FormationFX Privacy Policy
Version: Beta 0.3 Final — Amendment 8 (beta application data collection) | Date: 21 June 2026
Plain English summary: FormationFX is a football-themed paper-trading simulation. We collect your email address, display name, date of birth (to confirm you are 18 or over), and your in-app activity so the game works. We do not handle real money. We share your data only with the services that power the app (listed below). You can ask us to delete your data at any time. This policy explains the details.
1. Who We Are
Data Controller: Matthew Hall, trading as FormationFX (sole trader), England and Wales.
Contact for privacy matters: [email protected]
ICO registration: FormationFX is registered with the Information Commissioner's Office under the Data Protection (Charges and Information) Regulations 2018, registration reference ZC149527.
FormationFX is a paper-trading simulation application. No real money is ever processed, invested, or held. All in-app currency (coins, XP, badges) is virtual and has no monetary value.
2. Data We Collect and Why
Plain English: We collect what we need to run your account, confirm you are old enough to use the app, and make the game work. Nothing more.
2.1 Account Data
Auth0 acts as our identity provider and stores the credentials below on our behalf under a Data Processing Agreement. Your date of birth is held on our own user record (Amazon RDS / AWS) for age-eligibility purposes and is not shared with Auth0.
| Data | Storage | Purpose | Lawful Basis |
|---|---|---|---|
| Email address | Auth0 | Account creation, login, essential communications | Performance of contract (Art. 6(1)(b) UK GDPR) |
| Display name | Auth0 | In-app identity | Performance of contract |
| Authentication tokens | Auth0 | Secure session management | Performance of contract |
| Date of birth (DOB) | FormationFX primary database (AWS) | Verifying that you are aged 18 or over at signup, and supporting reactive removal of any account discovered to have been opened by a person under 18 | Legitimate interests (Art. 6(1)(f) UK GDPR — age-eligibility verification of an adult-only investment simulation) |
We collect your date of birth at signup because FormationFX is restricted to users aged 18 or over (see §7). DOB is stored for the lifetime of your account and deleted alongside the rest of your account data when your account is closed (see §4).
2.2 In-App Activity Data
| Data | Purpose | Lawful Basis |
|---|---|---|
| XP balance and history | Game progression | Performance of contract |
| Coin balance and transaction log | Virtual currency tracking | Performance of contract |
| Badge and achievement records | Game progression | Performance of contract |
| Squad picks and transfer history | Core game functionality | Performance of contract |
| Retention events (login streaks, session timestamps) | Game loop, streak rewards | Legitimate interests (operating the game service) |
| Behavioural analytics (feature usage, navigation patterns) | Product improvement | Legitimate interests (improving the service); opt-out available |
NPS satisfaction score (nps_response: integer 0–10, collected at days 7, 30, and 90 of activation) and modal-dismissed flag (npsDismissedAt) | Retention monitoring, product improvement, funding-pitch evidence | Legitimate interests (Art. 6(1)(f) — understanding satisfaction at activation milestones; LIA on file: STAA-10746); opt-out by dismissing the modal permanently |
2.3 Device and Security Data
| Data | Purpose | Lawful Basis |
|---|---|---|
| Device fingerprint (browser/OS signals) | Fraud prevention, multi-account detection | Legitimate interests (protecting the integrity of the game) |
| IP address (via Cloudflare) | DDoS protection, geolocation (UK/EU compliance) | Legitimate interests (security) |
2.4 Data We Do NOT Collect
- Real financial data (bank account numbers, card details, investment portfolios)
- Sensitive personal data (health, biometric, political, religious data)
- Children's data (the service is 18+ only — see §2.5 and §7 for how we enforce this)
- Location data beyond coarse IP geolocation
2.5 Age-Eligibility Enforcement Data
To stop people under the age of 18 from creating an account on FormationFX, and to remove any account discovered to belong to a person under 18, we operate the following processing activities. None of these involves a new third-party processor — all records are held within the FormationFX primary database (AWS).
