Privacy Policy

Last Updated: April 9, 2026

At Offseason ("we", "us", or "our"), we respect your privacy and we keep our data practices as boring as possible. This Privacy Policy explains what information we collect, how we use it, and the controls you have over it when you use the Offseason mobile app or this website (collectively, the "Service").

What We Collect

We only collect what we genuinely need to run the Service. Here's the full list:

Category	What it is	Why we have it
Account info	Email address, hashed password, chosen username, profile emoji	To create and authenticate your account, and so your league commissioner can find you.
Pick'em data	Your predictions, bracket picks, and selections for any tournament you enter (e.g. group-stage scores, knockout bracket, champion pick)	To score your entry, show you on the leaderboard, and let your league compare picks.
League membership	Which leagues you're in, your role (member or commissioner)	To grant you access to the right leaderboards and pick views.
Device info	Device type, OS version, app version, language preference	To send you the right notifications, debug crashes, and serve the right localized experience.
Server logs	IP address, request timestamp, error codes	Standard web-server logs for security, abuse prevention, and uptime debugging. Rotated regularly.

That's it. We do not collect: real names, phone numbers, dates of birth, contact lists, location data, photos, microphone access, advertising IDs, or anything else not in the table above.

How We Use It

We use your data for exactly these purposes, nothing more:

• Run the Service: Score your picks, render leaderboards, sync your data across your devices, and let you compare picks with your league.
• Account security: Log you in, recover your password, detect suspicious access attempts.
• Communication: Send you operational emails (password resets, league invites, important account notices). We don't send marketing emails, so there are no marketing emails to opt out of.
• Improve the app: Look at aggregate, anonymized usage patterns to fix bugs and improve features. We do not profile individual users.

Data Sharing

We do not sell your personal data. Ever. To anyone. Full stop.

We share data only in these limited circumstances:

• Within your league: Your username, profile emoji, picks, points, and rank are visible to other members of leagues you join. That's the entire point of a pick'em.
• Service providers: We use a small set of trusted vendors (cloud hosting, transactional email delivery, crash reporting). They process data only on our behalf, under contract, and only the minimum needed to do their job.
• Legal compliance: If we receive a valid legal request (court order, subpoena, etc.) that we are legally required to honor, we may disclose the specific data the request covers. We will resist overbroad requests where we can.
• Business changes: If Offseason is ever acquired by or merged into another company, your data may transfer as part of the deal. The new owner inherits this Privacy Policy and your rights under it.

Security

We take security seriously and use industry-standard practices:

• Encryption in transit: All traffic between your device and our servers uses HTTPS (TLS 1.2+).
• Encryption at rest: Sensitive fields (including hashed passwords) are encrypted in our database.
• Password hashing: We never store plaintext passwords. We use a modern, salted, slow hash (bcrypt or equivalent).
• Access control: Only a small number of authorized engineers can access production data, and only when necessary for support or security work.
• Regular review: We review our security posture regularly and patch dependencies promptly.

That said, no system is bulletproof. If we ever discover a security incident that affects your data, we will notify you and the appropriate authorities promptly.

Your Rights

You have control over your data. You can, at any time:

• Access: Request a copy of the personal data we hold about you. We'll send it within 30 days.
• Correct: Update your username, email, password, and profile emoji from inside the app. For anything else, email us.
• Delete: Request that we permanently delete your account and all associated data. We'll do it within 30 days, except where we are legally required to retain something (e.g., for fraud-prevention records).
• Export: Request a portable copy of your account data in JSON format.
• Object: Ask us to stop processing your data for any non-essential purpose.

To exercise any of these rights, email privacy@offseason.org. We don't make you fill out forms or wait for a ticket queue.

Data Retention

We keep your data for as long as your account is active. If you delete your account, we permanently delete your personal data within 30 days, with two narrow exceptions:

• Anonymized aggregate stats: Things like "120,000 users played a given tournament pick'em". These contain no personal data and may be retained.
• Legal records: If we're legally required to keep certain records (e.g. for tax or fraud-prevention reasons), we retain only the minimum necessary for the legally required period.

Children

Offseason is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has created an account, please email us at privacy@offseason.org and we will delete the account.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we'll notify you via email and update the "Last Updated" date at the top of this page. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, our data practices, or you'd like to exercise any of your data rights, get in touch: