SignalTuned, operated by Signal Tuned LLC (a Connecticut limited liability company) ("we," "us," or "the Service"), respects your privacy. This policy describes what we collect, why, how we use it, and your rights. By using the Service you agree to the practices described here. If you do not agree, please do not use the Service.
1. Information we collect
1.1 Information you provide
- Email address: required to create an account and receive magic-link sign-in emails.
- Sleeper league ID and username: required to identify your fantasy league for ranking personalization.
- Display name: optional; defaults to a derivation of your email if not provided.
1.2 Information collected automatically
- Session cookie (named ff_user_id): a strictly-necessary cookie that keeps you signed in across requests. Set with HttpOnly, Secure, and SameSite=Lax flags. Not used for tracking or advertising.
- Server logs: IP address, user-agent, request paths, timestamps. Retained for up to 30 days for security and debugging. Not shared with third parties except as required by law.
1.3 Information collected from third parties
Roster and league data is fetched from the public Sleeper API using your provided league ID. We do not access your Sleeper account credentials and do not connect via OAuth.
1.4 Information collected when you subscribe
When you upgrade to a paid Pure Signal subscription we collect: subscription tier, subscription status, billing period, the last 4 digits and brand of your payment card, and renewal / cancellation history. Full card numbers, CVVs, and complete billing addresses are processed by Stripe (see Section 3) under PCI-DSS Level 1 compliance and are never stored on our servers. Refund and dispute records are retained for accounting and tax compliance. See Section 4 for the retention period.
2. How we use information
- To authenticate you (magic-link emails sent via Resend).
- To personalize rankings to your league's exact scoring settings and your roster composition.
- To compute trade analyzer verdicts and recommendations when you request them.
- To diagnose technical issues and improve the Service.
We do not sell or rent your information. We do not use your information for advertising. We do not share your information with third parties except (a) as listed in Section 3 below, or (b) when required by law.
3. Third-party processors
- Resend (transactional email): receives your email address to deliver magic-link sign-in messages and pre-renewal subscription notices. Resend's privacy policy: https://resend.com/legal/privacy-policy.
- Clerk (identity and authentication): when you sign in via the Clerk-authenticated path, Clerk receives your email address and stores authentication session metadata. We do not transmit your fantasy league data, roster history, or subscription details to Clerk. Clerk operates under SOC 2 Type II compliance. Clerk's privacy policy: https://clerk.com/legal/privacy.
- Stripe (payment processing): processes payment card data when you subscribe to a paid plan. Stripe receives your full card number, CVV, billing zip, and email; we receive only the last 4 digits, card brand, expiration month/year, and subscription state. Stripe operates under PCI-DSS Level 1 compliance. Stripe's privacy policy: https://stripe.com/privacy.
- Railway (hosting infrastructure): operates the servers that run the Service. Railway's privacy policy: https://railway.app/legal/privacy.
- Sleeper: public API access only; we do not transmit your account information to Sleeper.
Each processor is bound by Article 28 GDPR data-processing terms or equivalent. We do not currently use any analytics or advertising vendors.
4. Data retention
- Active accounts: retained as long as you continue to sign in.
- Inactive accounts (no sign-in for 24 months): account is soft-deleted (deactivated). Personal data is retained for an additional 12 months for backup/restore purposes, then permanently deleted.
- Inactive accounts (no sign-in for 36 months): all personal data is permanently deleted, including email, league IDs, roster history, and any cached league data.
- Server logs: 30 days.
- Magic-link tokens: 15 minutes (single-use; expire automatically).
- Subscription billing records: retained for 7 years after the subscription ends, for U.S. tax and accounting compliance. This covers IRS audit windows, state-tax retention requirements, and chargeback dispute periods. After 7 years these records are deleted.
5. Your rights
5.1 Access and portability (GDPR Art. 15, 20; CCPA §1798.110)
You can request a copy of all personal data we hold about you by emailing the contact address in Section 9. We will respond within 30 days (GDPR) or 45 days (CCPA).
5.2 Correction (GDPR Art. 16)
You can update your display name by signing in. For email or league ID corrections, email us.
5.3 Deletion (GDPR Art. 17; CCPA §1798.105)
You can permanently delete your account and all associated data via DELETE /v1/users/me when signed in (requires CSRF token). Alternatively, email us with the request and we will complete the deletion within 30 days. Deletion is irreversible.
5.4 Objection / restriction (GDPR Art. 18, 21)
You can object to or restrict our processing of your data by emailing us. Note: if you object to processing required for the Service to function (e.g., session cookie, league ID), the practical outcome is account deletion.
5.5 Do Not Sell / Do Not Share (CCPA §1798.120)
We do not sell or share your personal information. There is nothing to opt out of.
5.6 Right to lodge a complaint
EU/EEA residents may lodge a complaint with their local supervisory authority. California residents may complain to the California Attorney General.
6. Security
We use HTTPS for all traffic, hash magic-link tokens, scope session cookies to the application domain, and run on infrastructure with industry-standard security practices. Payment card data is processed exclusively by Stripe (PCI-DSS Level 1 certified); we never see or store full card numbers or CVVs. No system is perfectly secure; if you discover a vulnerability please email us.
7. Children's privacy
The Service is not directed at children under 16 (or under 13 in jurisdictions where COPPA applies). We do not knowingly collect data from children. If you believe a child has provided data to the Service, email us and we will delete it.
8. International transfers
The Service is hosted in the United States. By using the Service from outside the US, you consent to your information being transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms with our processors.
9. Contact
Questions, requests, or complaints: [email protected]. Mailing address available on request.
10. Changes to this policy
We may update this policy. Material changes will be communicated via email to active accounts at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent change.