Privacy Policy
Effective date: 11 May 2026 · Version: 2.0
This is the privacy policy for the Fantasy Rowing app and the fantasyrowing.com website. It explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it.
We've tried to write this in plain English. If anything isn't clear, please get in touch at admin@fantasyrowing.com.
1. Who we are
Fantasy Rowing is operated by TapDown Ltd, a company registered in England and Wales.
- Company number: 16374353
- Registered office: The Accountancy Partnership, 70 Grange Road East, Wirral, United Kingdom, CH41 5FE
- Contact for privacy requests: admin@fantasyrowing.com
- ICO registration number: [to be added once registered]
TapDown Ltd is the data controller for personal data processed through the Fantasy Rowing app and website.
2. What this policy covers
This policy applies to:
- the Fantasy Rowing mobile app on iOS and Android
- the fantasyrowing.com website
- any emails or push notifications we send you
- any other Fantasy Rowing service that links to this policy
It does not cover third-party websites or services we link out to (for example, partner regatta sites or merchandise stores). Those have their own privacy policies.
3. What we collect
We collect three kinds of data: information you give us, information we collect automatically when you use the app, and information we receive from third parties.
Information you give us
When you create an account, you provide your email address and password. You'll be asked to pick a display name, which is shown to other players (you can change this at any time, and you don't have to use your real name). You can optionally upload a profile photo.
When you play, you create predictions, league memberships, squad memberships, follows, and (where applicable) race reactions. This content is associated with your account.
If you buy a premium subscription or a regatta pass, the in-app store (Apple or Google) handles the payment. We receive a purchase record and entitlement status via RevenueCat — we do not see your card details.
If you contact us by email, we keep a record of that correspondence.
Information we collect automatically
When you use the app or website we automatically collect:
- Device and technical data — app version, operating system, device model, language, time zone, crash logs.
- Usage data — which screens you visit, which features you use, and when. This is captured by PostHog and is associated with your user ID once you sign in.
- Approximate location — inferred from your IP address (city/country level only). We do not collect precise GPS location.
- Push notification token — if you grant notification permission, your device gives us a token so we can send you push notifications. We store this on our backend.
- Session and authentication data — login tokens, last-active timestamps, IP address at sign-in.
Information from third parties
- Apple App Store and Google Play confirm to us (via RevenueCat) when you purchase, renew, or cancel a subscription.
- Sign-in providers (if you sign in via email magic link) hand us back a verified email address.
4. How we use your data — and our legal basis
UK GDPR requires us to have a legal basis for every use of your data. Here's how we use it and the basis we rely on.
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and run your account; let you log in | Email, password (hashed), display name, profile photo | Performance of a contract with you |
| Let you make predictions, join leagues/squads, follow friends, see leaderboards | Game content you create, follow graph, league/squad memberships | Performance of a contract |
| Process subscriptions and regatta passes | Purchase records via RevenueCat, user ID | Performance of a contract |
| Send transactional notifications (predictions closing, race results, league activity) | Push token, email, prediction data | Performance of a contract |
| Send occasional service-similar promotional emails (e.g. "the next regatta is open") | Email, basic profile | Soft opt-in under PECR — only to existing users for similar Fantasy Rowing content, with a clear unsubscribe link in every email |
| Send marketing email outside the soft-opt-in (e.g. partner offers, sponsor messages) | Consent — only if you have ticked an opt-in box, and you can withdraw consent at any time | |
| Understand how the app is used and improve it | Usage data via PostHog (identified to your user ID) | Legitimate interest in improving the product. You can ask us to stop processing your data this way — see section 8. |
| Prevent abuse, fraud, and breaches of our terms | Account data, IP address, usage data | Legitimate interest in protecting the service |
| Comply with legal obligations (tax records, lawful requests) | Purchase records, account data | Legal obligation |
We do not use your data for automated decision-making that has legal or similarly significant effects on you. We do not sell your data.
5. Who we share it with
We use a small number of trusted service providers (sub-processors) to run Fantasy Rowing. Each is bound by a data processing agreement with us. We do not sell or rent your data to anyone.
| Provider | What they do | Data they process |
|---|---|---|
| Supabase (Supabase Inc.) | Backend database, authentication, file storage, server-side functions | All account data, content, push tokens, IP at sign-in |
| PostHog (PostHog Inc.) | Product analytics | User ID, email, display name, device data, screen/event data (in the app); page views and clicks (on this website, configured cookielessly — no persistent analytics cookies are set) |
| RevenueCat (RevenueCat, Inc.) | Subscription and in-app purchase management | User ID, App Store / Play Store purchase data |
| Apple and Google | App distribution and payment processing for in-app purchases | Purchase information, store-level identifiers |
| Expo (650 Industries, Inc.) | Push notification delivery to devices | Push tokens, notification payloads |
| Cloudflare | Hosting, CDN, and DDoS protection for fantasyrowing.com | IP addresses and request metadata for users visiting the website |
| GitHub (GitHub, Inc.) | Source code hosting and deploy pipeline | No personal data in normal operation |
We may also share data:
- with professional advisers (lawyers, accountants) where necessary and under confidentiality
- with authorities if required by law or to respond to a valid legal request
- with a successor entity if Fantasy Rowing is ever sold, merged, or restructured (you'll be told beforehand and your rights will carry over)
6. International transfers
Several of our sub-processors are based outside the UK, primarily in the United States. Where personal data is transferred outside the UK, we rely on safeguards approved under UK GDPR — usually the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. You can ask us for a copy of the relevant safeguards by emailing admin@fantasyrowing.com.