| Record | Data held | Purpose | Lawful Basis | Retention |
|---|---|---|---|---|
ageVerificationCoolOff — anti-circumvention cool-off list | Email address (lower-cased) and rejection timestamp. The rejected date of birth is not retained. | Prevents someone whose signup has been rejected for being under 18 from immediately re-submitting the form with an altered date of birth | Legitimate interests (preventing under-18s from creating accounts on an adult-only investment simulation) | 30 days from rejection, then hard-deleted |
MinorAccountFlag — reactive discovery log | Hashed account id, suspension timestamp, deletion timestamp, discovery source (e.g. user report, support contact, internal review, brokerage KYC signal), operator id of the staff member who actioned the flag | Operational record of reactive enforcement under the FormationFX Compliance Operations Runbook | Legitimate interests (defence of regulatory action) | 6 years from creation |
user.minor_account_deleted audit-log row | userId = NULL. Metadata: hashed account id, flag id, operator id. No data identifying the minor whose account was removed. | Auditable evidence that the reactive enforcement procedure was followed correctly | Legitimate interests (defence of regulatory action) | 6 years from creation |
Why these are not children's data: the email addresses on the cool-off list belong to people whose signup we rejected — no FormationFX account is created for them, and the entry is purged after 30 days. The flag and audit records describe the act of removal, not the minor: account ids are hashed at the point of writing, and the underlying user record (including DOB) is hard-deleted in the same operation. We retain the hashed-id record so that, if challenged, we can show the ICO that we acted on a credible discovery within the timescales set out in our Compliance Operations Runbook.
2.6 Waitlist and Pre-Launch Interest List
If you submitted your email address at formationfx.uk/waitlist, we hold that data to notify you when FormationFX opens more widely.
Plain English: You joined the waitlist voluntarily. We will use your email address for one purpose only — to send you a notification when we open our doors wider — then delete your record.
| Data | Purpose | Lawful Basis | Retention |
|---|---|---|---|
| Email address | Adding you to our pre-launch interest list; sending you a one-time notification when FormationFX opens for wider access | Consent — Art. 6(1)(a) UK GDPR. Your consent is recorded electronically at the point of form submission, including the timestamp of opt-in, as required by Art. 7(1) UK GDPR. | Until the launch or early-access notification is sent + 30 days, or until you withdraw your consent, whichever is earlier; then hard-deleted |
| Submission metadata (IP address and browser/device type at point of sign-up) | Bot and spam prevention; evidence of the consent event | Legitimate interests (Art. 6(1)(f) — maintaining the integrity of the consent record and preventing automated submissions) | Deleted alongside the waitlist email record |
Withdrawing consent. You can withdraw your consent and request deletion of your waitlist entry at any time by emailing [email protected]. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Where we have already sent the launch notification, the record will be in the 30-day post-notification wind-down and will be deleted on schedule.
No further use. Joining the waitlist does not create a FormationFX account and does not constitute consent to recurring marketing. Your email address will not be used for any purpose other than the one-time launch notification unless you separately create a FormationFX account (see §2.1). Your waitlist data is held entirely within the FormationFX primary database (AWS — see §3) and is not shared with any other third-party processor.
2.7 Statutory safety reporting
FormationFX has designated a Safety Officer responsible for processing mandatory referrals under the Online Safety Act 2023 and the Terrorism Act 2000. The safety reporting inbox is [email protected].
If you encounter or suspect child sexual abuse material (CSAM) or terrorism-related content on the platform, please report it immediately to [email protected]. We are required by law to refer such reports to the Internet Watch Foundation (IWF), the Child Exploitation and Online Protection Command (CEOP), and/or the Counter Terrorism Internet Referral Unit (CTIRU) as appropriate.
Where a report falls within these mandatory referral categories, a legal hold may be applied to relevant account data as required by law. See §5 "Your Rights — Right to Erasure" for how this interacts with your Art. 17 UK GDPR right.
