Privacy Policy

    Last updated: 4 March 2026

    World League Manager ("WLM", "we", "us", "our") is operated by Bearworks LTD, a company registered in England and Wales. We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights.

    1. Data Controller

    Bearworks LTD is the data controller responsible for your personal data. If you have any questions about this policy or how we handle your data, you can contact us at:

    Privacy: privacy@worldleaguemanager.com
    General support: hello@worldleaguemanager.com

    2. Information We Collect

    2.1 Information You Provide

    • Account registration: email address, display name (manager name), password (stored in hashed form). If you register or sign in using Google, we receive your Google account email address, display name, and profile picture URL via Google's OAuth 2.0 API. We do not receive or store your Google password.
    • Supporter subscription: payment information is processed by our third-party payment provider and is not stored on our servers. We receive confirmation of subscription status, billing dates, and transaction identifiers only.
    • Communications: any messages you send via in-game messaging, the contact form, or email correspondence with us.

    2.2 Information Collected Automatically

    • Gameplay data: match results, tactical settings, transfer activity, lineup selections, league standings, and other in-game actions necessary to operate the game.
    • Technical data: IP address, browser type and version, device type, operating system, timezone, and general location (country/region level only).
    • Usage data: pages visited, features used, session duration, and interaction patterns to help us improve the Service.

    2.3 Information We Do Not Collect

    We do not collect special category data (e.g. racial or ethnic origin, political opinions, health data, biometric data). We do not knowingly collect data from children under 13.

    3. Lawful Basis for Processing

    Under UK GDPR, we process your personal data on the following legal bases:

    Purpose Lawful Basis
    Providing and operating the game Contract performance (Art. 6(1)(b))
    Processing Supporter subscription payments Contract performance (Art. 6(1)(b))
    Sending essential service notifications Contract performance (Art. 6(1)(b))
    Improving the game and fixing bugs Legitimate interests (Art. 6(1)(f))
    Preventing cheating and enforcing fair play Legitimate interests (Art. 6(1)(f))
    Analytics and performance monitoring Legitimate interests (Art. 6(1)(f))
    Marketing emails (if opted in) Consent (Art. 6(1)(a))

    4. How We Use Your Information

    • To create and manage your account and provide the game service.
    • To process and manage Supporter subscriptions, including billing and renewal notifications.
    • To calculate match results, maintain league standings, and operate the transfer market.
    • To communicate with you about your account, including password resets, service updates, and security alerts.
    • To detect, investigate, and prevent cheating, fraud, and violations of our Terms of Service.
    • To analyse usage patterns and improve the game experience.
    • To comply with legal obligations.

    We will never sell your personal data to third parties.

    5. Google User Data

    If you choose to sign in or register using Google, WLM accesses limited data from your Google account through Google's OAuth 2.0 authentication service. This section explains how we handle that data in compliance with the Google API Services User Data Policy, including the Limited Use requirements.

    5.1 Data We Access

    We request only the following OAuth scopes:

    • email — your Google account email address, used to create and identify your WLM account.
    • profile — your display name and profile picture URL, used to personalise your manager profile.
    • openid — standard authentication identifier to verify your identity.

    5.2 How We Use Google Data

    Google user data is used solely to:

    • Authenticate you and create or link your WLM account.
    • Display your name and profile picture within the game.
    • Send essential account-related communications to your email address.

    We do not use Google user data for advertising, to build user profiles for ad targeting, or for any purpose unrelated to the core functionality of WLM.

    5.3 How We Store Google Data

    Your email address and display name are stored in our database alongside other account data. Profile picture URLs are stored as references. All stored data is protected by the technical and organisational measures described in Section 12 (Data Security). We do not store Google access tokens or refresh tokens beyond the duration of the authentication session.

    5.4 How We Share Google Data

    We do not sell, lease, or share your Google user data with third parties except as described in Section 6 (Data Sharing) — specifically, with infrastructure providers that process data on our behalf under data processing agreements. Your Google data is never shared with advertisers or data brokers.

