What is MyFPL Mini-League?

MyFPL Mini-League is a companion app for Fantasy Premier League that tracks your performance, standings, and insights across all your FPL mini-leagues. It focuses on your private leagues — not the global game.

How does MyFPL Mini-League work?

Sign up with your email or Google account, connect your FPL team ID, and MyFPL automatically discovers your mini-leagues. You get personalised standings, gameweek insights, decision breakdowns, and bragging rights — updated every gameweek.

Is MyFPL Mini-League free to use?

Yes, MyFPL Mini-League is completely free. There are no premium tiers or hidden fees.

Do I need to share my FPL password?

No. MyFPL only needs your FPL team ID, which is a public number visible in your FPL URL. We never ask for your FPL email or password.

Is my FPL data safe with MyFPL Mini-League?

Yes. MyFPL Mini-League only reads data from the official FPL public API — the same data anyone can see by visiting your FPL profile. We never sell your data. We share it only with the trusted services we need to run the platform, as described in our Privacy Policy.

Which FPL leagues does MyFPL Mini-League support?

MyFPL Mini-League supports classic mini-leagues with up to 100 members. As long as your league is a private classic league set up through the official FPL platform, it will be automatically discovered when you connect your team ID.

How many FPL leagues can I track?

All of them. MyFPL Mini-League automatically pulls in every eligible mini-league linked to your FPL team ID — there is no cap on the number of leagues you can view.

What insights does MyFPL Mini-League provide?

MyFPL provides captain choice analysis, bench point comparisons, transfer impact tracking, chip usage breakdowns, and league-level rankings — all relative to your mini-league rivals, not the millions of global FPL managers.

How quickly is data updated after a gameweek?

Stats and standings are updated after the final match of each gameweek. We pull from the official FPL API, so updates follow FPL’s own data release schedule — typically within a few hours of the last whistle.

Does MyFPL Mini-League work for managers outside the UK?

Yes. MyFPL Mini-League works for any FPL manager worldwide. All you need is a valid FPL team ID.

Privacy Policy

My FPL Mini League
Website: myfplminileague.com

Effective Date: 17 April 2026
Last Updated: 17 April 2026
Version: 1.0

Data Fiduciary / Data Controller Information

This platform is operated by:

Saurabh Sarin, Shitij Gupta, and Shashwat Nandan, operating as My FPL Mini-League
JP Nagar, Bengaluru - 560078, Karnataka, India
Email: [email protected]

Saurabh Sarin, Shitij Gupta, and Shashwat Nandan are the Data Fiduciaries (as defined under the Digital Personal Data Protection Act, 2023) and Data Controllers (as defined under the General Data Protection Regulation) for the personal data processed through this platform.

1. Introduction

This Privacy Policy explains how Saurabh Sarin, Shitij Gupta, and Shashwat Nandan, operating as My FPL Mini-League ("we," "us," or "our") collects, uses, shares, and protects your personal data when you use the My FPL Mini League platform ("Platform"), accessible at myfplminileague.com.

My FPL Mini League is a web-based platform that enables Fantasy Premier League (FPL) managers to participate in private paid mini-leagues featuring enhanced scoring, analytics, and prize distribution.

This Policy applies to all users of the Platform, regardless of location. Where specific rights or obligations differ by jurisdiction, we have identified the applicable provisions for users located in India, the European Union/European Economic Area (EU/EEA), and California (United States).

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as the legal basis for processing your personal data, we will obtain your explicit consent before collecting or processing such data.

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Identity and Authentication Data

Data	Description	How Collected
Email Address	Your email address used to create and authenticate your account	Provided by you at registration
Display Name	The name displayed to other league participants	Provided by you or derived from your FPL account
FPL Team ID	Your numeric Fantasy Premier League team identifier	Provided by you during onboarding
FPL Team Name	The name of your FPL team	Retrieved from the FPL API using your Team ID

2.2 Contact and Communication Data

Data	Description	How Collected
Phone Number	Your mobile phone number in international E.164 format	Provided by you for WhatsApp notifications
WhatsApp Opt-in Status	Whether you have opted in to receive WhatsApp notifications, including the date and time of opt-in and opt-out	Recorded when you provide or withdraw consent
Email Delivery Records	Recipient email address, email subject, delivery status, and email service provider used	Generated automatically when we send you emails
WhatsApp Message Records	Message content, delivery and read status, and per-message cost	Generated automatically when we send you WhatsApp messages