2.8 Alpaca Trading Data (live-trading mode only)
This section applies only if you activate the Alpaca Connect feature and link a real Alpaca brokerage account. If you use only the default FormationFX path without connecting an Alpaca account, this section does not apply to you.
What we store: When you connect your Alpaca account via the Alpaca Connect flow, FormationFX writes two categories of credential to its primary database (Amazon RDS / AWS), encrypted at rest with AES-256-GCM: (i) your Alpaca account identifier — which identifies the linked brokerage account and is used to route order instructions correctly; and (ii) your Alpaca OAuth access token and refresh token — which maintain the authorised API connection and allow FormationFX to transmit order instructions to Alpaca at your direction. The lawful basis for storing both is Art. 6(1)(b) UK GDPR — performance of contract. Both are deleted on user-initiated disconnect, account deletion, or Alpaca-side revocation of the OAuth grant, whichever occurs first.
Where you use the Rebalance Portfolio feature in live-trading mode, FormationFX transmits trade instructions to Alpaca Securities LLC ("Alpaca"), our executing broker. This processing only occurs after you have connected your Alpaca brokerage account and have explicitly confirmed a rebalancing trade set.
What we send to Alpaca: Order instructions including your Alpaca account identifier, asset symbol (e.g. ticker), order direction (buy or sell), quantity (including fractional amounts), order type (market), and an idempotency key linking the order to your specific rebalancing event. No other personal data (name, email, date of birth, or address) is included in the order payload.
What we receive from Alpaca: Execution reports including confirmed fill price, filled quantity, partial-fill details, order status, and any rejection reason. We use these to update your on-screen portfolio view and to maintain the required FCA audit trail.
Why we process this data: To deliver the live-trading rebalancing service you have requested — transmitting your confirmed trade instructions and reconciling your portfolio record against the execution result is the core function of the feature.
Lawful basis: Art. 6(1)(b) UK GDPR — performance of contract. The 7-year retention of trade records also engages Art. 6(1)(c) — legal obligation (SYSC 9.1.1R / COBS 11.5.1R / HMRC).
Retention: Trade instruction and execution records are retained for 7 years from the date of the trade, in compliance with FCA record-keeping requirements (SYSC 9.1.1R / COBS 11.5.1R) and HMRC tax-records obligations. Right-to-erasure requests for this data will be declined until the retention period expires, under Art. 17(3)(b).
Transfer outside the UK: Your trade data is transmitted to Alpaca Securities LLC in the United States under the UK International Data Transfer Agreement (UK IDTA) / UK Addendum to Standard Contractual Clauses Module 2 (Controller-to-Processor), incorporated into our agreement with Alpaca.
Not used for: Advertising, profiling, marketing personalisation, or sale to any third party.
2.9 Beta Application Data
If you apply to join the FormationFX beta programme at formationfx.uk/beta-apply, we collect:
- Your full name and email address — so we can contact you about your application and, if successful, send you an invite code
- Whether you are a UK resident — an eligibility criterion for the beta programme
- Your age range (18–24 / 25–30 / 31–40 / 40+) — an eligibility criterion (the beta programme is open to adults under 40)
- Whether you play or have played FPL or any fantasy football game in the last 12 months — a screening criterion
- Whether you hold or have held an investing account — a screening criterion
- Your availability to explore and give feedback over the next four weeks — a scheduling criterion
- UTM tracking parameters from the URL you used to reach the form (utm_source, utm_medium, utm_campaign, utm_content) — so we can understand which outreach channels are generating interest in FormationFX
Why we process this data and our legal basis: Processing your application data is necessary for the pre-contractual steps required to assess your eligibility for and admission to the beta programme (UK GDPR Art. 6(1)(b)). UTM tracking parameters are processed under our legitimate interest in understanding the effectiveness of our beta recruitment outreach (UK GDPR Art. 6(1)(f)).
What happens with your application: If you are eligible, you will receive a confirmation email and the CMO will personally review your application before any invite code is sent. If you are not eligible (for example, because you are not a UK resident or are aged 40 or over), your application will not be progressed, but will be retained for six months in case of re-application or abuse detection, after which it will be deleted.
