Privacy Policy
Effective Date: May 2026 · Last Updated: May 2026
This Privacy Policy describes how Fancav ("we," "us," or "our") collects, uses, stores, and shares your personal information when you use the Fancav platform, including the website at fancav.com and all related services (collectively, the "Service"). By creating an account or using the Service, you agree to the collection and use of your information as described in this Privacy Policy.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a notice within the Service and require you to re-acknowledge the updated Policy before continuing to use the platform.
1. Information We Collect
1.1 Information You Provide Directly
Personal accounts: When you create a personal account, we collect your first and last name, email address, date of birth, gender, phone number, and home address. If you sign up via Google OAuth, we receive your name and email address from Google and ask you to provide the remaining required fields directly.
Business accounts: When you create a business account, we collect your business name, venue type, business address, contact person first and last name, title or role, business phone number, event capacity, primary sports leagues, amenities, a venue description, and optionally a business logo or photo.
Profile information: You may update your profile at any time, including your address, favorite teams, primary team selection, and time zone.
Event information: When you create a watch party event, we collect the event title, description, date and time, address, maximum attendees, visibility settings, and any other fields you complete in the event creation form.
Comments: When you post a comment on an event detail page, we collect the text content of that comment along with the date and time it was posted.
Communications: If you contact us by email, we collect the content of your message and any information you choose to include.
1.2 Information We Collect Automatically
Usage data: We collect information about how you interact with the Service, including pages visited, features used, events viewed, RSVPs made, and actions taken within the app.
Device and browser information: We collect your browser type, operating system, and general device information when you access the Service.
Location data: We collect your home address at signup and geocode it to latitude and longitude coordinates for the purpose of showing you nearby watch party events. We do not collect real-time GPS location from your device.
Log data: Our servers automatically record certain information when you use the Service, including your IP address, browser type, referring URLs, and timestamps of requests.
1.3 Information From Third Parties
Google OAuth: If you sign up or log in using Google, we receive your name and email address from Google. We do not receive access to your Google contacts, calendar, Drive, or any other Google service beyond what is needed to authenticate your account.
Sports schedule data: We use the ESPN API to retrieve upcoming game schedules for your followed teams. We do not receive any personal information about you from this source.
2. How We Use Your Information
We use the information we collect to:
- Create and maintain your account
- Verify your age and phone number at signup
- Display nearby watch party events relevant to your followed teams and location
- Enable you to host, RSVP to, and manage watch party events
- Reveal event addresses to confirmed attendees within the 24-hour window, as described in our Terms of Service
- Send transactional emails — including RSVP confirmations, event cancellation notices, and 24-hour reminder emails with full address details
- Send one-time SMS verification codes at signup
- Apply team color theming throughout the app based on your primary team selection
- Screen user-submitted content through automated moderation tools
- Process and respond to content reports submitted through the app
- Enforce our Terms of Service and Community Guidelines
- Maintain the security and integrity of the platform
- Comply with applicable laws and legal obligations
- Improve and develop the Service
We do not use your personal information for advertising purposes. We do not sell your personal information to third parties. We do not use your information to build advertising profiles or share it with data brokers.
3. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:
3.1 With Other Users — Limited and Intentional
Fancav is a community platform. Certain information is visible to other users by design, subject to strict limits:
- Event listings: Your event title, description, date, time, neighborhood (not full address), team, visibility setting, and first name are visible to other users who can view your event.
- Attendee lists: Your first name appears on the attendee list of any event you have confirmed RSVPd to, visible to other users who can view that event.
- Comments: Your first name and comment content are visible to users who can view the event detail page where you posted.
- Host information: If you host an event, your first name is displayed on your event listing and detail page. Your full address is never displayed to non-attendees and is only revealed to confirmed RSVP attendees within 24 hours of the event start time.
We never display your last name, email address, date of birth, phone number, home address, or gender to other users in any context.
3.2 With Service Providers
We share information with third-party service providers who help us operate the platform. These providers are contractually required to use your information only to provide services to us and not for their own purposes:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | All account and event data stored on their infrastructure |
| Mapbox | Maps and geocoding | Home address (for geocoding at signup); neighborhood coordinates for map display |
| Resend | Transactional email delivery | Your email address, first name, and event details required to send notifications |
| Inngest | Background job processing | Event data required to trigger scheduled jobs (e.g. 24-hour reminder emails) |
| OpenAI | Content moderation | Text content of event titles, descriptions, and comments submitted to the moderation API |
| Vonage | SMS verification | Your phone number, for the purpose of delivering a one-time verification code at signup |
3.3 For Legal Reasons
We may disclose your information if we believe in good faith that disclosure is necessary to: comply with applicable law or a valid legal process; protect the rights, property, or safety of Fancav, our users, or the public; detect, prevent, or address fraud, security, or technical issues; or enforce our Terms of Service.
3.4 Business Transfers
If Fancav is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and a notice on the platform before your information is transferred and becomes subject to a different privacy policy.
4. Data Storage and Security
4.1 Where Your Data Is Stored
Your data is stored on Supabase's infrastructure, which uses PostgreSQL hosted on AWS. All data is stored in the United States.
4.2 How We Protect Your Data
We implement the following security measures to protect your personal information:
- Passwords are hashed and salted using bcrypt via Supabase Auth. Passwords are never stored in plain text.
