Last updated: 13 April 2026
This policy explains what personal data Fantasy Powerlifting collects, why we collect it, how long we keep it, and your rights under UK data protection law. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Fantasy Powerlifting is operated by Super Training Events Ltd, 48 Yarnolds, Cheltenham.
For data protection purposes, we are the data controller. If you have questions about this policy or how we handle your data, contact us at info@strengthanalytics.co.uk.
We do not collect payment information, phone numbers, date of birth, or any special category data (as defined under Article 9 UK GDPR). We do not build behavioural profiles or sell data to third parties. Sentry is configured with sendDefaultPii: false to avoid capturing IP addresses, request headers, or form input values, and we do not enable Sentry Session Replay or client-side performance tracing.
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | To authenticate your identity via OTP and to send transactional emails (e.g. team confirmation) | Performance of a contract (Article 6(1)(b)) |
| Display name | To show your name on leaderboards and shareable team pages | Performance of a contract (Article 6(1)(b)) |
| Team picks | To run the fantasy game, calculate scores, and display results | Performance of a contract (Article 6(1)(b)) |
| Marketing consent record | To send competition updates, new competition announcements, platform news, and team-change notifications (e.g. if a lifter you picked withdraws) — and to demonstrate you agreed to receive them. We never share your email with third parties. | Consent (Article 6(1)(a)) |
| Session tokens | To maintain your authenticated session so you don't need to re-enter a code on every visit | Legitimate interests (Article 6(1)(f)) — to provide a functional service |
| Error data (Sentry) | To detect, diagnose, and fix application errors | Legitimate interests (Article 6(1)(f)) — to maintain a functioning, reliable service |
| Data | Retention period |
|---|---|
| Account data (email, display name) | Until you delete your account, or 2 years of account inactivity, whichever comes first |
| Team picks and scores | Retained indefinitely as part of the competition archive, but anonymised (display name only, no email) in public-facing views |
| Marketing consent record | Retained for the duration of your account, plus 1 year after deletion — as evidence of consent if required |
| Session tokens | Expire after 7 days of inactivity, or immediately on sign-out |
| Server-side infrastructure logs | Retained by Vercel for up to 30 days per their standard data retention policy |
| Sentry error data | Retained by Sentry for 90 days, after which it is automatically deleted from their systems |
We do not sell, rent, or trade personal data. We share data only with the following service providers, who act as data processors on our behalf:
Our hosting and infrastructure provider. Vercel serves the Platform globally and retains standard server logs. Vercel is based in the USA; data transfers are covered by Standard Contractual Clauses. See Vercel's Privacy Policy at vercel.com/legal/privacy-policy.
Our database, authentication, and real-time infrastructure provider. Supabase stores your account data, team picks, and session tokens on our behalf. Supabase's servers may be located within the EU or USA. Where data is transferred outside the UK, this is covered by appropriate safeguards including Standard Contractual Clauses (SCCs). See Supabase's Privacy Policy at supabase.com/privacy.
Our transactional email provider. Your email address is passed to Resend solely to deliver authentication codes and team confirmation emails. Resend does not use your email for any other purpose. See Resend's Privacy Policy at resend.com/privacy.
Our error monitoring provider. When an application error occurs, Sentry receives technical data including browser and device information, the URL you were visiting, and a diagnostic trace of the error. Sentry is configured not to receive IP addresses, request headers, or request bodies. This data is used only to identify and fix bugs in the Platform. Sentry is based in the USA; data transfers are covered by Standard Contractual Clauses. We do not enable Sentry Session Replay, client-side performance tracing, or any feature that would capture your screen, form inputs, or personal content. See Sentry's Privacy Policy at sentry.io/privacy.
We may also disclose data if required to do so by law, court order, or at the request of a regulatory authority.
Some of our service providers operate infrastructure outside the UK. Where your data is transferred to countries that do not have an adequacy decision from the UK Secretary of State, we ensure appropriate safeguards are in place — including Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).
Under UK GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, email us at info@strengthanalytics.co.uk. We will respond within one calendar month. There is no charge for reasonable requests.
Withdrawing marketing consent: if you gave consent to receive marketing communications, you can withdraw it at any time by clicking the unsubscribe link in any marketing email, or by emailing us. Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.
If you believe we have handled your personal data unlawfully, or if you are unhappy with our response to a rights request, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
We would appreciate the opportunity to address any concerns directly before you contact the ICO.
We take reasonable technical and organisational measures to protect your personal data. Authentication is handled via one-time passcodes — there are no passwords to be breached. Session tokens are stored in secure, HTTP-only cookies. Our infrastructure is hosted on Vercel and our database is managed by Supabase, both of which maintain SOC 2 Type II compliance. Error monitoring is handled by Sentry, which is configured to avoid capturing sensitive input data.
No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
Fantasy Powerlifting is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email before the changes take effect. The “last updated” date at the top of this page will always reflect the most recent version. Continued use of the platform after notification constitutes acceptance of the updated policy.