Who receives your data: If you are eligible, a confirmation email is sent via Resend, Inc. (see §3). Your application is visible to the FormationFX team for review purposes only.
Retention: Eligible applications are retained for the duration of the beta programme plus six months. Ineligible applications are deleted six months after submission.
3. Third-Party Processors
Plain English: We use third-party services to run the app. Each one only gets what it needs to do its job, and each one is bound by a data processing agreement with us.
| Processor | Role | Data Shared | Location |
|---|---|---|---|
| Auth0 (Okta) | Authentication and identity | Email, display name, session tokens | EU/US (Standard Contractual Clauses apply) |
| Alpaca Markets | Paper-trading API (simulation data only — no real money) | In-app trading instructions (simulated) | US (SCCs apply) |
| Alpaca Securities LLC | Order execution for live-trading Rebalance Portfolio feature (see §2.8) | Order instructions and execution reports (Alpaca account id, asset symbol, direction, quantity, order type, idempotency key, fill price, filled quantity, order status) | United States — UK IDTA / UK Addendum to SCCs Module 2 |
| Amazon Web Services (AWS) | Cloud infrastructure, database hosting | All application data, including DOB and the age-eligibility records described in §2.5 | EU (eu-west-1 preferred) |
| Vercel | Application hosting and delivery | Application code, session data | EU/US (SCCs apply) |
| PostHog | Product-behaviour analytics (event capture, funnels, pageview counts) | Anonymous PostHog distinct_id (UUID), event names with bounded enum properties only — no email, name, ticker, price, quantity, or financial value | EU (eu.posthog.com, Frankfurt) — UK→EU adequacy; UK→US onward sub-processing under UK IDTA / SCC Module 2 |
| Cloudflare | CDN, DDoS protection | IP addresses, request metadata | Global edge (SCCs apply) |
| Resend, Inc. | Transactional email delivery (incl. beta application confirmation emails to eligible applicants at formationfx.uk/beta-apply) | Recipient email address and email content | US (SCCs apply) |
All processors are engaged under written Data Processing Agreements compliant with UK GDPR Article 28. Copies available on request to [email protected].
Analytics processing is consent-based. PostHog only receives events from your browser after you have explicitly accepted analytics cookies on the cookie-consent banner. You can withdraw consent at any time from the in-app cookie settings; on withdrawal, FormationFX immediately opts your browser out of further PostHog capture and resets the analytics identity. We do not transmit your email, name, date of birth, country, ticker symbols, trade quantities, trade prices, account balances, or any financial value to PostHog at any time.
International transfers: Where processors operate outside the UK/EEA, transfers are protected by UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses approved under UK GDPR.
No new processor is involved in age-eligibility enforcement. DOB, the cool-off list, the minor-account flag, and the deletion audit log are all held in the FormationFX primary database (AWS) under the existing Article 28 DPA with AWS.
4. How Long We Keep Your Data
Plain English: We keep your account data while your account is active. After you delete your account, we purge personal data within 30 days. A short anti-circumvention list lives for 30 days, and a PII-free record of any minor-account removal lives for 6 years. Anonymised statistics live on indefinitely.
| Data category | Retention period |
|---|---|
| Account data (email, name, auth tokens, DOB) | Active account lifetime + 30 days post-deletion |
| In-app activity data (XP, coins, picks, history) | Active account lifetime + 30 days post-deletion |
NPS response scores (nps_response table) and dismissed flag (npsDismissedAt) | Active account lifetime + 30 days post-deletion |
| Device/security logs | 90 days rolling |
| Age-eligibility cool-off list (rejected signup email + timestamp) | 30 days, then hard-deleted |
| Waitlist email address and submission metadata | Until launch or early-access notification sent + 30 days, or withdrawal of consent, whichever is earlier; then hard-deleted |
| Beta application data (eligible) | Duration of beta programme + 6 months |
| Beta application data (ineligible) | 6 months from submission, then deleted |
| Minor-account flag records (hashed account id, timestamps, operator id) | 6 years from creation |
| PII-free minor-account deletion audit-log row | 6 years from creation |
Alpaca trade instructions + execution reports (RebalancingOrderRecord) | 7 years from trade date (SYSC 9.1.1R / COBS 11.5.1R / HMRC Finance Act 1998) |
| Behavioural analytics raw events (PostHog) | 90 days |
| Aggregated, anonymised analytics | Indefinite (no personal data retained) |
| Legal/compliance records (if applicable) | 6 years (statutory minimum) |
Deletion requests are processed within 30 days. We will confirm completion by email.
