01 The short version
We try to write this the way we'd explain it to a friend in a league chat. The full sections below are authoritative, but here's the gist:
- We collect what's needed to run your league — sign-in details, your fantasy-league data from Sleeper or Yahoo, the content you post in your clubhouse, and basic device/usage information.
- We do not sell your data to advertisers, brokers, or anyone else. There are no third-party ad trackers on Leaguebase.
- We rely on a small set of trusted vendors (Supabase, Stripe, Resend, OpenAI, Inngest, Railway) to run the service. Each is listed below with what they do.
- You can download a copy of your data or delete your account at any time from Settings → Privacy. Account deletion has a 72-hour cooling-off window so you can change your mind.
- We email you when something material changes in this policy. No silent rewrites.
02 Who we are
“Leaguebase,” “we,” “us,” and “our” refer to the operator of Leaguebase, an editorial and social clubhouse for fantasy sports leagues. Leaguebase is the “data controller” for the personal information described in this policy — meaning we decide what data is collected and why.
You can reach our team at support@leaguebase.com for any privacy question, including the rights described in section 11.
03 What we collect
We try to keep what we collect to what the product genuinely needs. The categories below are everything we store about you in our database.
Account information
- Email address (required) — used to sign you in, deliver league invitations, and contact you about your account.
- Display name and profile photo (optional) — what other members of your league see in the feed, on rosters, and in messages.
- Password hash — only if you sign up with a password. We store a salted bcrypt hash, never the password itself, and we cannot recover it.
- Magic-link verification tokens — short-lived single-use tokens we generate so you can sign in by email without a password. We delete them after use or expiry.
- Account status — whether your account is active, suspended, or has been anonymized following a deletion request.
League and team data
- League configuration — name, scoring rules, roster positions, season year and week, commissioner identity. Pulled from Sleeper or Yahoo when you connect a league.
- Team roster, transactions, scores, and matchups — synchronized from your fantasy platform so we can render your feed, run analytics (Vault / LAMAR), and write editorial artifacts (Power Rankings, Recaps, Awards, Matchup Previews).
- League membership and roles — who's a commissioner, member, or fan in each league.
- Branding profile — if your commissioner customizes the league's palette or uploads a logo, those assets are stored in our object storage.
Content you create
- Feed posts, comments, reactions, and pinned content.
- Direct messages between league members. DMs are private to the participants and are not used for advertising or training. They are visible to administrators only when investigating a report or legal request, per section 06.
- Pick'em picks, calendar event RSVPs, and poll votes.
- Uploaded media — images you attach to posts or comments. Stored in our object storage (Supabase) under a per-environment prefix.
- Editorial artifacts — published Power Rankings, Recaps, Awards, and Matchup Previews, including any edits you make to AI-assisted drafts.
- Reports and moderation actions you file or receive.
Sessions and devices
- Sign-in sessions — issued/expiry timestamps, an opaque device fingerprint string, and whether the session was created from an installed PWA. Sessions are stored as JWTs in a secure HTTP-only cookie.
- Push notification subscriptions — the encrypted push endpoint, public keys, and a user agent string for each device that's opted in to push. We use these only to deliver the notification categories you've enabled.
- Theme preference cookie — a tiny leaguebase_theme cookie so the chrome renders in your chosen theme on the first paint. Marketing pages (this one included) are pinned to light mode regardless of the cookie.
Notification preferences
Per-channel and per-category opt-in state (push, in-app, email) plus optional quiet-hours windows and your IANA timezone. We store quiet-hours timezones so we can deliver notifications in your local rhythm without asking again on every device.
Billing data
- Subscription state, billing model, period dates, and the Stripe customer/subscription references for the leagues you pay for.
- Payment records — amount, currency, status, the Stripe charge reference, and success/failure timestamps. Card numbers and bank details never touch our servers; Stripe holds them directly.
