FantasyWorldCup
Back to home Legal information

Privacy Policy

Last updated: 11/06/2026

1. Data Controller

Controller: Albert Vilà
Email address: info@fantasymundial.com
Website: www.fantasymundial.com

2. Data we collect and categories

We collect the following categories of personal data:

  • Registration data: username, email address and password (stored encrypted using bcrypt).
  • Usage data: teams, transfers, scores, leagues and activity within the platform.
  • Technical data: IP address, device type, operating system and push notification token (only if the user grants explicit permission).
  • Social authentication: if you use Google login, we receive your name, email and profile photo in accordance with their privacy policy.

We do not collect special category data (health data, ethnic origin, religious beliefs, etc.) or data from users under 16. If we detect a user is under 16, we will delete their account.

3. Purpose of Processing

  • Manage your account and allow you to participate in fantasy leagues.
  • Send you game-related push notifications (only if you have given consent on your device).
  • Service improvement and aggregated usage analysis.
  • Comply with legal obligations.

We do not use your data for advertising purposes or share it with third parties for commercial purposes.

4. Legal basis for processing (art. 6 GDPR)

  • Performance of a contract (art. 6.1.b): account management, league participation and game features.
  • Consent (art. 6.1.a): push notifications and social authentication.
  • Legitimate interest (art. 6.1.f): platform security, fraud prevention and service improvement.
  • Legal obligation (art. 6.1.c): data retention when required by law.

5. Data Retention

We retain your data for as long as your account is active or necessary for the provision of the service. If you request deletion of your account, we will erase or anonymise your personal data within a maximum of 30 days, unless the law requires us to retain it for a longer period (e.g. accounting data for 5 years under tax regulations).

Push device tokens are automatically deleted when the device becomes inactive or the user revokes permission.

6. Recipients and data processors

We do not share your data with third parties for commercial purposes. We may share it with the following data processors, always under a processing agreement and GDPR guarantees:

  • Google Firebase (FCM): sending push notifications. Policy: policies.google.com/privacy
  • Google OAuth: social authentication (if used).

Where legally required, we may disclose data to competent authorities.

7. International data transfers

Google services may involve transfers outside the European Economic Area. Google adheres to the EU-U.S. Data Privacy Framework and the Standard Contractual Clauses approved by the European Commission, ensuring a level of protection equivalent to the GDPR.

8. Your rights (arts. 15–22 GDPR)

As a user you have the following rights:

  • Access: obtain confirmation of whether we process your data and a copy of it.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request erasure when no longer necessary or when you withdraw consent.
  • Objection: object to processing based on legitimate interest.
  • Restriction of processing: request that we restrict processing in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format (e.g. JSON or CSV).
  • Withdrawal of consent: at any time, without affecting the lawfulness of prior processing.

To exercise these rights, send an email to info@fantasymundial.com with the subject "GDPR Rights", stating your username. We will respond within a maximum of one month (extendable by two further months in complex cases, with prior notification).

You also have the right to lodge a complaint with the supervisory authority. In Spain: Agencia Spanisha de Protección de Datosaepd.es.

9. Data security

We apply appropriate technical and organisational measures in accordance with art. 32 GDPR:

  • Passwords stored using bcrypt hashing (never in plain text).
  • Communications encrypted via HTTPS/TLS.
  • Database access restricted by credentials and firewall.
  • Administration panel protected and separated from the public area.
  • API keys and tokens stored outside the public server directory.

In the event of a security breach posing a high risk to your rights, we will notify you without undue delay in accordance with art. 34 GDPR.

10. Cookies

This platform uses first-party technical and functional cookies. You can consult our Cookie Policy for more information.

11. Automated decisions and profiling

We do not make automated decisions with significant legal effects on users, nor do we carry out profiling within the meaning of art. 22 GDPR.

12. Changes to this policy

We may update this policy when necessary. We will notify you of relevant changes through the platform and/or by email at least 15 days in advance. Continued use of the service after changes take effect implies acceptance.

13. Contact

For any questions about this policy or the processing of your data:
Email address: info@fantasymundial.com