5. Your Rights Under UK GDPR
Plain English: You have real rights over your data. Here is how to use them.
| Right | What it means | How to exercise |
|---|---|---|
| Access (SAR) | Request a copy of all personal data we hold about you | Email [email protected] |
| Rectification | Correct inaccurate data | Email [email protected] or update in-app |
| Erasure ("Right to be Forgotten") | Delete your account and personal data | In-app account deletion flow or email request |
| Portability | Receive your data in a machine-readable format | Email [email protected] |
| Restriction | Pause processing while a dispute is resolved | Email [email protected] |
| Objection | Object to processing based on legitimate interests | Email [email protected] |
| Withdraw consent | Withdraw any consent given at any time | In-app settings or email |
When we cannot immediately fulfil a deletion request. In certain circumstances we may be required by law to retain your data even after you request deletion. This includes where applicable legislation — such as the Online Safety Act 2023 or the Terrorism Act 2000 — requires us to preserve your account or content for the purpose of making a mandatory referral to a law enforcement body or for the establishment, exercise, or defence of legal claims (UK GDPR Art. 17(3)(b) and Art. 17(3)(e)). Where this applies, we will inform you that your deletion request cannot be fulfilled at this time. We will not disclose the underlying statutory basis where doing so could compromise an ongoing law enforcement matter. Once the legal hold is lifted, deletion will proceed in the normal way.
A note on the age-eligibility records: the legitimate-interest basis described in §2.5 has been carefully scoped to what is necessary to operate an adult-only product. You can object to that processing under Article 21, but objecting to age-eligibility verification at signup means we cannot create an account for you. The cool-off list contains an email-and-timestamp pair only and is purged after 30 days; the minor-account flag and audit records contain no information identifying the data subject and so are not capable of being matched to a request under Article 15 or Article 17.
Response time: We will respond to all rights requests within 30 days. We may ask you to verify your identity before fulfilling a request.
Complaints: You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
6. Cookies and Tracking
FormationFX uses:
- Essential cookies: Required for login and session management. No consent required.
- Analytics cookies: Used for product improvement (behavioural analytics). Consent required — where analytics cookies are active, you will be presented with a cookie consent banner on first visit, and may change your choice at any time via in-app settings or your browser controls.
- No advertising or third-party tracking cookies.
7. Children
FormationFX is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18.
To enforce this restriction we operate three controls, described in detail in §2.5:
- A mandatory date-of-birth check at signup, server-side authoritative;
- A 30-day anti-circumvention cool-off list to stop a rejected signup from being immediately retried with an altered date of birth; and
- A reactive workflow — suspension within 24 hours and full deletion of personal data within 7 days — for any account discovered to belong to a person under 18, plus a 6-year PII-free audit log of any such removal for the defence of regulatory action.
If you believe a child has created an account, please contact [email protected] immediately.
8. Changes to This Policy
We will notify registered users of material changes to this policy by email at least 14 days before the change takes effect. The version date at the top of this policy will always reflect the most recent update.
9. Beta-Specific Notice
During the beta period, FormationFX operates as a closed, invitation-only simulation. No real money is involved at any stage. Beta participants' data is processed on the same basis as described in this policy. Feedback and usage data collected during beta may be used to improve the product.
FormationFX — Matthew Hall (sole trader) — England and Wales Beta 0.3 Final — Amendment 8 (beta application data collection) — effective 21 June 2026