Privacy Policy

Last updated: July 2026

TheoryTwelve, LLC (“TheoryTwelve,” “we,” “us,” or “our”) operates Gambit Fantasy (“Gambit” or the “Service”). This Privacy Policy explains what information we collect when you use Gambit, how we use it, who we share it with, and the choices you have. By using the Service, you agree to this policy.

Contact: legal@gambitfantasy.app
TheoryTwelve, LLC · Colorado, USA

1. Information We Collect

Account Information

When you create an account, we collect your email address and display name. If you sign in via Google, X (Twitter), or Facebook, we receive the basic profile information those providers share — typically your name, email address, and profile picture — per your settings with that provider.

Game Activity

We record everything needed to run the game: your lineup selections, which players you have started (your “burns”), your weekly scores, league standings, and in-app chat messages. This is the core data that makes the game work.

Payment Information

Payments are processed entirely by Stripe. We never see or store your full card number, bank account details, or CVV. We do store your subscription tier (Free, Individual Pro, or League Pro) and status so we can gate features appropriately.

Usage and Technical Data

We collect standard server logs (IP address, browser/device type, pages visited, timestamps) and error reports through our monitoring tools. On mobile, we also collect your device type, operating system version, and — if you grant permission — a push notification token.

Communications

If you email us or submit a support request, we retain that correspondence to resolve your issue and improve the Service.

2. How We Use Your Information

  • Operate the Service: run the game, track burns, calculate scores, manage leagues, and enforce rules.
  • Transactional communications: account confirmation, lineup lock reminders, weekly score summaries, billing receipts, and security alerts.
  • Push notifications (mobile): lineup reminders before kickoff, score updates during game days, and league activity alerts. You can opt out at any time in your device settings.
  • Marketing email: product updates, new feature announcements, and seasonal previews — only if you have opted in. Every marketing email includes a one-click unsubscribe.
  • Error monitoring: crash reports and error logs help us identify and fix bugs quickly.
  • Fraud prevention and safety: detecting and preventing cheating, collusion, or abuse of the Service.
  • Legal compliance: meeting our obligations under applicable law, including responding to valid legal process.

We do not sell your personal information. We do not use your data to serve third-party advertisements.

3. Third-Party Services

We use the following third-party services to operate Gambit. Each has its own privacy policy governing how it handles data. Where a service processes data on our behalf, we have data processing agreements in place.

ServicePurposeData Shared
Clerk (clerk.com)Authentication & user managementEmail, name, OAuth profile
Neon (neon.tech)PostgreSQL database hostingAll app data
Stripe (stripe.com)Payment processing & subscriptionsEmail, payment method
Sleeper (sleeper.com)NFL player & statistics dataNone (we query their public API)
Giphy (giphy.com)GIF search in league chatSearch queries
Vercel (vercel.com)Hosting, CDN, and serverless computeRequest logs, IP addresses
Google Fonts (fonts.googleapis.com)Web typographyIP address, browser info
Resend (resend.com)Transactional email deliveryEmail address, email content
EmailOctopus (emailoctopus.com)Marketing email (opt-in only)Email address, name
Sentry (sentry.io)Error monitoring & crash reportingError context, anonymized device info
Google (via Clerk)OAuth sign-in optionBasic profile (if you choose Google sign-in)
X / Twitter (via Clerk)OAuth sign-in optionBasic profile (if you choose X sign-in)
Meta / Facebook (via Clerk)OAuth sign-in optionBasic profile (if you choose Facebook sign-in)
Apple APNsiOS push notifications (mobile app)Device push token
Google Firebase / FCMAndroid push notifications (mobile app)Device push token

4. Push Notifications

The Gambit mobile app may send push notifications for lineup lock countdowns, score updates, and league activity. To do this, we share a device-specific push token with Apple (APNs) for iOS devices and Google Firebase (FCM) for Android devices. These tokens are pseudonymous identifiers that do not contain your personal information.

You can revoke push notification permission at any time in your device's notification settings. You can also manage notification preferences inside the app.

5. Cookies and Local Storage

We use session cookies set by Clerk to keep you logged in. We do not use advertising cookies or cross-site tracking. Google Fonts may set a short-lived cache cookie.

On the web, we use browser local storage to remember your waitlist email before you create a full account. No personal data is stored in local storage after account creation.

6. Data Retention

  • Active accounts: we retain your data for as long as your account is active.
  • Deleted accounts: we delete personal data within 30 days of a verified deletion request. Game history (scores, standings) may be retained in anonymized, aggregate form.
  • Payment records: retained for 7 years as required by law.
  • Chat messages:retained for the duration of the season, then purged at the conclusion of each league's season.

7. Your Rights

Regardless of where you live, you can contact us at legal@gambitfantasy.app to:

  • Request a copy of the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your account and associated personal data
  • Opt out of marketing email

California residents (CCPA/CPRA):you have the right to know what personal information we collect and how we use it, to delete your information, and to opt out of the “sale” or “sharing” of your personal information. We do not sell or share your personal information with third parties for advertising purposes.

8. Children's Privacy

The Service is intended for users 13 and older. We do not knowingly collect personal information from children under 13. If we become aware that we have done so, we will delete that information promptly. Contact us at legal@gambitfantasy.app if you believe we have collected data from a child under 13.

9. Data Security

We use industry-standard security practices: data encrypted in transit (TLS), encrypted at rest in our database, access controls limiting who can view production data, and regular security reviews. No system is perfectly secure; if you discover a security issue, please report it to legal@gambitfantasy.app.

10. Changes to This Policy

We'll post updates here and update the “Last updated” date at the top. For material changes, we'll send an email to active users at least 14 days before the change takes effect. Continuing to use Gambit after the effective date means you accept the updated policy.