2.3 User Preferences

Data	Description	How Collected
Manager Type	Your self-identified management style (e.g., casual, competitive)	Selected by you in settings
Favourite Club	Your preferred English Premier League club	Selected by you in settings
Insights Preferences	Your preferences for analytics features and insights displayed	Selected by you in settings
Tracked Leagues	The leagues you choose to follow and monitor	Selected by you in settings

2.4 Gameplay and Performance Data

Data	Description	How Collected
Gameweek Scores and Ranks	Your per-gameweek and overall scores and rankings within leagues	Computed from data retrieved from the FPL API
Squad Data	Your current FPL squad composition	Retrieved from the FPL API
Transfer History	Your FPL player transfer records (transfers in and out)	Retrieved from the FPL API

2.5 Financial Data

Data	Description	How Collected
League Entry Fee	The entry fee for league participation (currently INR 3,000)	Set by the league administrator; recorded upon your entry
Prize Tier Rules	The prize distribution structure for each league	Configured per league
Prize Payment Records	Records of prize amounts, recipients, and payment status	Recorded upon prize distribution

Note: We do not directly collect or store your payment card details, bank account information, or UPI credentials. Payment transactions are arranged by the league administrator outside the Platform. We record only the outcome (whether a prize was awarded and the amount).

2.6 Analytics and Usage Data

Data	Description	How Collected
Usage Events	Over 30 types of events including page views, button clicks, feature interactions, and navigation patterns	Collected automatically via Google Analytics 4 (GA4)
Masked Email	A masked version of your email address (e.g., a***@gmail.com) included in login events	Sent as a parameter with login events to GA4
Device Information	Your device type (desktop, mobile, tablet)	Collected automatically via GA4
Referrer URL	The website or link that directed you to the Platform	Collected automatically via GA4

2.7 Cookies and Browser Storage

Essential Cookies (First-Party):

Cookie	Purpose	Duration	Type
sb-*-auth-token	Authentication session management	Session	httpOnly, Secure
sb-*-auth-token-code-verifier	Secure authentication flow (PKCE)	Session	httpOnly, Secure
preview_access	Beta/preview feature access control	24 hours	httpOnly, Secure

Analytics Cookies (Third-Party — Google Analytics 4):

Cookie	Purpose	Duration
_ga	Distinguishes unique visitors	2 years
_ga_<container-id>	Maintains session state for analytics	2 years

Local Storage (Browser):

Key	Purpose	Contains Personal Data?
hasVisited	Detects first-time visitors	No
loginMethod	Remembers your chosen authentication method	No
loginStartTime	Measures login flow duration	No
loginIsNewUser	Distinguishes new from returning users	No
userEmail	Caches your email address for display purposes	Yes
dev-phase-override	Development feature flag	No
CACHE_CLEANUP_KEY	Manages browser cache cleanup	No

Session Storage (Browser):

Key	Purpose	Contains Personal Data?
navSequenceNumber	Tracks navigation sequence within your session	No

For more information about cookies and how to manage them, please see Section 10: Cookies and Similar Technologies.

3. Purposes of Processing

We process your personal data for the following purposes:

#	Purpose	Data Used
1	Account Creation and Authentication	Email address, FPL Team ID, FPL Team Name
2	League Participation and Scoring	Display name, gameplay data (scores, ranks, squads, transfers)
3	Prize Calculation and Distribution	Gameplay scores and ranks, financial data (entry fees, prize tiers, payment records)
4	WhatsApp Notifications	Phone number, WhatsApp opt-in status, message content and delivery records
5	Email Communications	Email address, email delivery records
6	Platform Analytics and Improvement	GA4 usage events, device information, referrer, analytics cookies
7	Personalization	User preferences (manager type, favourite club, insights, tracked leagues)
8	Public Leaderboard and Winner Disclosure	Display name, FPL Team ID, gameweek scores, league ranks, prize amounts
9	Platform Security and Abuse Prevention	Authentication tokens, rate limiting data
10	Legal and Regulatory Compliance	All data as required by applicable law

Important Notice — Public Leaderboard

Your gameplay results, including your display name, FPL Team ID, scores, league ranks, and prize amounts, may be published in a publicly accessible file hosted at adigunners.github.io. This information is accessible to anyone on the internet.

We will obtain your explicit consent before including your data in this public leaderboard. You may request removal at any time by contacting us at [email protected].

4. Legal Basis for Processing

4.1 For Users in India (DPDPA, 2023)

We process your personal data on the following legal bases under the DPDPA:

Consent (Section 6): We obtain your free, specific, informed, and unambiguous consent before collecting your personal data. You provide this consent when you create an account and at specific points during your use of the Platform (e.g., opting in to WhatsApp notifications, consenting to public leaderboard disclosure).
Certain Legitimate Uses (Section 7): In limited circumstances, we process data without consent where permitted — for example, to comply with legal obligations or to respond to a medical emergency.