    5.5 Google API Services Limited Use Disclosure

    WLM's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

    6. Data Sharing

    We may share your data with the following categories of recipients:

    • Infrastructure providers: cloud hosting and database services that store and process data on our behalf, operating under data processing agreements.
    • Payment processor (Paddle): Paddle.com Market Ltd acts as our Merchant of Record for all paid subscriptions. Paddle processes payment data, handles billing, taxes, refunds, and invoicing as an independent data controller for that data. We receive only your subscription status, billing dates, and Paddle's transaction/customer identifiers — we do not receive or store card details.
    • Analytics providers: anonymised or pseudonymised usage data to help us understand how the Service is used.
    • Law enforcement or regulators: where we are legally obliged to do so, or to protect our rights and the safety of our users.

    We do not share your data with advertisers. In-game information that is inherently public (e.g. your manager name, club name, league standings, match results) is visible to other users as part of the game.

    7. International Data Transfers

    Our infrastructure providers may process data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, including:

    • UK adequacy decisions for the destination country.
    • Standard Contractual Clauses (SCCs) approved by the ICO.
    • Other appropriate safeguards as permitted under UK GDPR.

    8. Data Retention

    • Active accounts: we retain your data for as long as your account is active and you continue to use the Service.
    • Inactive accounts: accounts inactive for more than 12 months may be deleted, along with all associated data.
    • Deleted accounts: upon account deletion, personal data is removed within 30 days. Some anonymised gameplay data (e.g. historical match results) may be retained for game integrity.
    • Supporter billing records: retained for up to 7 years after the end of the subscription to comply with financial record-keeping requirements.
    • Enforcement records: records of account suspensions or bans may be retained indefinitely to prevent repeat violations.

    9. Cookies & Similar Technologies

    9.1 Essential Cookies

    We use strictly necessary cookies for authentication, session management, and security. These cookies are required for the Service to function and cannot be disabled.

    9.2 Analytics Cookies (Google Analytics 4)

    We use Google Analytics 4 to understand how visitors use the Service. Google Analytics is configured with IP anonymisation enabled and operates under Google's Consent Mode v2.

    • If you visit from the UK, EU or EEA: we ask for your permission via a banner before storing any analytics cookies on your device. Until you accept, Google receives only anonymous, aggregated visit signals (no cookies, no device identifier). If you reject, no analytics cookies are ever set.
    • If you visit from elsewhere: analytics cookies are set by default in line with local norms.
    • Cookies set after consent: _ga and _ga_YE25TP0DYM (used by Google Analytics to distinguish unique visitors and sessions). Both expire after 13 months.
    • Sub-processor: data is processed by Google LLC under Google's standard data protection terms and Standard Contractual Clauses where applicable.
    • You can change your decision at any time by clearing your browser's site data for this domain — the banner will reappear.

    9.3 No Advertising Cookies

    We do not use advertising or tracking cookies. We do not serve third-party advertisements.

    10. Your Rights Under UK GDPR

    Under the UK GDPR, you have the following rights in relation to your personal data:

    • Right of access (Art. 15): you can request a copy of the personal data we hold about you.
    • Right to rectification (Art. 16): you can request correction of inaccurate or incomplete data.
    • Right to erasure (Art. 17): you can request deletion of your personal data ("right to be forgotten"), subject to our retention obligations.
    • Right to restrict processing (Art. 18): you can request that we limit how we use your data in certain circumstances.
    • Right to data portability (Art. 20): you can request your data in a structured, commonly used, machine-readable format.
    • Right to object (Art. 21): you can object to processing based on legitimate interests, including profiling.
    • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

    To exercise any of these rights, please email privacy@worldleaguemanager.com. We will respond within one month of receiving your request, as required by law. We may ask you to verify your identity before processing your request.

    11. Children's Privacy

    WLM is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will take steps to delete it promptly. If you believe a child under 13 has provided us with personal data, please contact us at privacy@worldleaguemanager.com.

    12. Data Security

    We implement appropriate technical and organisational measures to protect your personal data, including:

    • Encryption of data in transit (TLS/SSL) and at rest.
    • Hashed password storage using industry-standard algorithms.
    • Access controls limiting data access to authorised personnel only.
    • Regular security reviews and monitoring.

    No system is completely secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.

    13. Data Breach Notification

    In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

    • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required under UK GDPR Art. 33.
    • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34).

    14. Changes to This Policy

    We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-game notification. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.

    15. Complaints

    If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK supervisory authority:

    Information Commissioner's Office (ICO)
    Website: ico.org.uk
    Helpline: 0303 123 1113

    16. Contact Us

    For any privacy-related questions, data requests, or concerns, please contact:

    Email: privacy@worldleaguemanager.com

    You may also use our contact form.