Privacy Policy
Last updated: July 2026
TheoryTwelve, LLC (“TheoryTwelve,” “we,” “us,” or “our”) operates Gambit Fantasy (“Gambit” or the “Service”). This Privacy Policy explains what information we collect when you use Gambit, how we use it, who we share it with, and the choices you have. By using the Service, you agree to this policy.
Contact: legal@gambitfantasy.app
TheoryTwelve, LLC · Colorado, USA
1. Information We Collect
Account Information
When you create an account, we collect your email address and display name. If you sign in via Google, X (Twitter), or Facebook, we receive the basic profile information those providers share — typically your name, email address, and profile picture — per your settings with that provider.
Game Activity
We record everything needed to run the game: your lineup selections, which players you have started (your “burns”), your weekly scores, league standings, and in-app chat messages. This is the core data that makes the game work.
Payment Information
Payments are processed entirely by Stripe. We never see or store your full card number, bank account details, or CVV. We do store your subscription tier (Free, Individual Pro, or League Pro) and status so we can gate features appropriately.
Usage and Technical Data
We collect standard server logs (IP address, browser/device type, pages visited, timestamps) and error reports through our monitoring tools. On mobile, we also collect your device type, operating system version, and — if you grant permission — a push notification token.
Communications
If you email us or submit a support request, we retain that correspondence to resolve your issue and improve the Service.
2. How We Use Your Information
- ▪Operate the Service: run the game, track burns, calculate scores, manage leagues, and enforce rules.
- ▪Transactional communications: account confirmation, lineup lock reminders, weekly score summaries, billing receipts, and security alerts.
- ▪Push notifications (mobile): lineup reminders before kickoff, score updates during game days, and league activity alerts. You can opt out at any time in your device settings.
- ▪Marketing email: product updates, new feature announcements, and seasonal previews — only if you have opted in. Every marketing email includes a one-click unsubscribe.
- ▪Error monitoring: crash reports and error logs help us identify and fix bugs quickly.
- ▪Fraud prevention and safety: detecting and preventing cheating, collusion, or abuse of the Service.
- ▪Legal compliance: meeting our obligations under applicable law, including responding to valid legal process.
We do not sell your personal information. We do not use your data to serve third-party advertisements.
3. Third-Party Services
We use the following third-party services to operate Gambit. Each has its own privacy policy governing how it handles data. Where a service processes data on our behalf, we have data processing agreements in place.
| Service | Purpose | Data Shared |
|---|---|---|
| Clerk (clerk.com) | Authentication & user management | Email, name, OAuth profile |
| Neon (neon.tech) | PostgreSQL database hosting | All app data |
| Stripe (stripe.com) | Payment processing & subscriptions | Email, payment method |
| Sleeper (sleeper.com) | NFL player & statistics data | None (we query their public API) |
| Giphy (giphy.com) | GIF search in league chat | Search queries |
| Vercel (vercel.com) | Hosting, CDN, and serverless compute | Request logs, IP addresses |
| Google Fonts (fonts.googleapis.com) | Web typography | IP address, browser info |
| Resend (resend.com) | Transactional email delivery | Email address, email content |
| EmailOctopus (emailoctopus.com) | Marketing email (opt-in only) | Email address, name |
| Sentry (sentry.io) | Error monitoring & crash reporting | Error context, anonymized device info |
| Google (via Clerk) | OAuth sign-in option | Basic profile (if you choose Google sign-in) |
| X / Twitter (via Clerk) | OAuth sign-in option | Basic profile (if you choose X sign-in) |
| Meta / Facebook (via Clerk) | OAuth sign-in option | Basic profile (if you choose Facebook sign-in) |
| Apple APNs | iOS push notifications (mobile app) | Device push token |
| Google Firebase / FCM | Android push notifications (mobile app) | Device push token |
4. Push Notifications
The Gambit mobile app may send push notifications for lineup lock countdowns, score updates, and league activity. To do this, we share a device-specific push token with Apple (APNs) for iOS devices and Google Firebase (FCM) for Android devices. These tokens are pseudonymous identifiers that do not contain your personal information.
You can revoke push notification permission at any time in your device's notification settings. You can also manage notification preferences inside the app.
5. Cookies and Local Storage
We use session cookies set by Clerk to keep you logged in. We do not use advertising cookies or cross-site tracking. Google Fonts may set a short-lived cache cookie.
On the web, we use browser local storage to remember your waitlist email before you create a full account. No personal data is stored in local storage after account creation.
6. Data Retention
- ▪Active accounts: we retain your data for as long as your account is active.
- ▪Deleted accounts: we delete personal data within 30 days of a verified deletion request. Game history (scores, standings) may be retained in anonymized, aggregate form.
- ▪Payment records: retained for 7 years as required by law.
- ▪Chat messages:retained for the duration of the season, then purged at the conclusion of each league's season.
7. Your Rights
Regardless of where you live, you can contact us at legal@gambitfantasy.app to:
- ▪Request a copy of the personal data we hold about you
- ▪Correct inaccurate personal data
- ▪Delete your account and associated personal data
- ▪Opt out of marketing email
California residents (CCPA/CPRA):you have the right to know what personal information we collect and how we use it, to delete your information, and to opt out of the “sale” or “sharing” of your personal information. We do not sell or share your personal information with third parties for advertising purposes.
8. Children's Privacy
The Service is intended for users 13 and older. We do not knowingly collect personal information from children under 13. If we become aware that we have done so, we will delete that information promptly. Contact us at legal@gambitfantasy.app if you believe we have collected data from a child under 13.
9. Data Security
We use industry-standard security practices: data encrypted in transit (TLS), encrypted at rest in our database, access controls limiting who can view production data, and regular security reviews. No system is perfectly secure; if you discover a security issue, please report it to legal@gambitfantasy.app.
10. Changes to This Policy
We'll post updates here and update the “Last updated” date at the top. For material changes, we'll send an email to active users at least 14 days before the change takes effect. Continuing to use Gambit after the effective date means you accept the updated policy.