FPL Dugout

Privacy Policy — FPL Dugout

Last updated: 3 June 2026


1. Who we are

FPL Dugout ("we", "us", "the service") is a personal Fantasy Premier League companion that turns your public FPL data into a season review and related insights.

  • Controller: Matthew Studdert, operating FPL Dugout as a sole trader (United Kingdom)
  • Contact for privacy questions: hi@fpldugout.com
  • ICO registration: We have completed the ICO's data-protection-fee self-assessment, which indicates a registration fee is not currently payable. We will register and pay the fee if our processing changes such that registration becomes required.

We are the controller for the personal data described below. This policy is written for UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

2. What this policy covers

This policy covers the FPL Dugout website and app at fpldugout.com. It does not cover the official Fantasy Premier League site or the Premier League — we are not affiliated with them (see our Disclaimer and Terms). When you give us an FPL team ID we read public data from the FPL API; how the Premier League / FPL handles your data on their own site is governed by their policies.

3. The personal data we collect

| Data | Examples | Where it comes from | Why we use it | Lawful basis |
|---|---|---|---|---|
| Account & login | Email address; password (stored only as a salted hash) | You, at sign-up | Create and secure your account; sign you in; send essential service emails | Contract (UK GDPR Art. 6(1)(b)) |
| FPL team ID & public FPL data | Your FPL entry/team ID and the public data the FPL API returns for it (picks, transfers, points, ranks, chips) | You provide the ID; the public FPL API provides the data | Generate and re-display your season review / report | Contract (Art. 6(1)(b)) — performing the service you asked for |
| Generated report data | The season-review snapshot we compute and the AI-written narrative ("Analyst's Read") | Derived by us from the FPL data | Provide, store and re-display your report and share link | Contract (Art. 6(1)(b)) |
| Marketing consent state | Whether you ticked the "email me" box; unsubscribe status | You (opt-in checkbox, unticked by default) | Decide whether we may send you marketing email | Consent (Art. 6(1)(a)) + PECR |
| Usage analytics | Pages viewed, aggregate performance (Web Vitals), referrer / UTM tags | Automatically, cookieless | Understand usage, improve the product, measure how people find us | Legitimate interests (Art. 6(1)(f)) |
| Technical logs | IP address, user-agent, timestamps, request metadata | Automatically | Security, abuse prevention, rate-limiting, debugging | Legitimate interests (Art. 6(1)(f)) |

Note on the FPL team ID. An FPL team is already publicly viewable by anyone who knows its ID — it is not secret. Once we link it to your account email, the combination becomes personal data and is protected as above.

Note on league reviews. When you build a review for one of your FPL mini-leagues, it shows the public FPL data for the other managers in that league — team name, manager name, points, ranks and chips, as they appear on the FPL site — plus standings and awards we work out from those public numbers, so you can share the season with your league. Everything is based on what's already public on FPL — we don't add private information about anyone — and these pages aren't indexed by search engines. If someone has reviewed a league you're in and you'd rather be left out, email hi@fpldugout.com and we'll remove you.

No special-category data. We do not ask for or intentionally process special-category data (health, race, beliefs, etc.). Please don't put such data into free-text fields.

Where we balance legitimate interests (analytics, logs), we have considered your rights and limited the data to what's needed to run a reliable, secure service. You can object — see section 8.

4. The AI narrative ("Analyst's Read")

The written analysis in your report is generated by a large language model run through the OpenAI API (model: GPT-5-mini). To produce it we send your season-review statistics (the FPL-derived numbers) to OpenAI as a sub-processor. We send only the derived season-review statistics together with your public FPL manager and team names — never your account email, password, or any login data. As of June 2026, OpenAI states that data submitted via its API is not used to train its models, and is retained for up to 30 days for abuse monitoring before deletion (we use the standard API, not zero-data-retention).

5. Cookies and analytics (PECR)

We use cookieless analytics (Vercel Web Analytics), which measures page views and basic usage events without storing or reading cookies or other identifiers on your device. Because no non-essential cookies are set, no cookie-consent banner is required under PECR.

We use only strictly-necessary, first-party cookies that are essential for the service to work — for example a session cookie to keep you signed in. These are exempt from the PECR consent requirement.

If we ever introduce non-essential cookies or device storage, we will add a compliant consent mechanism first.

6. Who we share your data with (sub-processors)

We don't sell your data. We use a small set of trusted providers to run the service:

| Sub-processor | Purpose | Location |
|---|---|---|
| Neon, Inc. | Database hosting (Postgres) | United States |
| Vercel, Inc. | Application hosting, serverless compute & cookieless analytics | United States |
| Resend (Plus Five Five, Inc.) | Transactional & marketing email delivery | United States |
| OpenAI, L.L.C. | AI generation of the report narrative (GPT-5-mini) | United States |

We may also disclose data where legally required (e.g. a valid court order) or to protect the service against fraud or abuse.

7. International transfers

Several of our sub-processors are in the United States, so your data is transferred outside the UK. We rely on appropriate safeguards for these transfers — provider certification under the UK extension to the EU–US Data Privacy Framework where available, and/or the UK IDTA / International Data Transfer Addendum to the EU SCCs, as set out in each provider's data-processing agreement.

8. Your rights

Under UK GDPR you have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectify — correct inaccurate data (e.g. fix your email).
  • Erase — ask us to delete your account and data ("right to be forgotten"). You can delete your account in Account settings, which removes your account, your login, your bound FPL team and the data synced to it, and your contact from our marketing email audience. Your season-review snapshot is generated from public FPL data and stored under your FPL team ID; it may remain at its share link — contact us and we'll remove it.
  • Withdraw consent — turn off marketing email at any time, via the unsubscribe link in any marketing email, the one-click unsubscribe page, or Account settings. Withdrawing consent doesn't affect processing done before you withdrew.
  • Restrict or object to processing based on legitimate interests (analytics/logs).
  • Portability — receive certain data in a portable format.

To exercise any right, contact hi@fpldugout.com. We'll respond within one month. We don't charge a fee unless a request is manifestly unfounded or excessive.

9. How long we keep data

  • Account data — for as long as your account exists; deleted from our live database immediately when you delete your account, with residual copies in routine backups expiring within 30 days.
  • Report / season-review data — kept while your account is active so you can revisit your report; deleted with the account.
  • Marketing contact — kept in our email audience until you unsubscribe or delete your account.
  • Technical logs — retained for up to 90 days for security and debugging, then deleted or aggregated.
  • Cookieless analytics — stored in aggregate only, with no profile tied to you.

10. Security

Passwords are stored only as salted hashes (via our authentication provider, Better Auth). Data is transmitted over HTTPS. Access to production data is limited. No system is perfectly secure, but we take reasonable measures to protect your data and will notify you and the ICO of a qualifying breach as required by law.

11. Children

FPL Dugout is intended for adults and for Fantasy Premier League players old enough to hold an FPL account. It is not directed at children under 13 (the minimum age to register a Fantasy Premier League account without parental consent, and the UK GDPR digital-consent age). We don't knowingly collect data from children under that age.

12. Changes to this policy

We may update this policy. We'll change the "Last updated" date and, for material changes affecting your rights, take reasonable steps to tell you (e.g. an email or an in-app notice).

13. Complaints

If you're unhappy with how we handle your data, please contact us first. You also have the right to complain to the UK supervisory authority:

Information Commissioner's Office (ICO) — https://ico.org.uk — helpline 0303 123 1113.

14. Contact

hi@fpldugout.com


Governing law: This policy and any dispute about it are governed by the laws of England and Wales.