Privacy Policy

Last Updated: May 29, 2026

The short version: Your data is yours. We collect the bare minimum to run your account: an email, a password, a username, and the picks you make. We don't sell your data or share it with anyone outside of the people in your own league. The rest of this page is the legalese version of that.

At Offseason ("we", "us", or "our"), we respect your privacy and we keep our data practices as boring as possible. This Privacy Policy explains what information we collect, how we use it, and the controls you have over it when you use the Offseason mobile app or this website (collectively, the "Service").

What We Collect

We only collect what we genuinely need to run the Service. Here's the full list:

Category	What it is	Why we have it
Account info	Email address, hashed password, chosen username, profile emoji	To create and authenticate your account, and so your league commissioner can find you.
Pick'em data	Your predictions, bracket picks, and selections for any tournament you enter (e.g. group-stage scores, knockout bracket, champion pick)	To score your entry, show you on the leaderboard, and let your league compare picks.
League membership	Which leagues you're in, your role (member or commissioner)	To grant you access to the right leaderboards and pick views.
Device info	Device type, OS version, app version, language preference	To send you the right notifications, debug crashes, and serve the right localized experience.
Server logs	IP address, request timestamp, error codes	Standard web-server logs for security, abuse prevention, and uptime debugging. Rotated regularly.

That's it. We do not collect: real names, phone numbers, dates of birth, contact lists, precise location, photos, microphone access, advertising IDs, or anything else not in the table above.

Analytics

We run our own first-party analytics so we can understand how the Service is used and make it better. We do not use Google Analytics, Mixpanel, Segment, Meta Pixel, or any other third-party tracker. No data about your use of the Service is shared with any third party for advertising or profiling purposes.

Our analytics are aggregate-only. When you use the Service we count events (for example, "pageview of /home") in hourly buckets. For each event we store:

What happened: event name (from a fixed allowlist like page_view, picks_submitted, league_created) and an optional short label (e.g. the page path or team code).
Approximate where: country (2-letter code from our CDN's edge header, never your IP), and if our CDN provides it, state/province. We never store your IP address in analytics.
Approximate who: the primary language from your browser's Accept-Language header, collapsed to a 2-letter code (en, es, pt-BR, etc.). No user ID is attached.
Platform: web, iOS, or Android — so we can tell platforms apart in aggregate.

We explicitly do not store in our analytics: IP addresses, user IDs, device fingerprints, user agents, advertising IDs, or any other identifier that could single you out. Counts are updated in-place, so the same row represents many people's activity at once. Analytics rows are kept for as long as they remain useful for product decisions, but they are never de-anonymized, sold, or shared with third parties.

If your browser sends a Do-Not-Track signal, our web tracker skips itself and records nothing on that page load. In our mobile apps, analytics is disabled when the OS reports that analytics tracking is off in device settings.

Waitlist (retired)

Before Offseason launched we ran a pre-launch waitlist that collected email addresses, the date of signup, and the IP and browser used to sign up (IP and browser stored only for spam detection). The waitlist form was retired when the product went live; no new entries are being collected at any URL on this site.

For historical waitlist entries: we used the address for exactly one thing — one operational email telling the recipient that picks were open — and archived the row when the recipient created a full Offseason account. Any addresses still in the waitlist table will be deleted within 30 days. You can remove yours immediately by emailing privacy@offseason.org.

How We Use It

We use your data for exactly these purposes, nothing more:

Run the Service: Score your picks, render leaderboards, sync your data across your devices, and let you compare picks with your league.
Account security: Log you in, recover your password, detect suspicious access attempts.
Communication: Send you operational emails (password resets, league invites, important account notices). We don't send marketing emails, so there are no marketing emails to opt out of.
Improve the app: Look at aggregate, anonymized usage patterns (see the Analytics section above) to fix bugs and improve features. We do not profile individual users, and we do not combine analytics data with your account data.
Share data points publicly: We may occasionally publish aggregate, anonymized stats to social (e.g. "top 3 champion picks across all our users"). These are computed at the same aggregate level — no single user is identifiable.

We do not sell your personal data. Ever. To anyone. Full stop.

We share data only in these limited circumstances:

Within your league: Your username, profile emoji, picks, points, and rank are visible to other members of leagues you join. That's the entire point of a pick'em.
Service providers: We use a small set of trusted vendors. As of this update, the list is: our hosting provider (the server that runs offseason.org), SendGrid for transactional email (verification links, password reset notices), and Apple when you choose Sign in with Apple. Each one only receives the minimum data needed to do its job — SendGrid sees only your email address and the email content; Apple sees only the sign-in token. None of them are allowed to use your data for their own purposes.
Legal compliance: If we receive a valid legal request (court order, subpoena, etc.) that we are legally required to honor, we may disclose the specific data the request covers. We will resist overbroad requests where we can.
Business changes: If Offseason is ever acquired by or merged into another company, your data may transfer as part of the deal. The new owner inherits this Privacy Policy and your rights under it.

Security

We take security seriously and use industry-standard practices:

Encryption in transit: All traffic between your device and our servers uses HTTPS (TLS 1.2+). HSTS is enabled so your browser refuses to downgrade.
Password hashing: We never store plaintext passwords. We use bcrypt — a modern, salted, deliberately slow hashing algorithm — so even a database leak wouldn't expose your password.
Token hashing: Session tokens, email verification links, and password reset links are all stored as SHA-256 hashes, not as the raw value. The link you click in your email still works, but a copy of our database wouldn't let anyone reuse it.
Access control: Only a small number of authorized engineers can access production data, and only when necessary for support or security work.
Regular review: We review our security posture regularly, patch dependencies promptly, and welcome responsible disclosure at security@offseason.org (see SECURITY.md for our disclosure policy).

That said, no system is bulletproof. If we ever discover a security incident that affects your data, we will notify you and the appropriate authorities promptly.

Your Rights

You have control over your data. You can, at any time:

Access: Request a copy of the personal data we hold about you. We'll send it within 30 days.
Correct: Update your username, email, password, and profile emoji from inside the app. For anything else, email us.
Delete: Request that we permanently delete your account and all associated data. We'll do it within 30 days, except where we are legally required to retain something (e.g., for fraud-prevention records).
Export: Request a portable copy of your account data in JSON format.
Object: Ask us to stop processing your data for any non-essential purpose.

To exercise any of these rights, email privacy@offseason.org. We don't make you fill out forms or wait for a ticket queue.

Data Retention

We keep your data for as long as your account is active. If you delete your account, we permanently delete your personal data within 30 days, with two narrow exceptions:

Anonymized aggregate stats: Things like "120,000 users played a given tournament pick'em". These contain no personal data and may be retained.
Legal records: If we're legally required to keep certain records (e.g. for tax or fraud-prevention reasons), we retain only the minimum necessary for the legally required period.

Children

Offseason is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has created an account, please email us at privacy@offseason.org and we will delete the account.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we'll notify you via email and update the "Last Updated" date at the top of this page. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, our data practices, or you'd like to exercise any of your data rights, get in touch:

Privacy questions: privacy@offseason.org

General support: support@offseason.org