7. How long we keep it
| Data category | Retention |
|---|---|
| Active account data (profile, predictions, leagues) | For as long as your account is active |
| Account data after you request deletion | Removed from our live systems within 30 days. Backups age out within a further 30 days. |
| Push notification tokens | Removed automatically after 90 days of inactivity |
| Analytics events (PostHog) | Up to 7 years, in line with PostHog's default retention (we will review and shorten this where practical) |
| Email correspondence with support | Up to 2 years from the last message |
| Purchase records | 6 years, to meet HMRC tax-record obligations |
| Sent / failed notifications in our outbox | 7 days |
After the retention period, data is deleted or fully anonymised so it can no longer be linked to you.
8. Your rights
Under UK GDPR you have the right to:
- Access — ask for a copy of the personal data we hold about you
- Rectification — ask us to correct data that's wrong
- Erasure — ask us to delete your data ("right to be forgotten")
- Restriction — ask us to pause processing while a query is resolved
- Portability — ask for a machine-readable copy of data you provided to us
- Object — object to processing based on legitimate interests, including analytics
- Withdraw consent — where we rely on consent, you can withdraw it at any time
- Complain to the ICO — you can complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113. We'd appreciate the chance to fix things first, but you don't have to come to us first.
To exercise any of these rights, email admin@fantasyrowing.com. We'll respond within one month.
You can delete your account directly in the app: go to Profile → Account → Delete account. Your data is removed from our live systems within 30 days of the request. Some information may be retained for longer where the law requires (for example, tax records).
9. How we keep your data safe
We use a number of technical and organisational measures to protect your data:
- TLS (HTTPS) encryption in transit for all traffic to the app and website
- Encryption at rest on our database and file storage
- Row-level security policies in the database, so users can only see their own data
- OAuth2 / JWT for authentication, with password hashing handled by Supabase Auth
- Restricted administrative access — only one named administrator account has elevated privileges
- Logging and monitoring for unusual activity
No system is 100% secure. If a personal data breach occurs and is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and tell affected users without undue delay, as required by Article 33 and 34 of the UK GDPR.
10. Children
Fantasy Rowing is not intended for children under 13. You must be at least 13 years old to create an account. If you are under 18, please check with a parent or guardian before signing up.
If we find out we've collected data from a child under 13, we'll delete the account. If you believe a child under 13 has registered, please email admin@fantasyrowing.com so we can remove the account.
11. Cookies and device identifiers
The fantasyrowing.com website uses a small number of strictly necessary cookies to run the site (for example, to remember your cookie preferences). We do not currently use advertising or third-party tracking cookies on the website.
The mobile app does not use web cookies, but it does store an anonymous installation identifier and your authentication tokens locally on your device so you stay signed in. It may also receive advertising identifiers from your device (Apple's IDFA on iOS, Google's Advertising ID on Android) if you have enabled tracking and consented via Apple's App Tracking Transparency prompt. We do not currently use these identifiers for advertising and do not share them with ad networks.
12. Marketing and communications
There are three kinds of message you may get from us:
- Transactional notifications (push and email) — things like "your predictions are closing," "race results are in," "someone followed you." These are part of the service and you can manage them in Profile → Notifications.
- Service-similar promotional emails — occasional emails about new regattas or features, sent under the PECR soft opt-in. Every one has an unsubscribe link. Click it and we stop.
- Marketing emails outside the soft opt-in — for example, third-party sponsor offers. We only send these if you have ticked an opt-in box. You can withdraw consent at any time.
You can opt out of any non-essential communication at any time, and we will continue to send you transactional messages necessary to operate the service.
13. Changes to this policy
We may update this policy from time to time. Material changes (for example, new sub-processors, new categories of data, or new uses of your data) will be communicated to you in advance by email or in-app notice, and the effective date and version number at the top of this page will be updated. A changelog is maintained internally and is available on request.
14. Contact us
Privacy questions or requests: admin@fantasyrowing.com
Postal address:
TapDown Ltd
The Accountancy Partnership
70 Grange Road East
Wirral
CH41 5FE
United Kingdom
If you are not satisfied with our response, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk.