Privacy Notice
Last updated: 23 February 2026
1. Who We Are
Draft FC Ltd ("we", "us", "our") is the data controller responsible for your personal data. We are registered in England and Wales under company number 14295934.
We operate the website at draftfc.co.uk and any associated applications (together, the "Service"), providing fantasy football analytics, data, and tools.
For any questions about this Privacy Notice or how we handle your personal data, please contact us at info@draftfc.co.uk.
2. What Personal Data We Collect
We may collect and process the following categories of personal data:
Account Data
Your name, email address, username, and password (stored in hashed form). If you register or sign in using a third-party service, we may receive your name and email address from that provider.
Payment Data
Your billing address and payment method details. Payment card information is processed directly by our payment provider, Stripe, and is not stored on our systems. We receive only a confirmation of payment and a truncated card reference for your records.
Fantasy Football Data
Information about your fantasy football leagues, teams, and player selections, sourced from the Fantasy Premier League (FPL) API with your authorisation.
Usage Data
Information about how you interact with our Service, including pages visited, features used, session duration, referring URLs, and the date and time of your visits.
Technical Data
Your IP address, browser type and version, operating system, device type, and device identifiers.
Communications Data
Any information you provide when you contact us for support or provide feedback, including the content of your messages and any attachments.
3. How We Collect Your Data
We collect personal data through the following means:
- Directly from you — when you register for an account, subscribe to the Service, update your profile, or contact us.
- Automatically — when you use the Service, through cookies and similar tracking technologies (see Section 10 below).
- From third parties — including the FPL API (fantasy football data) and Stripe (payment confirmations).
4. How and Why We Use Your Data
We only process your personal data where we have a lawful basis to do so under the UK General Data Protection Regulation (UK GDPR). The table below sets out the purposes for which we process your data and the corresponding legal basis.
| Purpose | Lawful Basis |
|---|---|
| Creating and managing your Account | Performance of our contract with you |
| Providing the Service and its features, including analytics and predictions | Performance of our contract with you |
| Processing payments for Subscriptions | Performance of our contract with you |
| Sending service-related communications (e.g. account confirmations, subscription notices, security alerts) | Performance of our contract with you |
| Sending marketing emails about our products and services to existing customers | Legitimate interest (soft opt-in under PECR Regulation 22); you can opt out at any time |
| Website analytics via Google Analytics to understand how the Service is used and to improve it | Consent (via cookie consent) |
| Serving advertisements on the Service | Consent (via cookie consent) |
| Preventing fraud, detecting abuse, and maintaining the security of the Service | Legitimate interest (protecting our business and users) |
| Complying with legal and regulatory obligations (e.g. tax records) | Legal obligation |
| Improving and developing the Service, fixing bugs, and analysing trends | Legitimate interest (improving our products) |
Where we rely on legitimate interest as our lawful basis, we have carried out a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may contact us at info@draftfc.co.uk if you would like further information about these assessments.
5. Marketing Communications
If you are an existing customer, we may send you emails about products and services similar to those you have purchased from us, in accordance with the "soft opt-in" permitted under the Privacy and Electronic Communications Regulations 2003 (PECR). You will always have the opportunity to opt out, and every marketing email includes an unsubscribe link.
If you are not an existing customer, we will only send you marketing communications with your explicit consent.
You can opt out of marketing communications at any time by clicking the unsubscribe link in any email, or by contacting us at info@draftfc.co.uk.
6. Who We Share Your Data With
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes.
We may share your personal data with the following categories of recipients, solely for the purposes described in this Privacy Notice:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Name, email, billing address, payment details |
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | All data stored on the Service (encrypted at rest) |
| Google (Google Analytics) | Website analytics | Pseudonymised usage data, IP address |
| SendGrid (Twilio) | Transactional and marketing emails | Name, email address |
| Advertising partners | Serving relevant advertisements | Pseudonymised data via advertising cookies (with your consent) |
We may also disclose your personal data if required to do so by law, or if we reasonably believe that disclosure is necessary to comply with a legal obligation, protect our rights or safety, or prevent fraud.
7. International Data Transfers
Some of our third-party service providers (including Stripe, AWS, Google, and SendGrid) may process your data outside the United Kingdom. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:
- transfers to countries that have been deemed to provide an adequate level of protection by the UK Secretary of State;
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- the UK Extension to the EU-US Data Privacy Framework, where applicable for US-based processors.
You may contact us at info@draftfc.co.uk for further details about the specific safeguards we have in place.
8. How Long We Keep Your Data
We retain your personal data only for as long as is necessary for the purposes set out in this Privacy Notice, or as required by law. The specific retention periods are as follows:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of your Account, plus 6 years after deletion (for legal claims) |
| Payment records | 6 years from the date of the transaction (HMRC requirements) |
| Usage and analytics data | 26 months |
| Marketing consent records | Duration of consent, plus 2 years |
| Support communications | 2 years after resolution |
When personal data is no longer required, we will securely delete or anonymise it.
9. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct any personal data that is inaccurate or incomplete.
- Right to erasure — you can ask us to delete your personal data in certain circumstances (sometimes known as the "right to be forgotten").
- Right to restriction of processing — you can ask us to limit how we use your data in certain circumstances.
- Right to data portability — you can request that we provide your data in a structured, commonly used, machine-readable format.
- Right to object — you can object to our processing of your data where we rely on legitimate interest as our lawful basis, or where we process your data for direct marketing.
- Right to withdraw consent — where we rely on your consent to process your data, you can withdraw it at any time. This does not affect the lawfulness of any processing carried out before you withdrew your consent.
To exercise any of these rights, please contact us at info@draftfc.co.uk. We will respond to your request within one month. In certain circumstances, we may extend this period by a further two months, in which case we will inform you and explain the reason.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection, if you believe that we have not handled your personal data in accordance with the law. The ICO can be contacted at:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
10. Cookies and Tracking Technologies
Cookies are small text files placed on your device when you visit our website. We use the following categories of cookies:
Strictly Necessary Cookies
These cookies are essential for the operation of the Service. They enable core functionality such as user authentication, session management, and security. These cookies do not require your consent.
Analytics Cookies
We use Google Analytics to collect anonymised information about how visitors use our website, including which pages are visited most often, how visitors navigate the site, and whether they encounter errors. This data helps us improve the Service. Google Analytics uses cookies to collect this information, and it is processed in aggregate form. We have configured Google Analytics so that it does not collect data for advertising purposes. These cookies are set only with your consent.
Advertising Cookies
We serve advertisements on the Service. Our advertising partners may set cookies on your device to show you relevant advertisements and to measure the effectiveness of advertising campaigns. These cookies are set only with your consent.
Managing Cookies
When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You can change your cookie preferences at any time through your browser settings. Please note that disabling certain cookies may affect the functionality of the Service.
For more information about cookies, including how to see what cookies have been set and how to manage and delete them, visit allaboutcookies.org.
11. Children
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at info@draftfc.co.uk and we will take steps to delete that information.
12. Data Security
We take the security of your personal data seriously. We have implemented appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- encryption of data in transit using TLS/HTTPS;
- encryption of data at rest;
- access controls and authentication mechanisms;
- regular security monitoring;
- payment data handled by Stripe, a PCI-DSS Level 1 certified payment processor.
While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform you without undue delay.
13. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or by posting a prominent notice on the Service before the changes take effect.
We encourage you to review this Privacy Notice periodically. The "Last updated" date at the top of this page indicates when this Privacy Notice was last revised.
14. Contact Us
If you have any questions about this Privacy Notice or wish to exercise your data protection rights, please contact us at:
Draft FC Ltd
Email: info@draftfc.co.uk