- Sugar Daddy Pass records — when you hold an account-level pass that covers multiple leagues, we store the pass state, period dates, and the count of leagues currently covered.
Operational logs
We log routine technical information — request paths, status codes, latency, and aggregated job outcomes (e.g. sync poll outcomes per league) — to keep the service healthy. These logs are retained for a limited period and are not used for advertising.
04 Sleeper, Yahoo, and your league data
Leaguebase doesn't replace your fantasy platform — it sits next to it. To render your feed, write editorial content, and run analytics, we need a copy of your league's structure (rosters, matchups, transactions, settings).
Sleeper
Sleeper's platform exposes a public, read-only API. To connect a Sleeper league we ask for your Sleeper username so we can resolve your league ID. We do not ask for your Sleeper password and we can't change anything in your Sleeper account from Leaguebase. We poll the read-only endpoints on a schedule to keep your clubhouse in sync.
Yahoo Fantasy
Yahoo requires OAuth. When you connect a Yahoo league we redirect you to Yahoo to grant access; on success Yahoo returns a refresh token that we encrypt and store so we can keep reading your league. You can revoke that token at any time from Yahoo's account settings or by disconnecting the league inside Leaguebase. We only request the scopes needed to read fantasy league data.
ESPN
ESPN integration is on the roadmap. As of the effective date of this policy, we do not ingest ESPN league data.
When a league is disconnected we stop polling immediately, mark the connection as inactive, and stop writing new sync data for it. Existing league content (your historical artifacts, posts, calendar events) remains available to your league members under the original visibility settings unless an authorized commissioner deletes it.
05 How we use your data
- To run the service — render your feed, sync your league, deliver notifications, process payments, generate editorial artifacts, and surface analytics.
- To keep the service safe — detect abuse, enforce our community standards, investigate reports, and respond to security incidents.
- To improve the product — understand which features get used, debug regressions, and evaluate the quality of editorial content. We use aggregated, internal analytics — never third-party ad-tech trackers.
- To communicate with you — transactional email about your account (sign-in links, invoices, security notices) and the in-product notifications you've opted into.
- To meet legal obligations — respond to lawful requests, defend legal claims, and comply with tax and accounting rules.
We do not use your messages, picks, or league content to train external AI models. The AI features we provide (see section 07) operate on per-request prompts and do not opt your content into anyone's training corpus.
07 Sub-processors
The following service providers help us run Leaguebase. Each one only receives the data needed for its role.
- Railway — hosting and managed Postgres for our application servers and database.
- Supabase — object storage for uploaded media (avatars, post images, branding logos) and real-time channels for live feed updates.
- Stripe — payment processing for league subscriptions. Card details are entered into Stripe directly and are never stored on our servers; we keep only the Stripe customer and subscription references.
- Resend — delivery of transactional email (sign-in magic links, invitations, billing notices, important account messages).
- OpenAI — generation of editorial drafts (Power Rankings summaries, Weekly Recaps, Awards, news classification). League-specific context is sent per request and is not used to train OpenAI's general models.
- Inngest — orchestration of background jobs (sync polls, push dispatches, editorial pipelines). Self-hosted on our infrastructure; no league data leaves our environment for orchestration.
- Yahoo Fantasy Sports — source of league data for Yahoo-connected leagues, accessed via OAuth with the minimum scopes required.
- Sleeper — source of league data for Sleeper-connected leagues, accessed via Sleeper's public read-only API with no credentials beyond your Sleeper username.
- Giphy and Tenor — optional GIF picker inside the feed composer. Only the search query you type is sent; we don't share your account identity with these providers.
- Web push services — Apple, Google, and Mozilla operate the push gateways that deliver web notifications to your devices. We send only the notification payload and your push endpoint; they don't see the contents of your account.
We'll update this list when we add or remove a sub-processor. Material changes will trigger a notice under section 14.
