batterup-privacy

Privacy Policy — Batter Up Fantasy

Last updated: May 22, 2026

Batter Up Fantasy (“the App”) is an iOS application that tracks Major League Baseball starting lineups for players you roster in your Yahoo Fantasy Baseball, ESPN Fantasy, Fantrax, and CBS Sports Fantasy leagues. This privacy policy explains what data we collect, why we collect it, and what we do with it.

What we collect

The App collects only what is necessary to deliver its core functionality:

1. Your Yahoo Fantasy authorization — When you sign in, Yahoo issues us an OAuth access token and refresh token. These tokens let the App read your Yahoo Fantasy Baseball rosters on your behalf. We never see your Yahoo username or password — you enter those directly on Yahoo’s login page. We store these tokens server-side (in Cloudflare KV) so we can refresh your roster without requiring you to sign in repeatedly.

2. A push notification device token — When you grant the App permission to send notifications, Apple issues a unique device token. We store this token server-side and use it solely to deliver lineup-related push notifications to your iPhone via Apple Push Notification service (APNs).

3. Your Yahoo profile identifier (GUID) and nickname — Returned by Yahoo at sign-in time, used to look up your rosters and personalize the in-app greeting.

4. Your ESPN Fantasy session cookies — If you choose to connect ESPN Fantasy, your ESPN session cookies (SWID and espn_s2) are captured from the in-app WebView after you sign in on ESPN.com. We never see your ESPN password — you enter it directly on ESPN’s login page. We store these cookies server-side (in Cloudflare KV) to read your ESPN fantasy rosters on your behalf.

5. Your Fantrax session cookies — If you choose to connect Fantrax, your Fantrax session cookies are captured from the in-app WebView after you sign in on Fantrax.com. We never see your Fantrax password — you enter it directly on Fantrax’s login page. Because Fantrax sits behind a Cloudflare bot-protection gateway, the captured cookies include Cloudflare’s cf_clearance and __cf_bm cookies in addition to Fantrax’s own session cookies (such as JSESSIONID); we forward them all together so Fantrax’s gateway recognizes our requests. We store these cookies server-side (in Cloudflare KV) to read your Fantrax fantasy rosters on your behalf.

6. Your CBS Sports Fantasy session cookies — If you choose to connect CBS Sports, your CBS session cookies are captured from the in-app WebView after you sign in on cbssports.com. We never see your CBS password — you enter it directly on CBS’s login page. The captured cookies are scoped to the .cbssports.com domain and include CBS’s userId cookie plus other session identifiers; we store them server-side (in Cloudflare KV) to read your CBS Sports fantasy rosters on your behalf. At connect time the App also reads the list of fantasy baseball leagues that appears in your CBS user-profile menu (each league’s URL slug, team name, and league name) and forwards that list to our server, because CBS does not expose a JSON endpoint that enumerates your leagues; we need this list to know which league subdomains ({league-slug}.baseball.cbssports.com) to read on your behalf.

What we do NOT collect

• We do not collect your name, email address, phone number, or any other contact information beyond what Yahoo’s nickname field provides.
• We do not collect location data, contacts, photos, microphone audio, health data, or financial information.
• We do not use analytics, advertising, or any third-party tracking SDKs.
• We do not collect crash reports or telemetry.

How your data is used

Your provider tokens and session cookies (Yahoo, ESPN, Fantrax, CBS Sports) are used only to:

• Fetch the leagues and teams you manage
• Fetch the current rosters on those teams
• Cross-reference those rosters against MLB’s free public StatsAPI to detect when your players are in (or out of) the official starting lineups for each day’s games

Your device token is used only to deliver push notifications about your rostered players. Notifications are triggered server-side every five minutes during MLB lineup-posting hours.

Who we share data with

Nobody. We do not sell, rent, or share your data with third parties. There are no advertisers, no analytics providers, no data brokers involved.

The App communicates with four services to function:

• Yahoo Fantasy Sports API (api.login.yahoo.com and fantasysports.yahooapis.com) — for OAuth and roster data
• ESPN Fantasy API (fan.api.espn.com and lm-api-reads.fantasy.espn.com) — for reading your fantasy rosters if you’ve connected ESPN
• Fantrax (www.fantrax.com) — for reading your fantasy rosters if you’ve connected Fantrax
• • CBS Sports Fantasy (www.cbssports.com and *.baseball.cbssports.com) — for reading your fantasy rosters if you’ve connected CBS Sports. Each league lives on its own {league-slug}.baseball.cbssports.com subdomain; we read only the team pages for leagues you have connected.
• MLB StatsAPI (statsapi.mlb.com) — for public game schedules, lineups, and player stats; no personal data is sent
• Apple Push Notification service (api.push.apple.com) — for delivering notifications

Data retention and deletion

Your Yahoo tokens and device token are retained for as long as you use the App. If you want your data deleted, you can:

1. Delete your account in-app Settings → Account → Delete account) — this immediately removes all server-side data (Yahoo tokens, device tokens, cached roster data) and signs you out. The action is irreversible.
2. Email us at the support address below and request full deletion of your server-side records. We will delete your Yahoo tokens, your Yahoo GUID, and any registered device tokens within seven (7) days of the request.
3. Revoke access from Yahoo directly — visit https://login.yahoo.com/account/preferences/apps to remove Batter Up Fantasy’s access at any time. This immediately invalidates our stored tokens.
4. Revoke access from ESPN directly — sign out of espn.com in any browser. This invalidates the session cookies we stored.
5. Revoke access from Fantrax directly — sign out of fantrax.com in any browser. This invalidates the session cookies we stored.
6. Revoke access from CBS Sports directly — sign out of cbssports.com in any browser. This invalidates the session cookies we stored.

Children

The App is not directed to children under 13 and does not knowingly collect data from anyone under that age.

Changes to this policy

If we update this policy, we will revise the “Last updated” date at the top. Material changes will be noted in the App’s release notes.

Contact

Questions or data-deletion requests: Email: alexander.arnowitz@gmail.com