GDPR-ready pools: data processing, consent, and retention best practices

By Dirk Menkveld on Monday, January 26, 2026


GDPR-ready pools for Fantasy Football (called a Prediction Game in English)

Fantasy Football (called a Prediction Game in English) on GoKoppa is about predicting match results. It is not about picking players for a squad.

If you run a pool with friends, you may handle personal data. GDPR matters in the UK and Europe. It also helps anywhere in the world, because it builds trust.

This guide keeps things simple. It uses short steps you can follow.

What counts as personal data in a pool?

Personal data is any info that can point to a person.

In a prediction pool, this often includes:

  • Name or nickname (if it links to a real person)
  • Email address
  • User ID
  • IP address (often logged by services)
  • Match picks (if tied to a person)
  • Chat messages or comments

You should treat all of this with care.

Data processing: collect less, do more with it

“Data processing” means collecting, storing, using, or deleting data.

To keep your pool GDPR-ready, start with one rule: collect only what you need.

Good practice:

  • Use a nickname, not a full name
  • Ask for email only if you need invites or password reset
  • Do not collect date of birth unless you must
  • Do not ask for phone numbers “just in case”
  • Keep admin access limited to 1–2 trusted people

A simple goal helps: if you can run the pool without it, do not collect it.

GDPR says you need a reason to use personal data. Many friend pools use consent.

Consent must be:

  • Clear: plain words, no tricks
  • Specific: say what you do with data
  • Freely given: no pressure
  • Easy to withdraw: leaving the pool should be simple

Avoid pre-ticked boxes. Ask in a clear way.

Example consent text (simple):

  • “I agree that this pool stores my email and picks so I can take part. I can ask to delete my data any time.”

If someone asks, you should be able to show:

  • What they agreed to
  • When they agreed
  • How they agreed

Easy ways to do this:

  • Store a consent timestamp
  • Store the version of your rules or privacy note
  • Keep a short admin log for changes

Keep it light. Keep it useful.

Be clear about sharing and public views

Pools feel social. But sharing can surprise people.

Tell players:

  • Whether a leaderboard is public or private
  • What shows on the leaderboard (nickname only is best)
  • Whether picks are hidden until kick-off
  • Whether you share winners in a group chat or email

If you post results on social media, ask first. Do not assume.

Data retention: delete old data on purpose

Retention means how long you keep data.

A good rule: keep data for the season, then delete it. If you need a bit longer for disputes, say so.

Simple retention plan:

  • During the season: keep account, picks, scores
  • End of season + 30 days: allow time for questions
  • After that: delete or anonymise old personal data

If you want “season history”, store it without personal details:

  • Keep scores, not emails
  • Keep stats with random IDs, not names
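
The retention plan and the "season history" idea above can be sketched in a few lines of Python. This is an added example, not GoKoppa code; the field names and the sample players are constructed for illustration.

```python
import secrets
from datetime import date, timedelta

GRACE = timedelta(days=30)      # "end of season + 30 days" window
KEEP_FIELDS = ("score",)        # allowlist: anything not named here is dropped

# Constructed sample records; field names are assumptions for this example.
SAMPLE_PLAYERS = [
    {"nickname": "Robin", "email": "robin@example.com", "ip": "203.0.113.7",
     "consent_at": "2025-08-01T10:00:00Z", "score": 87},
    {"nickname": "Sam", "email": "sam@example.com", "ip": "203.0.113.9",
     "consent_at": "2025-08-02T18:30:00Z", "score": 92},
]

def retention_due(season_end, today):
    """True once the season has ended and the 30-day window has passed."""
    return today > season_end + GRACE

def anonymise_season(players, season_end, today):
    """Return season history without personal data once retention is due.

    Before the deadline the records are returned unchanged.
    """
    if not retention_due(season_end, today):
        return players
    history = []
    for p in players:
        row = {k: p[k] for k in KEEP_FIELDS}
        # Random ID, not a hash of the email: a hash can be matched
        # again by anyone who knows or guesses the address.
        row["player"] = secrets.token_hex(8)
        history.append(row)
    # Shuffle so row order cannot be lined up with an old export.
    secrets.SystemRandom().shuffle(history)
    return history

if __name__ == "__main__":
    for row in anonymise_season(SAMPLE_PLAYERS, date(2026, 5, 31), date(2026, 7, 1)):
        print(row)
```

In a very small pool a score alone can still point to one person (everyone remembers who won), so decide whether the history is worth keeping at all.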

Help people use their rights

Under GDPR, players can ask for things like:

  • A copy of their data
  • A fix to wrong data
  • Deletion of their data

You should set one contact method:

  • A single email address for requests
  • A simple “delete my account” option if you can

Reply fast. Keep notes of what you did.

Keep data safe (even for a small friend pool)

You do not need fancy tools. You need good habits.

Do this:

  • Use strong passwords and a password manager
  • Turn on 2-step login where you can
  • Limit who can download exports
  • Do not share spreadsheets via public links
  • Remove ex-admins right away

If you use a platform, check where it hosts data and who can access it.

Use a trusted GDPR reference

For a clear overview of GDPR rules and rights, use the official EU page: https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en

Quick checklist for a GDPR-ready prediction pool

  • Collect the least data possible
  • Explain what you collect and why
  • Get clear consent (no pre-ticked boxes)
  • Let people leave and delete data easily
  • Keep a simple retention plan (season + 30 days)
  • Lock down admin access and exports

Final note

A pool should feel fun. Privacy should feel simple. When you run Fantasy Football (called a Prediction Game in English) as a match prediction game, you can keep it fair by using less data, clear consent, and timely deletion.