loading in your email client, and you can opt out of all email communications via your Notifications page.

All personal data is collected directly from you. We do not obtain data about you from third parties, except where Supabase passes authentication data to us as part of the login process.

3. Why We Process Your Data & Our Legal Basis

We process your personal data under the following legal bases as defined in Art. 6 GDPR:

Contract (Art. 6(1)(b)) — most processing is necessary to provide the service you signed up for. This includes managing your account and login, recording your game participation (picks, results, and standings), delivering deadline reminders and game notifications, and maintaining your notification preferences.

Legitimate interests (Art. 6(1)(f)) — we process certain data where we have a legitimate interest that is not overridden by your rights and freedoms: maintaining the security and integrity of the platform; improving performance through anonymised analytics; responding to support enquiries; and tracking whether our transactional emails are delivered and read, so we can improve their quality and relevance. You have the right to object to processing carried out under this basis at any time (see Section 8).

Consent (Art. 6(1)(a)) — we send browser push notifications and optional marketing emails only where you have given explicit permission. You can withdraw consent at any time via your Notifications page or your browser settings.

We also process personal data where required to comply with a legal obligation (Art. 6(1)(c)).

4. Data Sharing & International Transfers

We do not sell your personal data. We share data only with the following categories of third-party processors who assist us in operating the Platform:

Supabase

Role: Authentication, database hosting, and storage

Location: Ireland (EU)

Safeguard: Data stored within the EEA - no international transfer mechanism required

Netlify, Inc.

Role: Platform hosting and deployment

Location: United States

Safeguard: Standard Contractual Clauses (SCCs) - EU Commission Decision 2021/914

PostHog, Inc.

Role: Product analytics - anonymised usage patterns and page interaction data

Location: European Union

Safeguard: Data stored within the EEA - no international transfer mechanism required

Browser push services (e.g. Google FCM, Mozilla Push, Apple APNS)

Role: Delivery of Web Push notifications to your device - only if you have granted notification permission

Location: United States / varies by browser vendor

Safeguard: Standard Contractual Clauses (SCCs) or other applicable GDPR transfer mechanisms provided by each vendor. Notification payloads are encrypted end-to-end; the push service sees only routing metadata.

All third-party processors are bound by Data Processing Agreements (DPAs) that require them to process your data only on our instructions and in compliance with GDPR. We may also disclose personal data where required by law, court order, or to protect the rights or safety of our users.

5. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, in line with Art. 5(1)(e) GDPR:

  • Account and profile data: retained for the duration of your account, plus up to 12 months after deletion to handle any outstanding disputes or legal claims.
  • Game activity and picks: retained for the duration of the relevant game season, then anonymised for statistical purposes.
  • Technical/log data: retained for security and debugging purposes. Personal identifiers in server logs are anonymised when your account is permanently deleted.
  • Authentication tokens: managed and expired by Supabase per their session policies.
  • In-app notifications: retained while your account is active and removed when your account is closed.
  • Push subscriptions: retained until you revoke notification permission in your browser, delete your account, or a delivery failure indicates the subscription is no longer valid (in which case it is deleted immediately).
  • Email engagement data (open and click timestamps): retained as part of the email audit log for the duration of your account and permanently deleted when your account is closed.

Upon account deletion, we will action your request within 30 days. Anonymised, aggregated data (from which you cannot be identified) may be retained indefinitely.

How account closure works: When you delete your account, your login access is revoked immediately. Your email address is retained for up to 30 days for security and compliance purposes, after which it is permanently anonymised. Your game participation records (picks, standings, round history) are retained in anonymised form to preserve the integrity of competitions you participated in for other players.

6. Automated Decision-Making & Profiling

We do not carry out automated decision-making or profiling as defined under Art. 22 GDPR that produces legal or similarly significant effects on you. Game results (win/loss/elimination) are determined automatically by the outcome of real-world football matches, not by any assessment of you as an individual.

7. Children's Data

The Platform is intended for users aged 18 and over. If you believe a child has provided us with personal data without appropriate consent, please contact us immediately and we will delete it without undue delay.

8. Your Rights

Under the EU GDPR (Articles 15–22), you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data where there is no compelling reason to continue processing it.
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests. We must stop unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Withdraw any consent you have given at any time, without affecting the lawfulness of prior processing.
  • Rights related to automated decisions (Art. 22): Not to be subject to solely automated decisions that produce significant effects on you. As noted above, we do not carry out such processing.

To exercise any of these rights, please contact us. We will respond within one calendar month, as required by Art. 12 GDPR. We may need to verify your identity before actioning a request.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe we have not handled your personal data in accordance with applicable law. We would appreciate the opportunity to address your concerns before you contact a regulator - please contact us first.

  • Ireland: Data Protection Commission (DPC) - dataprotection.ie
  • Other EU member states: Your local national data protection authority. A full list of EU supervisory authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en

10. Security

We implement appropriate technical and organisational measures as required by Art. 32 GDPR to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These include encrypted connections (HTTPS), access controls, and authentication managed via Supabase. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, and notify the relevant supervisory authority within 72 hours, as required by Arts. 33–34 GDPR.

The Platform operates as a Progressive Web App (PWA) and registers a service worker on your device. The service worker enables offline capability and delivery of push notifications. It does not store personal data locally beyond what is technically necessary for these functions. Push notification payloads are encrypted in transit using the Web Push Protocol (RFC 8030) and can only be decrypted on your device.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Where changes are material, we will notify you via the Platform or by email before they take effect. The date at the bottom of this page reflects the most recent update.

Last updated: April 2026