09 Push notifications and email
Push notifications and email are opt-in per category — roster alerts, commissioner announcements, Pick'em prompts, scheduler DMs, billing notices, moderation, feed mentions, and history-mode announces. You control the toggles per league and per channel from Settings → Account → Notifications.
You can configure quiet-hours windows in your local timezone; we won't deliver push notifications during those windows except for billing or moderation messages that are time-sensitive.
Transactional email (sign-in magic links, league invitations, billing receipts, security notices) is sent regardless of marketing-style preferences because the service can't function without those messages reaching you. We don't send marketing email today; if we ever do, it will be opt-in only.
10 How long we keep data
We keep different categories of data for different periods.
- Account information — for as long as your account is active, plus a short window for backups after deletion (see below).
- League content — for as long as the league exists. When a commissioner deletes a league, its content is removed from active systems within 30 days.
- Verification tokens (sign-in magic links, OAuth state) — invalidated after first use or on expiry, typically within minutes.
- Operational logs — typically 30 days, longer only when needed for security investigations.
- Billing records — kept for the period required by tax and accounting law in the jurisdictions we operate in (generally 7 years).
- Backups — encrypted database backups roll off on a finite schedule (typically 30 days for daily snapshots). Deleted records continue to exist in those backups until they age out.
11 Your rights and how to use them
You have control over the data we hold about you. From inside Leaguebase you can:
- See and edit your profile from Settings.
- Manage notifications from Settings → Account → Notifications.
- Disconnect a fantasy league from inside that league's integration page.
- Download a JSON export of your data from Settings → Privacy → Export my data. We assemble the export asynchronously and email you a download link when it's ready.
- Delete your account from Settings → Privacy → Delete my account. Deletion has a 72-hour cooling-off window during which you can cancel; after that we anonymize your account and remove your personal content from active systems.
Depending on where you live (notably the EEA, UK, California, and several US states with comprehensive privacy laws) you may also have the right to access, correct, port, or restrict processing of your data, and to object to certain uses. To exercise those rights, use the in-product controls above or email support@leaguebase.com from the address associated with your account.
We respond to verifiable requests within 30 days (or the shorter period your local law requires) and we never charge a fee for a first request. We may need to verify your identity before completing certain requests so we don't accidentally reveal your data to someone else.
If you believe we've mishandled your data, you can complain to your local data-protection authority. We ask you to contact us first so we can try to fix it.
12 Children
Leaguebase is built for adults running and participating in fantasy sports leagues. The service is not directed to children under 13 and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has created an account, contact us at support@leaguebase.com and we'll delete the account and any associated personal data.
13 Security
We take security seriously and apply the controls you'd expect from a modern application:
- All connections to Leaguebase use HTTPS/TLS in production.
- Passwords are stored as salted bcrypt hashes — never in plaintext.
- OAuth refresh tokens for Yahoo are encrypted at rest.
- Stripe handles card data directly; we never see or store full card numbers.
- Access to production systems is limited to a small number of operators on a need-to-know basis with audited access logs.
- We patch dependencies regularly and run automated security checks against our code and infrastructure.
No system is perfectly secure. If you discover a vulnerability, please report it responsibly to security@leaguebase.com — we'll respond promptly and credit you (with permission) once the issue is fixed.
14 International users
Leaguebase is operated from the United States and our infrastructure is hosted there. If you use Leaguebase from outside the US — including the EEA, UK, or other regions with comprehensive data-protection laws — your information will be transferred to and processed in the US. We rely on appropriate transfer safeguards (such as the EU's standard contractual clauses where applicable) and the contractual commitments of our sub-processors.
15 Changes to this policy
We'll update this policy from time to time as the product evolves. When we make material changes — for example, adding a new sub-processor or expanding a category of data we collect — we'll post a changelog entry at the top of this page and email account-holders so you have time to review before the change takes effect.
16 Contact us
For privacy questions, data requests, or anything in this document that's unclear, email support@leaguebase.com. For security disclosures, use security@leaguebase.com.