You have the right to withdraw your consent at any time. See Section 14: Consent Withdrawal.

4.2 For Users in the EU/EEA (GDPR)

Legal Basis	Purposes
Consent (Art. 6(1)(a))	WhatsApp notifications, marketing emails, public leaderboard disclosure, analytics cookies, user preferences
Performance of Contract (Art. 6(1)(b))	Account creation, league participation, scoring, prize calculation and distribution, transactional emails
Legitimate Interests (Art. 6(1)(f))	Platform security and abuse prevention, basic analytics for service improvement, transactional email delivery

Where we rely on legitimate interests, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests.

4.3 For Users in California, United States (CCPA/CPRA)

We do NOT sell your personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.
We do NOT share your personal information for cross-context behavioral advertising.
You have the right to opt out of any future sale of personal information should our practices change.

5. Data Sharing and Third Parties

We share your personal data with the following third-party service providers, solely for the purposes described below. We do not sell your personal data to any third party.

5.1 Service Providers

Service	Provider	Data Shared	Server Location	Purpose
Supabase	Supabase Inc.	All user data (database, authentication, storage)	United States / Singapore	Backend infrastructure
Google Analytics 4	Google LLC	Usage events, masked email, device type, referrer, anonymized IP	United States	Platform analytics
Resend	Resend Inc.	Recipient email, email subject, email content	United States	Primary email delivery
SendGrid (SMTP)	Twilio Inc.	Recipient email, email content	United States	Fallback email delivery
WhatsApp Cloud API	Meta Platforms Inc.	Phone number, message content, delivery status	United States	WhatsApp notification delivery
Google Fonts	Google LLC	IP address, user agent string	United States	Web font delivery
Twemoji / jsDelivr	jsDelivr (Prospect One)	IP address, user agent string	Global CDN	Emoji rendering
FPL API	Premier League / ISM Games	FPL Team IDs (read-only access)	United Kingdom	Retrieval of gameplay data
Mailtrap	Railsware Products Inc.	Email content (testing environment only)	European Union	Email testing in development

5.2 Public Data Disclosure — GitHub Pages

Important: We publish certain league performance data in a publicly accessible file hosted on GitHub Pages (provided by GitHub / Microsoft Corporation, United States) at the URL adigunners.github.io.

The following personal data is included and is available to anyone on the internet: your display name (which may include your real name), your FPL Team ID, your gameweek and overall scores, your league ranking, and your prize amounts (in INR).

This data is published for the purpose of public leaderboard visibility and league transparency. We will obtain your explicit consent before including your data in this file. You may request removal at any time.

5.3 Other Disclosures

We may also disclose your personal data:

To comply with applicable law, regulation, legal process, or governmental request.
To enforce our terms of service or other agreements.
To protect the rights, property, or safety of Saurabh Sarin, Shitij Gupta, and Shashwat Nandan, operating as My FPL Mini-League, our users, or others.
In connection with a merger, acquisition, or sale of assets, in which case you will be notified.

6. International Data Transfers

Your personal data may be transferred to and processed in countries other than the country in which you reside.

Destination	Services	Data Transferred
United States	Supabase, Google Analytics, Resend, SendGrid, WhatsApp Cloud API, Google Fonts, GitHub Pages	All categories of personal data as described in Section 2
Singapore	Supabase (AWS infrastructure)	Database records
United Kingdom	FPL API	FPL Team IDs (read-only)
Global CDN	jsDelivr / Twemoji	IP address only

6.1 For Users in India

Under Section 16 of the DPDPA, 2023, the transfer of personal data outside India is permitted except to countries specifically restricted by the Central Government through notification. As of the effective date of this Policy, no such restrictions have been notified. We will update this Policy if any restrictions are imposed that affect the transfers listed above.

6.2 For Users in the EU/EEA

Where we transfer your personal data outside the EU/EEA to countries that have not received an adequacy decision from the European Commission, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework (DPF) certification, and Transfer Impact Assessments (TIAs).

You may request a copy of the applicable safeguards by contacting us at [email protected].

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.

