Privacy Policy
Last updated: 28 March 2026

This Privacy Policy describes how Debasis Kar ("I", "me", "the operator") collects, uses, and protects information when you use Poor Fantasy League ("PFL", "the service") at fantasy.kars.work and its sub-domains.

By using the service, you agree to the collection and use of information as described in this policy. This policy applies only to activities on this website and not to information collected offline or through other channels.
Disclaimer
This website is an unofficial fan project. All team names are used for informational purposes only. We are not affiliated with any official sports organisation or league.
1. Data Controller
The data controller responsible for your personal data is Debasis Kar, Berlin, Germany. Contact details are available in the Impressum.
2. Information I Collect
Account data
When you register, I collect your chosen username, a hashed version of your PIN, and your email address. The email address is used solely for account security — specifically to allow you to reset your PIN without contacting an administrator. No real name, phone number, or payment information is required or stored.

Prediction data
Your match predictions and associated scores are stored to operate the fantasy league and display leaderboards.

Server log files
My hosting provider automatically records standard access logs, which may include anonymised IP addresses, browser type, operating system, referring pages, and date/time stamps. This data is used solely for server administration and security monitoring and is not linked to any personal identity.

Audit log (IP address at login and registration)
When you register or log in, your IPv4 address is recorded in an internal audit log alongside your username and a timestamp. This is used solely for security purposes — to detect unauthorised access, investigate incidents, and protect accounts. This data is not shared with third parties and is not used for tracking or profiling.

Cookies and session data
I use the following strictly necessary and preference cookies. No tracking or advertising cookies are set without your explicit consent:

Cookie, purpose and lifetime:

  • PHPSESSID – Purpose: Session authentication — keeps you logged in during a browser session. Lifetime: Until browser closes.
  • pfl_remember – Purpose: Persistent login — set only when you tick "Keep me signed in" at login. Contains an anonymous rotating token; no personal data is stored in the cookie. Deleted immediately on logout. Lifetime: 30 days.
  • theme – Purpose: Remembers your dark/light mode preference. Lifetime: 1 year.
You can end your session and clear the persistent login token at any time by clicking Logout. For details on managing or deleting cookies in your browser, visit 2gdpr.com/cookies.
3. How I Use Your Information
I use the information collected to:

  • Operate and maintain the fantasy league service.
  • Display your predictions and scores on the leaderboard.
  • Authenticate your login and protect your account.
  • Send you a new PIN by email if you use the "Forgot PIN" feature.
  • Analyse aggregate usage patterns to improve the website.
  • Detect and prevent fraud, abuse, or security incidents.
Your email address is used only for PIN recovery. I will never send you marketing emails, newsletters, or share your email with third parties. I do not sell, rent, or share your personal data with third parties for marketing purposes.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area, I process personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR) – processing your account and prediction data is necessary to provide the service you registered for.
  • Contract performance (Art. 6(1)(b) GDPR) – your email address is collected to enable account recovery (PIN reset), which is a core function of the service you registered for.
  • Legitimate interests (Art. 6(1)(f) GDPR) – server log analysis and security measures are carried out to protect the integrity of the service.
  • Consent (Art. 6(1)(a) GDPR) – where applicable, for optional analytics such as Google Analytics (see below).
5. Google Analytics
This website uses Google Analytics, a web analytics service provided by Google LLC. Google Analytics uses cookies to analyse how visitors use the site. The information generated (including an anonymised version of your IP address) is transmitted to and stored by Google on servers in the United States.

IP anonymisation is enabled on this website, meaning your IP address is truncated within EU/EEA member states before transmission. Google may transfer this information to third parties where required by law or where such third parties process the data on Google's behalf.

Analytics cookies are only set after you have given explicit consent via the cookie banner displayed on your first visit. You may withdraw consent at any time by clearing cookies and declining the banner on your next visit. You may also permanently opt out by installing the Google Analytics Opt-out Browser Add-on. The legal basis for this processing is your consent (Art. 6(1)(a) GDPR).
6. Cloudflare Turnstile
To protect the website from automated bots and spam, I use Cloudflare Turnstile provided by Cloudflare, Inc. Unlike traditional CAPTCHAs, Turnstile does not use tracking cookies or collect personal data to build user profiles. It analyses non-identifying technical signals to verify that interactions are human.

Processing is based on my legitimate interest in securing the service (Art. 6(1)(f) GDPR). For more information, see the Cloudflare Privacy Policy.
7. Email Delivery (Brevo)
Transactional emails (PIN reset emails) are sent via Brevo (formerly Sendinblue), operated by Brevo SAS, 7 rue de Madrid, 75008 Paris, France. When a PIN reset email is sent, your email address and name are transmitted to Brevo's servers solely for the purpose of delivering that email. Brevo acts as a data processor on my behalf and is contractually bound to process your data only as instructed. For more information, see the Brevo Privacy Policy. The legal basis for this processing is contract performance (Art. 6(1)(b) GDPR).
9. Data Retention
Account and prediction data (including your email address) is retained for as long as the service is active or until you request deletion. Server log files are retained for a maximum of 30 days for security purposes and then deleted or anonymised. Audit log entries, including IP addresses recorded at login and registration, are retained for as long as the service is active or until you request deletion.
10. Data Security
I take appropriate technical measures to protect your data against unauthorised access, including password hashing, HTTPS encryption in transit, and CSRF protection on all forms. However, no method of transmission over the internet is 100% secure, and I cannot guarantee absolute security.
11. Your Rights (GDPR)
If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Right of access – You may request a copy of the personal data I hold about you.
  • Right to rectification – You may request correction of inaccurate or incomplete data.
  • Right to erasure – You may request deletion of your personal data ("right to be forgotten"), subject to certain conditions.
  • Right to restrict processing – You may request that I limit the processing of your data under certain circumstances.
  • Right to data portability – You may request your data in a structured, machine-readable format.
  • Right to object – You may object to processing based on legitimate interests.
  • Right to withdraw consent – Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact me using the details in the Impressum. I will respond within one month. You also have the right to lodge a complaint with the competent data protection supervisory authority (in Germany: the Berliner Beauftragte für Datenschutz und Informationsfreiheit).
12. CCPA Rights (California Residents)
Under the California Consumer Privacy Act (CCPA), California residents have the right to:

  • Know what personal data has been collected and how it is used.
  • Request deletion of personal data collected about them.
  • Opt out of the sale of personal data (note: I do not sell personal data).
To exercise these rights, contact me via the details in the Impressum.
13. Children's Privacy and Age of Consent
This service requires users to be at least 16 years old to register. This minimum age reflects the age of digital consent under Art. 8 GDPR as applied in Germany (§ 13 para. 1 TTDSG). Users must explicitly confirm their age and agreement to these policies during registration.

I do not knowingly collect personal information from anyone under the age of 16. If you believe a minor under 16 has provided personal data through this service, please contact me immediately using the details in the Impressum and I will take steps to delete that information promptly.
14. Third-Party Services
This website may contain links to or embed functionality from third-party services (e.g. football/cricket data APIs). This Privacy Policy does not apply to those services. I encourage you to review the privacy policies of any third-party services you interact with.
15. Changes to This Policy
This Privacy Policy may be updated from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of the service after an update constitutes acceptance of the revised policy.
16. Contact
For any questions or requests regarding this Privacy Policy, please use the contact details provided in the Impressum.