Privacy Policy

Last updated: April 5, 2026

1. Introduction

Unstructured Ventures, LLC (“Pennant Games”, “we”, “us”, “our”) operates the pennantgames.com website and related services (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

2. Information We Collect

2.1 Information You Provide

  • Account registration: Email address when you create an account (via magic link or password). If you set a password, we hash it using industry-standard algorithms and never store it in plaintext.
  • Profile information: Username, display preferences, and any optional profile details you choose to provide.
  • Game content: Team names, player display names, league configurations, trade proposals, draft selections, coaching settings, and feedback messages.
  • Wallet addresses: If you choose to connect an Ethereum wallet, we store the public wallet address (not private keys, seed phrases, or passwords).
  • Communications: Any messages or feedback you send us through the in-app feedback form or directly.

2.2 Information Collected Automatically

  • Log data: IP address, browser type and version, operating system, referring URL, pages visited, time and date of access.
  • Device information: Device type, screen resolution, and unique device identifiers.
  • Cookies and similar technologies: Session cookies for authentication and preference cookies for theme settings. See Section 9 for details.

2.3 Information from Third Parties

  • Authentication providers: If we enable third-party sign-in in the future, we may receive your name, email, and profile picture from the provider.
  • Blockchain data: Publicly available Ethereum blockchain data to verify wallet ownership and legacy player claims.
  • NBA statistics: Publicly available NBA player statistics and box scores for fantasy league scoring. This data is about professional athletes, not our users.

3. How We Use Your Information

  • Provide the Service: Create and manage your account, operate game features (leagues, exhibitions, trades, drafts, fantasy scoring), display leaderboards and statistics.
  • Personalization: Remember your preferences (theme, saved lineups), display your claimed legacy players.
  • AI features: When you use “Ask AI” or enable AI GM management, your team roster and league context are sent to our AI provider to generate recommendations. See Section 8 for details.
  • Communication: Send account-related emails (verification, magic link sign-in, password reset, important updates). We will not send marketing emails without your consent.
  • Security: Detect and prevent fraud, abuse, unauthorized access, and violations of our Terms of Service.
  • Improvement: Analyze usage patterns in aggregate to improve the Service, fix bugs, and develop new features.
  • Legal compliance: Comply with applicable laws, regulations, and legal processes.

4. Guest Access

We offer limited guest access to certain features (such as exhibition games) via access codes. Guest sessions are stored in your browser's local storage — we do not create an account or store personal information for guest users. Guest access is anonymous: we may log the IP address for rate limiting and security purposes, but we do not associate it with any identity.

Guest users cannot save lineups, join leagues, or access AI features. To access the full Service, you must create an account.

If you are in the European Economic Area (EEA), our legal bases for processing your data are:

  • Contract performance: Processing necessary to provide the Service you signed up for.
  • Legitimate interest: Improving the Service, ensuring security, preventing fraud.
  • Consent: Where you have given explicit consent (e.g., optional wallet connection, AI feature usage).
  • Legal obligation: Where processing is required by law.

6. Data Sharing and Disclosure

We do not sell your personal information. We may share data in these limited circumstances:

  • Service providers: We use third-party providers for hosting (Vercel), database (Supabase), AI features (Anthropic), and NBA data (balldontlie.io). These providers process data on our behalf under data processing agreements.
  • Other users: Your username, team name, league activity, and game statistics are visible to other users of the Service. Your email address is not shared with other users.
  • Legal requirements: We may disclose information if required by law, court order, or governmental authority.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.
  • Aggregate data: We may share anonymized, aggregated statistics that cannot identify individual users.

7. Data Storage and Security

  • Your data is stored on servers operated by Supabase (PostgreSQL with row-level security policies) and hosted infrastructure providers.
  • Authentication tokens are encrypted and transmitted over HTTPS.
  • Passwords are hashed using bcrypt via Supabase Auth. Magic link authentication uses one-time tokens sent to your email.
  • We implement access controls to limit who can access your data internally.
  • Despite these measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. AI Features

Pennant Games includes AI-powered features (“Ask AI” suggestions and AI GM team management) provided by Anthropic's Claude AI. When you use these features:

  • Your team roster, league standings, and relevant game context are sent to Anthropic's API to generate recommendations.
  • We do not send your email address, password, or other personal account information to the AI provider.
  • AI decisions and their reasoning are logged in our database for transparency and auditing.
  • Anthropic processes this data under their data processing terms and does not use it to train their models.
  • AI features are optional — you can play the game fully without using them.

9. Cookies and Tracking

We use the following types of cookies:

  • Essential cookies: Required for authentication session management. These cannot be disabled without breaking the Service.
  • Preference cookies: Store your theme preference (light/dark/system). These are optional.
  • Guest session: Guest access codes are stored in browser local storage (not cookies). This data never leaves your device.

We do not use advertising cookies, third-party tracking pixels, or analytics cookies that track you across other websites. We do not participate in ad networks or sell data to advertisers.

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your account and all associated personal data.
  • Portability: Request your data in a structured, machine-readable format.
  • Restriction: Request that we limit how we process your data.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you may withdraw at any time.

To exercise any of these rights, contact us at hello@pennantgames.com. We will respond within 30 days.

11. Data Retention

  • Account data: Retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days, except as required by law.
  • Game data: Game statistics, play-by-play records, and league history may be retained in anonymized form after account deletion for the integrity of league records.
  • AI action logs: AI GM decision logs are retained for the duration of the league season and may be anonymized afterward.
  • Log data: Server logs are retained for up to 90 days for security and debugging purposes.

12. Children's Privacy

The Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly.

Children between 13 and 17 may use the Service with parental or guardian consent. Parents and guardians who allow minors to use the Service are responsible for monitoring their activity and ensuring compliance with these terms. The Service does not contain advertising, in-app purchases, or real-money transactions — virtual currency (HoopCoins) has no real-world monetary value.

If you believe a child under 13 has created an account, please contact us at hello@pennantgames.com.

13. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. By using the Service, you consent to such transfers. We ensure appropriate safeguards are in place for international transfers in compliance with applicable law.

14. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Not be discriminated against for exercising your privacy rights

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email and/or a prominent notice on the Service. The “Last updated” date at the top indicates the most recent revision.

16. Contact

For privacy-related questions, requests, or concerns:

  • Email: hello@pennantgames.com
  • Unstructured Ventures, LLC, 6360 Broad St. #5226, Pittsburgh, PA 15206