Privacy Policy

Last updated: March 2026

1. Who We Are

gaffr ("we", "us", "our") is a Fantasy Premier League management tool available at gaffr.dev, operated by an individual based in the United Kingdom. For data protection purposes, we are the data controller of your personal information.

Contact: privacy@gaffr.dev

2. What Data We Collect

Account data

Your email address, your Google profile name if you sign in via Google, and any display name you choose to set.

Squad and usage data

The FPL squad you build in gaffr, including player selections, captain choices, transfer history, season tracking data, and in-app preferences.

Technical data

Standard server logs, including IP address, browser type, and pages visited. These are used solely for security and performance monitoring.

Advertising data

We intend to display advertisements on gaffr in the future. When we do, advertising partners may use cookies and similar tracking technologies. We will update this policy and notify you before ads are introduced, and you will be given the opportunity to manage your advertising preferences at that time.

3. How We Use Your Data

  • To provide gaffr — saving your squad, syncing across devices, powering analysis features
  • To authenticate you and keep your account secure
  • To remember your preferences
  • To monitor and improve service performance and reliability
  • To comply with legal obligations

We do not sell your personal data to third parties.

4. Legal Basis for Processing (UK GDPR)

  • Contract — processing your account and squad data is necessary to provide the service
  • Legitimate interests — security monitoring and service improvement
  • Consent — advertising cookies and tracking, where applicable

5. Data Storage and Security

Your data is stored securely using Supabase, a GDPR-compliant cloud database provider with servers within the EEA. Data is encrypted at rest and in transit. We implement row-level security so only you can access your own data. We do not store passwords — authentication is handled by Supabase Auth or Google OAuth.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account, your personal data will be permanently deleted within 30 days.

7. Your Rights

Under UK GDPR you have the right to access, rectify, erase, port, restrict, or object to the processing of your personal data. To exercise any of these rights, contact us at privacy@gaffr.dev.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Third-Party Services

  • Supabase — database and authentication
  • Vercel — hosting and deployment
  • Google OAuth — optional sign-in
  • Fantasy Premier League API — player and fixture data (no personal data shared)

9. Cookies

gaffr uses essential cookies for authentication and session management only. When advertising is introduced, we will implement a cookie consent mechanism before setting any non-essential cookies.

10. Changes to This Policy

We may update this policy from time to time. Significant changes will be communicated via the app. Continued use of gaffr after changes constitutes acceptance of the updated policy.

© 2026 gaffr. All rights reserved.