Hometown Hero Fantasy
Privacy Policy

Last updated: May 1, 2026

This policy explains what data Hometown Hero Fantasy ("HHF", "we", "our") collects when you use our web app (hhf-api.fly.dev and its frontend) or our iOS/Android mobile app (bundle/package id com.hhf.app), and how we use it. It is written to be read, not to hide behind legalese.

1. WHAT WE COLLECT

Account Data (when you create an account)

  • Email address (required)

  • First and last name (optional)

  • A hashed version of your password (argon2id) — we never store or see the plaintext

  • An authentication token (JWT) stored on your device so you stay signed in. Web uses localStorage; mobile uses the OS secure keychain.

Product Usage Data (while you use the app)

  • Signals you mark to watch, with timestamps

  • Reactions you add to signals (Compelling / Worth Noting / Skeptical)

  • Which signals you've reviewed after the game finishes

  • Your preferred display language (English or Portuguese)

Push Notification Data (mobile only, optional)

  • An Expo push token issued by your device's OS

  • The platform your token came from (iOS or Android)

We ask for notification permission on the mobile app. If you decline, everything still works — you just won't get reminders.

Technical Data (normal server-side logging)

  • API request logs containing your signed-in user ID, the GraphQL operation name, response time, and any error messages. We do not log your email, password, name, or auth token.

  • Rate-limit counters and a failed-sign-in counter on your account

  • Admin audit-log entries (administrator's IP address and browser user-agent — not yours) when an HHF administrator views or modifies your account

  • Standard web server access logs retained for ≤30 days

What We Do NOT Collect

  • Precise location data. Player signals use published birthplaces from Wikidata, not your location. The app does not access GPS or location services.

  • Payment information. The app is currently free.

  • Third-party analytics. No Google Analytics, Mixpanel, Amplitude, Segment, Sentry, PostHog, Firebase Analytics, or similar.

  • Cross-site trackers or advertising identifiers. We do not access the IDFA / IDFV / GAID.

  • Personal device data. No social media contacts, address book, photos, microphone, camera, health data, or HomeKit data.

2. hOW WE USE YOUR DATA

  • To sign you in and keep you signed in

  • To show you the signals, games, and players you're tracking

  • To send push notifications you opted into (game starting, game ending — never marketing)

  • To detect brute-force sign-in attempts: after 10 consecutive failed attempts, the account is locked for 24 hours (per account, not per device or IP)

  • To fix bugs by reviewing error logs

We do not sell your data. We do not share it with advertisers. We do not build advertising profiles.

3. WHAT’S PUBLIC IN THE APP

Public team, game, and player data comes from ESPN's public scoreboard endpoints. Weather and venue enrichment comes from Open-Meteo and Wikidata. None of this is personal to you — it's sports reference data.

4. tRACKING – APP TRACKING TRANSPARENCY

Apple's App Tracking Transparency (ATT) framework requires apps to ask your permission before tracking you across other companies' apps and websites.

We do not track you. We do not use the IDFA or any advertising identifier, fingerprint your device, share your activity with data brokers or ad networks, or link your activity to identities held by other companies. Because we have nothing to ask permission for, the HHF mobile app does not show the ATT prompt.

5. RETENTION

  • Account data: kept while your account is active. Soft-deleted immediately on account deletion; hard-deleted within 30 days. Encrypted backups age out within 60 days after that.

  • Watches and reactions: removed individually when you remove them in the app; removed in bulk on account deletion.

  • Push tokens: cleared when you sign out, or automatically when Apple/Google tells our server the token is no longer valid.

  • Audit log entries (admin actions only): retained for 2 years, then deleted.

  • Server logs: rotated after 30 days.

6. YOUR RIGHTS

  • Access / Export: Use the "Download my data" button in Account settings for a JSON export, or email privacy@hometownherofantasy.com.

  • Correct: Edit any field in your account settings.

  • Delete: Use Account → Delete account. Soft-deletion is immediate; hard-deletion within 30 days. Email privacy@hometownherofantasy.com if you can't access the app.

  • Withdraw push consent: Via your device OS notification settings, or by signing out.

European users have rights under GDPR; Californian users have rights under CCPA, including the right not to be discriminated against for exercising those rights. Email us to exercise any of them and we'll respond within 30 days.

7. CHILDREN

HHF is not directed at children under 13, does not knowingly collect data from children under 13, and does not target advertising at any user (we don't run ads at all). If you believe a child under 13 has created an account, email privacy@hometownherofantasy.com and we will delete the account and any associated data promptly.

8. SECURITY

  • Passwords hashed with argon2id (never stored, transmitted, or logged in plaintext). Legacy bcrypt accounts are re-hashed on next successful sign-in.

  • Auth tokens are 7-day signed JWTs. The signing secret can be rotated to invalidate all sessions instantly.

  • Mobile auth tokens stored in the OS keychain (iOS) or encrypted shared preferences (Android) via Expo Secure Store. Web auth tokens stored in localStorage.

  • TLS enforced on all API endpoints (HTTPS-only; HTTP redirected).

  • Database storage and backups encrypted at rest by our hosting provider.

  • After 10 consecutive failed sign-in attempts the account is locked for 24 hours.

No system is perfect. If you find a vulnerability, email security@hometownherofantasy.com — we'll respond within 72 hours and won't pursue you for good-faith responsible disclosure.

9. THIRD-PARTY SERVICES WE RELY ON

These services see some data in the course of running the app. Each has its own privacy policy governing what they do with data they see.

  • Fly.io — hosts the HHF backend API, PostgreSQL database, and Redis instance. Sees API request metadata and stores all persistent user data on our behalf.

  • Apple Push Notification service (APNs) / Google Firebase Cloud Messaging (FCM) — push notification relays. See push tokens and notification payloads (game name, start/end notice).

  • Expo Application Services (EAS) / Expo Push — used to build the mobile app and relay push notifications to APNs/FCM. Sees push tokens and notification payloads. We do not use Expo Analytics.

  • ESPN, Open-Meteo, Wikidata — public sports, weather, and reference data sources. We send only game IDs, dates, and lat/lng of public stadiums. These services do not receive any user data.

 We do not use Google Analytics, Facebook SDK, AdMob, Firebase Analytics, Crashlytics, Sentry, Mixpanel, Amplitude, Segment, PostHog, LogRocket, FullStory, or any similar SDK. We do not embed any third-party trackers in the web frontend.

10. CHANGES TO THIS POLICY

We'll update this page when something material changes (e.g. a new third-party service, a new category of data, a new permission). The "Last updated" date at the top always reflects the current version. Material changes will be announced in-app on next sign-in.

11. cONTACT

General / privacy requests: privacy@hometownherofantasy.com

Security issues: security@hometownherofantasy.com

Postal address available on request.