Data Category	Retention Period	Basis
Account data (email, display name, FPL Team ID, FPL Team Name)	Duration of your account + 90 days after deletion	Service provision; grace period for recovery and legal holds
Phone number and WhatsApp opt-in	Until opt-out or account deletion. Phone number deleted 30 days after opt-out.	Communication purpose ceases upon opt-out
Gameplay data (scores, ranks, squads, transfers)	Duration of your account + 1 FPL season (~10 months) after deletion	League integrity; dispute resolution
Financial records (entry fees, prize tiers, payment records)	8 years from the date of the transaction	Indian tax and accounting law
Email delivery logs	1 year from the date the email was sent	Delivery monitoring and troubleshooting
WhatsApp message logs	1 year from the date the message was sent	Delivery monitoring and troubleshooting
User preferences	Duration of your account	Personalization; deleted on account deletion
GA4 analytics data	14 months	Google Analytics default retention period
Authentication cookies	Session duration (or 24 hours for preview_access)	Authentication; automatically expire
GA4 analytics cookies	2 years	Set and managed by Google Analytics
Public leaderboard data (GitHub Pages)	Published until removal is requested	Public leaderboard visibility; you may request removal at any time

Upon expiration of the applicable retention period, we will securely delete or anonymize your personal data, unless further retention is required by law.

8. Your Rights

Depending on your location, you have the following rights regarding your personal data:

8.1 Rights Under Indian Law (DPDPA, 2023)

Right	Description	DPDPA Section
Right to Information	You may request a summary of the personal data we process about you and the processing activities undertaken.	Section 11(a)
Right to Correction and Erasure	You may request that we correct inaccurate or incomplete personal data, or erase personal data that is no longer necessary.	Section 11(b)
Right to Grievance Redressal	You may lodge a complaint with our Grievance Officer. If not resolved satisfactorily, you may approach the Data Protection Board of India.	Section 12
Right to Nominate	You may nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.	Section 14

8.2 Rights Under EU/EEA Law (GDPR)

Right	Description	GDPR Article
Right of Access	Obtain a copy of your personal data and information about how it is processed.	Article 15
Right to Rectification	Correct inaccurate or incomplete personal data.	Article 16
Right to Erasure	Request deletion of your personal data ("right to be forgotten").	Article 17
Right to Restriction	Request that processing of your data be restricted while a dispute is resolved.	Article 18
Right to Data Portability	Receive your personal data in a structured, commonly used, machine-readable format (JSON).	Article 20
Right to Object	Object to processing based on legitimate interests or for direct marketing purposes.	Article 21
Rights Related to Automated Decision-Making	Not be subject to decisions based solely on automated processing. Note: The Platform does not engage in such automated decision-making.	Article 22

8.3 Rights Under California Law (CCPA/CPRA)

Right	Description
Right to Know	Request disclosure of the categories and specific pieces of personal information collected, the sources, the business purposes, and the categories of third parties with whom it is shared.
Right to Delete	Request deletion of your personal information.
Right to Correct	Request correction of inaccurate personal information.
Right to Opt-Out of Sale	Opt out of the sale of your personal information. We do not sell your personal information.
Right to Non-Discrimination	We will not discriminate against you for exercising any of your rights.

8.4 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at [email protected]. When submitting a request, please provide sufficient information to verify your identity. We may request additional verification before processing your request.

Jurisdiction	Initial Response	Maximum Resolution
India (DPDPA)	Acknowledgment within 72 hours	Resolution within 30 days
EU/EEA (GDPR)	Within 1 month	Extendable by 2 additional months for complex requests
California (CCPA)	Within 45 days	Extendable by an additional 45 days

All requests will be processed free of charge, unless requests are manifestly unfounded or excessive, in which case a reasonable fee may be charged.

8.5 Right to Lodge a Complaint

If you are not satisfied with our response, you may lodge a complaint with the applicable supervisory authority:

India: Data Protection Board of India (once constituted and operational under the DPDPA, 2023)
EU/EEA: Your local Data Protection Authority
California: Office of the California Attorney General

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Measure	Description
Row Level Security (RLS)	Database-level security policies ensure that each user can only access their own data.
httpOnly Secure Cookies	Authentication tokens are stored in httpOnly cookies, preventing access by client-side scripts and mitigating XSS attacks.
PKCE Authentication Flow	We use Proof Key for Code Exchange (PKCE) in our OAuth and magic link authentication flows to prevent authorization code interception attacks.
No PII in Server Logs	Personal data such as email addresses and phone numbers is not written to application server logs.
HMAC-SHA256 Webhook Verification	Incoming webhooks from third-party services are verified using HMAC-SHA256 cryptographic signatures.
Rate Limiting	API endpoints are rate-limited to prevent brute-force attacks and abuse.
Encryption in Transit	All data transmitted between your browser and our servers is encrypted using HTTPS with TLS 1.2 or higher.
Encryption at Rest	Database records are encrypted at rest using AES-256 encryption via our infrastructure provider (AWS).
Access Control	Database and infrastructure access is restricted to authorized personnel only.