- Session tokens are stored in httpOnly, Secure, SameSite=Strict cookies — never in localStorage or sessionStorage.
- All traffic is served exclusively over HTTPS. HTTP requests are automatically redirected to HTTPS.
- Database access is controlled via Supabase Row Level Security (RLS) policies, which enforce data access rules at the database level. For example, event addresses are gated by RLS and are never accessible through the API to unauthorized users regardless of application code.
- API responses follow the principle of least privilege — each endpoint returns only the fields required for that specific feature. Personal information is never inadvertently included in responses.
- Rate limiting is applied to login attempts and event creation to prevent abuse.
No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security.
4.3 Address Privacy
For personal host events, your full street address is stored in our database but is never returned by our API to unauthorized users. The full address is accessible only to the event host and to confirmed RSVP attendees within 24 hours of the event start time. This restriction is enforced at the database level via Row Level Security — it is not solely an application-level control.
Map pins for events always represent the general neighborhood or zip code centroid — never the host's exact street address. The precise coordinates used for pins are derived from neighborhood-level data, not the host's actual location.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. The following specific retention periods apply:
| Data Type | Retention Period |
|---|---|
| Active account data | Retained for the lifetime of the account |
| Deleted accounts | Account immediately deactivated; personal data permanently purged 30 days after deletion request. A restore link is emailed at time of deletion |
| Cancelled events | Event record retained for 90 days then purged |
| Withdrawn RSVPs | Soft-deleted immediately; purged after 90 days |
| Inactive accounts | Accounts inactive for 2 years receive an email warning. If no response within 30 days, account is scheduled for deletion |
| Transactional email logs | Retained for 90 days for deliverability debugging, then purged |
Anonymized, non-identifiable aggregate data (such as total platform event counts) may be retained after account deletion for platform analytics purposes.
6. Your Rights and Choices
6.1 Account Information
You may update your personal information at any time from your profile settings, including your name, address, phone number, favorite teams, and primary team.
6.2 Account Deletion
You may delete your account at any time from your profile settings. Upon confirmed deletion:
- Your account is immediately deactivated — you cannot log in after confirming deletion
- A confirmation email is sent immediately with a link to cancel the deletion
- You have 30 days to cancel the deletion using the link in that email
- After 30 days, all personal data (name, email, address, date of birth, gender, phone number) is permanently purged from our systems
- Any events you were hosting that have not yet taken place are automatically cancelled, and RSVPd attendees are notified
- Any active RSVPs you held are automatically withdrawn, and affected hosts are notified
Account deletion is permanent and cannot be undone after the 30-day window closes. If your restore link expires and you need assistance, contact us at support@fancav.com. Anonymized, non-identifiable data (such as aggregate platform analytics) may be retained after deletion.
6.3 Email Preferences
Transactional emails — including RSVP confirmations, event cancellation notices, and 24-hour reminder emails — are sent in connection with your active use of the platform. You cannot opt out of transactional emails while you hold active RSVPs or are hosting active events, as these emails contain information material to your participation.
If Fancav introduces non-transactional email communications in the future (such as newsletters or promotional announcements), you will be able to opt out of those separately.
6.4 SMS
To stop receiving SMS messages from Fancav, reply STOP to any message we send. You will receive a confirmation that you have been unsubscribed. Note that opting out of SMS may limit your ability to use certain verification features of the Service.
7. California Privacy Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
Right to know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the purposes for which it is used, and the categories of third parties with whom it is shared.
Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions permitted by law. You may delete your account directly from your profile settings at any time, which initiates the deletion process described in Section 6.2.
Right to opt out of sale: Fancav does not sell your personal information to third parties. We do not share your information with data brokers or advertising networks. Because we do not sell personal information, there is nothing to opt out of — but we make this statement explicitly so you are fully informed of your rights.
Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a data access or deletion request, contact us at legal@fancav.com with the subject line "California Privacy Request." We will respond within 45 days as required by law.
A "Do Not Sell My Personal Information" link is available in the footer of our website. Clicking it will confirm that Fancav does not sell personal information.
8. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. Age verification is enforced server-side at signup using the date of birth provided. If we become aware that we have collected personal information from a user under 18, we will take steps to delete that information promptly. If you believe a minor has created an account, please contact us at legal@fancav.com.
9. Cookies and Tracking
We use cookies and similar technologies to operate and improve the Service. Specifically:
- Session cookies are used to maintain your authenticated session. These are stored in httpOnly, Secure cookies and are required for the Service to function.
- Preference cookies may be used to remember your settings and preferences within the app.
We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking for advertising purposes.
Most browsers allow you to control cookies through their settings. Disabling session cookies will prevent you from logging into the Service.
10. Third-Party Links
The Service may contain links to third-party websites or services, such as broadcast network websites referenced on event detail pages. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.
11. Changes to This Policy
We will notify you of material changes to this Privacy Policy by email and by displaying a prominent notice within the Service. Material changes will not apply retroactively. We will update the "Last Updated" date at the top of this page whenever changes are made. Your continued use of the Service after notice of changes constitutes your acceptance of the updated Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at:
Email: legal@fancav.com
Website: fancav.com
We will respond to all privacy inquiries within 30 days.
This Privacy Policy was last updated in May 2026. If you have questions, contact us at legal@fancav.com.