Private, self-hosted deployment
Privacy policy
Effective July 16, 2026What this deployment stores
- Your display name, normalized email address, password hash, and revocable sessions.
- Fantasy league settings, teams, rosters, standings, matchups, draft events, and the team you claim in each league.
- Your rankings, auction values, notes, shares, and recommendation inputs or feedback.
- Operational records such as sync time, source freshness, request correlation IDs, and security audit events. Application logs are configured to redact credentials.
Provider connections
Yahoo authorization happens on Yahoo. The server stores Yahoo tokens in an encrypted, versioned credential envelope and uses them only for read-only fantasy sync initiated through this deployment. The current release shows the last successful sync and keeps unattended Yahoo league refreshes disabled until that scheduler is separately validated.
ESPN does not provide this app with a supported consumer Fantasy OAuth flow. The optional browser companion uses the ESPN session already present in your browser. It sends bounded league snapshots to Laces Out, but never sends your ESPN password or the values of ESPN cookies. A paired browser can be revoked from the connections screen.
How data is used and shared
Data is used to synchronize leagues, run deterministic draft and in-season analysis, show league-wide statistics to authorized league members, and operate or secure this deployment. Private rankings, notes, provider credentials, and personal recommendation settings are not exposed to another member unless you explicitly create a permitted share.
Laces Out does not sell data, run behavioral advertising, or add third-party analytics by default. Provider and football-data services receive only the requests required to retrieve their data. Optional AI features must identify their provider before data is sent and are disabled unless the operator configures them.
Retention, export, and deletion
The live database retains an account and its authorized artifacts until they are deleted by the deployment operator or required for an active shared league. Encrypted backups may retain deleted records until that operator’s documented backup rotation completes. Ask the person who invited you to export your data, revoke a connection, delete a share, or delete your account and associated private data.
Security and your choices
Passwords are protected with Argon2id, browser sessions are HTTP-only, production traffic is intended to use HTTPS, and provider credentials are encrypted at rest. No small self-hosted service can promise absolute security. Use a unique password, revoke provider access if a device or server is compromised, and report unexpected league or account activity to the operator promptly.
Policy changes and contact
Material policy changes should be announced to members before new processing begins. This is a private deployment rather than a centrally operated Laces Out service; the person who issued your invite operates it and is responsible for access, deletion, security, and policy questions.
Members should contact the operator through the channel used to share their invite.