While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal data.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, you, in accordance with applicable law.

10. Cookies and Similar Technologies

10.1 What Are Cookies?

Cookies are small text files placed on your device by websites you visit. We also use browser local storage and session storage, which serve similar purposes.

10.2 Cookies We Use

Essential Cookies — These cookies are strictly necessary for the Platform to function and cannot be disabled.

Cookie	Purpose	Duration
sb-*-auth-token	Maintains your authenticated session	Session
sb-*-auth-token-code-verifier	Secures the authentication flow (PKCE)	Session
preview_access	Controls access to beta/preview features	24 hours

Analytics Cookies — These cookies help us understand how users interact with the Platform. They are set by Google Analytics 4.

Cookie	Purpose	Duration
_ga	Assigns a unique identifier to distinguish users	2 years
_ga_<container-id>	Maintains session state for analytics	2 years

10.3 Browser Storage

We use browser local storage and session storage for the purposes described in Section 2.7. Notably, the userEmail key in local storage contains your email address for display convenience.

10.4 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to view, delete, and block cookies. Please note that blocking essential cookies will prevent you from using the Platform, as they are required for authentication.

To opt out of Google Analytics tracking specifically, you may install the Google Analytics Opt-out Browser Add-on.

11. Children's Privacy

The Platform is not intended for individuals under the age of 18.

The Platform involves paid league participation with real-money entry fees and prize distribution. We do not knowingly collect personal data from individuals under the age of 18. We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children. By creating an account, you represent and warrant that you are at least 18 years of age.

If we become aware that we have inadvertently collected personal data from an individual under 18, we will take immediate steps to delete such data. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Material Changes: We will notify you by email and/or by displaying a prominent notice within the Platform at least 15 days before the changes take effect.
Minor Changes:We will update the "Last Updated" date at the top of this Policy.

Where we rely on consent as the legal basis for processing, and a change materially affects the scope or purpose of processing, we will seek your renewed consent before applying the change to your data.

13. Grievance Officer

In accordance with Section 13 of the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer:

Name: Shashwat Nandan

Designation:Co-founder & Grievance Officer

Email: [email protected]

Response Commitment: We will acknowledge your complaint within 72 hours of receipt and endeavor to resolve it within 30 days.

Escalation: If you are not satisfied with the resolution provided by our Grievance Officer, you may approach the Data Protection Board of India (India), your local Data Protection Authority (EU/EEA), or the Office of the California Attorney General (California, USA).

14. Consent Withdrawal

You have the right to withdraw your consent at any time. Under Section 6(6) of the DPDPA, 2023, the process for withdrawing consent is designed to be as easy as the process for giving consent.

14.1 Channel-Specific Opt-Outs

Channel	How to Withdraw	Effect	Processing Time
WhatsApp Notifications	Reply "STOP" to any WhatsApp message from us, or disable in your Platform settings	You will no longer receive WhatsApp messages. Your account remains unaffected.	Within 7 days
Marketing Emails	Click the "Unsubscribe" link in any marketing email	You will no longer receive marketing emails. Transactional emails will continue.	Within 7 days
Google Analytics Tracking	Install the Google Analytics Opt-out Add-on or manage cookies via your browser settings	We will no longer collect analytics data from your browser.	Immediate

14.2 Full Consent Withdrawal (Account Deletion)

To withdraw all consents and request deletion of your account and personal data:

Send an email to [email protected] with the subject line "Account Deletion Request."
Include the email address associated with your account.
We will verify your identity and process the request within 30 days.

Consequences of full withdrawal: Your account will be permanently deleted. All personal data will be deleted in accordance with the retention schedule in Section 7. Financial records may be retained for up to 8 years as required by law. Any active league participation will be terminated. Entry fees are non-refundable upon voluntary withdrawal. Data already published on the public leaderboard will be removed upon request.

Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal.

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected]

Grievance Officer:Shashwat Nandan, Co-founder & Grievance Officer

Grievance Email: [email protected]

Registered Address:
Saurabh Sarin, Shitij Gupta, and Shashwat Nandan, operating as My FPL Mini-League
JP Nagar, Bengaluru - 560078, Karnataka, India

Governing Law and Dispute Resolution

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Bengaluru, India, without prejudice to your right to lodge a complaint with the Data Protection Board of India or any other applicable supervisory authority.

For users in the EU/EEA, nothing in this section limits your right to bring proceedings before the courts of the EU Member State in which you reside.

This Privacy Policy was last updated on 17 April 2026.