Privacy Policy
Last updated: May 19, 2026 (version 2026-05-19)
1. Who we are
Fantasy Gold is a non-custodial fantasy competition platform that lets Fantasy Premier League ("FPL") managers compete in on-chain leagues settled in our FGLD token on the Solana network. In this policy "we", "us", and "the platform" refer to the operators of fantasygold.io. Contact for privacy questions: privacy@fantasygold.io.
2. What we collect
We try to collect the minimum needed to run leagues and settle prizes. Concretely, depending on how you use the platform, we hold the following:
| Category | Examples | When |
|---|---|---|
| Account identity | Name, email, profile image, Dynamic.xyz user id | On signup |
| Phone number | Mobile number (e.g. M-Pesa deposits) | Only when you initiate a mobile money transaction |
| FPL link | Your FPL manager id, team name, manager name, public gameweek scores, transfers, captain selections | When you link your FPL account |
| Wallets | Solana wallet addresses you connect or that Dynamic creates on your behalf (we never see your private key) | On wallet connect |
| Session telemetry | IP address and user-agent attached to each session and to security-relevant events (logins, admin actions) | Each session |
| Fiat ledger | Deposit and withdrawal records (amounts, currency, provider, transaction status) | When you on- or off-ramp via M-Pesa, NOWPayments, or Kotani Pay |
| KYC | Verification status flag (full documents, if required for higher limits, are handled by the verification provider and not stored by us) | Only when a transaction triggers a KYC check |
| Behavioural | League memberships, predictions, notification preferences, achievements | As you use the product |
| On-chain records | Wallet addresses, league memberships, transfers, prize payouts — visible to anyone on the Solana blockchain | Every league action on-chain |
We do not run third-party analytics, ad pixels, or behavioural tracking. We do not sell personal data.
3. How we use it
- Authenticate you and maintain your session.
- Read your public FPL data so we can score gameweeks and pay out winners.
- Move FGLD into and out of leagues on the Solana program you signed.
- Settle fiat deposits and withdrawals via the provider you chose.
- Send transactional emails if you opt in.
- Detect duplicate accounts, abuse, fraud, and meet legal obligations (sanctions screening, anti-money-laundering).
4. Who processes data on our behalf
- Dynamic.xyz — wallet authentication and embedded-wallet MPC key management.
- Supabase — managed PostgreSQL database (encrypted at rest, EU region).
- Vercel — application hosting and edge CDN.
- Solana network — public blockchain for FGLD transactions and league state.
- Fantasy Premier League — public team and gameweek data via the official FPL API.
- NOWPayments — card and crypto on-ramp.
- Safaricom M-Pesa — mobile money in Kenya.
- Kotani Pay — fiat off-ramp for African markets.
Each processor has its own privacy policy and we recommend reviewing them.
5. Retention
- Account, league, and ledger records are retained while your account is active.
- Sessions and short-lived auth artefacts expire within 4 hours.
- FPL team caches refresh on demand and are typically less than an hour old.
- Financial records may be retained longer where required by tax or anti-money-laundering law.
- On-chain records (wallet addresses, transfers, league entries) cannot be deleted because the Solana blockchain is immutable.
6. Cookies
We use a small number of strictly-essential cookies to keep you signed in, to remember your referral source, and to maintain CSRF protection on auth flows. We do not use advertising cookies or third-party analytics cookies.
7. Blockchain transparency
Any time you join a league, deposit FGLD, or receive a payout, a record is written to the public Solana blockchain. Anyone — not just us — can see the wallet address, amount, and timing of those transactions. This is a property of public blockchains we cannot remove, and you should keep it in mind before linking a wallet you treat as private.
8. Your rights
Subject to local law (GDPR for EU/UK users, equivalent regimes elsewhere), you can:
- Request a copy of the data we hold about you.
- Correct inaccurate information.
- Request deletion of your account and off-chain data (on-chain records are immutable).
- Object to processing or withdraw consent for marketing.
- Lodge a complaint with your local data protection regulator.
To exercise any of these, email privacy@fantasygold.io. We aim to respond within 30 days.
9. Security
- HTTPS / TLS in transit for all requests.
- Encryption at rest on the managed database.
- Strict Content-Security-Policy, HSTS, and frame-ancestors.
- Session tokens are HttpOnly, Secure, and short-lived.
- Admin actions are JWT-gated and rate-limited; failed attempts are logged.
If you discover a vulnerability, please disclose responsibly by emailing security@fantasygold.io.
10. Age
Fantasy Gold is for users 18 years and older. We do not knowingly collect data from anyone under 18; if you believe a minor has registered, contact us and we will delete the account.
11. Changes
When we make material changes we bump the version above and notify active users. Continued use after the effective date means you accept the new version.