Privacy policy
Last updated: 14 May 2026
Fitness Industry Sales LTD, trading as pitch.lab. Registered office: 71-75 Shelton Street, London, Greater London, WC2H 9JQ, United Kingdom. ICO registration: ZB574641.
1. Who this policy applies to
This policy explains how Fitness Industry Sales LTD (pitch.lab, "we", "us") handles personal data when you use the pitch.lab web application, the MCP connector for ChatGPT and Claude, and our related APIs. It is written for two groups: (a) individuals who register a pitch.lab account and use the service directly, and (b) Fantasy Premier League managers whose publicly available league, team and gameweek data appears in our predictions and analytics layer because another user follows them. We are the data controller for both groups under the UK GDPR.
2. Information we collect
We collect the following categories of personal data:
- Account data — email address, hashed password (bcrypt), optional display name, account creation timestamp, email-verification status.
- Authentication artefacts — long-lived session JWTs (signed, not encrypted); SHA-256 hashes of API keys you generate (raw key never persisted); OAuth 2.1 access tokens, refresh tokens and authorisation codes (all stored as SHA-256 hashes with TTL-driven expiry).
- FPL team data you claim — your FPL entry id, team name, gameweek history, captain picks, chips, transfers, mini-league memberships. This data is fetched from the public Fantasy Premier League API. Even if you do not claim your own team, your team appears in our database the moment another pitch.lab user follows you, since FPL exposes the data publicly.
- Technical / usage data — IP address (logged with each request for rate-limiting and abuse prevention), user-agent string, request path and timing, and the identifier of the MCP tool invoked. We do not record the natural-language content of your prompts to ChatGPT or Claude — we only see the structured tool arguments those services send us.
- Email correspondence — anything you send to our support inbox, retained for as long as the conversation is operationally useful.
3. How we use information
We use the data above for the following purposes:
- Provide the pitch.lab application and the MCP connector.
- Authenticate you across the website, the OAuth-protected MCP connector, and API-key based clients (e.g. Claude Desktop).
- Generate predictions, analytics, suggested transfers, mini-league comparisons and the Pitch.lab Difficulty Rating.
- Send transactional emails (account verification, password reset links) via our email partner.
- Detect and mitigate abuse (rate limiting, anomaly detection, fraud prevention).
- Comply with legal obligations.
- Defend our legal rights where necessary.
We do not sell personal data and we do not run advertising.
4. Use of AI services
The MCP connector is read-only and does not call any large language model on your behalf. The LLM that asks our tools questions runs inside ChatGPT (OpenAI, OpenAI OpCo, LLC, United States) or Claude (Anthropic PBC, United States) — services you have chosen to use, governed by their privacy policies. Anthropic and OpenAI have contractual commitments not to train their consumer models on data submitted via the API or business tiers; please refer to their policies for the latest position. We do not feed your interactions with our connector into any model we train.
5. Lawful bases for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract (6(1)(b)) — delivering the service you signed up for; account management; OAuth and API authentication.
- Legitimate interests (6(1)(f)) — service security, abuse prevention, internal analytics on anonymised aggregates, defending and exercising legal claims.
- Consent (6(1)(a)) — any optional marketing email (off by default; you may opt in at signup and out at any time).
- Legal obligation (6(1)(c)) — tax, accounting, response to lawful regulatory or law-enforcement requests.
6. Sharing information
We share personal data with the following sub-processors strictly to operate the service:
- Salesforce, Inc. (Heroku) — application hosting for the API and MCP server. Data resides on AWS infrastructure in the EU/EEA where possible.
- Amazon Web Services, Inc. — managed PostgreSQL database (RDS) for application data. Region selected to minimise cross-border transfer.
- Vercel, Inc. — static and server-rendered hosting for the pitch.lab website.
- HighLevel, Inc. — transactional email delivery (account verification, password reset).
- Football data providers (read-only sources) — Fantasy Premier League public API, football-data.org, Understat, API-Football, OpenWeatherMap, The Odds API. We send no personal data to these services; we read public match, fixture and weather data from them.
We may also disclose personal data to professional advisers (accountants, lawyers) bound by confidentiality, or when required by law (court order, regulatory request, fraud investigation).
7. International data transfers
Where personal data is transferred outside the UK / EEA — for example to US-based sub-processors — we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the recipient's adequacy status (UK adequacy regulations) as appropriate. Copies of relevant safeguards are available on request.
8. Data retention
- Account data — kept for as long as your account is active; deleted within 30 days of account closure (subject to legal retention obligations).
- FPL team data — retained indefinitely while the underlying FPL team exists, because historic gameweek data is what powers our predictive models and is itself public.
- Authentication artefacts — OAuth access tokens expire after 24 hours, refresh tokens after 30 days, authorisation codes after 60 seconds. Expired tokens are purged on rotation.
- Request logs — 90 days on the application tier; aggregated metrics may be retained for longer in anonymised form.
- Email correspondence — 12 months from the last reply, then deleted unless a longer retention is required by law.
9. Account deletion and erasure requests
You can request deletion of your pitch.lab account at any time by emailing [email protected] from the email address on file. We will delete or anonymise your account data within 30 days of receipt, except where we are required by law to retain specific records (tax, accounting, litigation hold). Note: public FPL team data is not personal data we generated, and is not deletable through us — contact the Fantasy Premier League directly to manage your FPL account.
10. Security
All connections to pitch.lab are encrypted in transit (TLS, with certificates issued by a recognised certificate authority). Passwords are hashed with bcrypt. API keys, OAuth tokens and authorisation codes are stored as SHA-256 hashes — raw values exist only in transit. Per-user credential isolation is enforced at the database layer: every query is scoped by user id, and no tool can read another user's private data. We aim to notify affected users and the Information Commissioner's Office within 72 hours of becoming aware of a material personal-data breach, as required by Article 33 of the UK GDPR.
11. Your rights
Under the UK GDPR you have the following rights:
- Right of access to a copy of your personal data.
- Right of rectification of inaccurate data.
- Right of erasure ("right to be forgotten").
- Right to restriction of processing.
- Right to data portability.
- Right to object to processing based on legitimate interests.
- Rights related to automated decision-making and profiling — note that our predictive models do not produce legally significant automated decisions about you.
- Right to withdraw consent at any time for processing based on consent (without affecting prior lawful processing).
Exercise any of these rights by emailing [email protected].
12. Right to complain
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would appreciate the chance to address your concern first — email us at [email protected].
13. Children
pitch.lab is not directed at, designed for, or marketed to children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with personal data, contact us and we will delete it.
14. Marketing communications
We may send infrequent product-update emails to registered users on the basis of soft opt-in (PECR Regulation 22) — for example, announcing a major new feature or a material change to the service. You may opt out via the unsubscribe link in any such email or by emailing us. Transactional emails (verification, password reset, security notifications) are not subject to opt-out while your account exists.
15. Cookies
The pitch.lab web application sets only one first-party cookie that is strictly necessary: the session token used to keep you signed in between page loads. We do not run third-party analytics cookies, advertising trackers or session-replay tools.
16. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes — for example, a new sub-processor handling personal data, or a change in the lawful basis for a specific processing activity — we will notify affected users by email or in-product banner at least 14 days before the change takes effect.
17. Contact
Fitness Industry Sales LTD, trading as pitch.lab.
Registered office: 71-75 Shelton Street, London, Greater London, WC2H 9JQ, United Kingdom.
ICO registration: ZB574641.
Privacy inbox: [email protected]. We aim to respond to substantive privacy enquiries within 30 days.