Privacy & Cookies
Game For Friends respects your privacy and only collects what’s needed to run the game, sell packs, and pay creators.
Last updated: September 2025 • App: Game For Friends
Overview
This policy explains what data we collect while you use the game, browse and purchase question packs (“Packs”), hold a subscription (e.g., Free+/Advanced), or publish Packs as a creator eligible for guaranteed payouts after our moderation review. We don’t sell your personal data and we do not use third-party advertising cookies.
What We Collect
- Account data. Email, username, password hash, avatar, and basic profile/role (player/host/creator).
- Technical data. Session/JWT cookies, device/browser info, IP (for security/abuse prevention), and event logs required to keep multiplayer rooms stable and secure.
- Gameplay data. Rooms you host or join, scores, chat messages in a room, round/board state, and anti-abuse flags (e.g., spam/bot detection).
- Commerce data. Pack purchases, library ownership, discounts, refunds, subscription tier and status, and invoices/receipts metadata.
- Creator/payout data. Pack metadata, moderation status, reported issues, statistics (sales/usage), and payout details (processed via Stripe; we don’t store full card/bank numbers on our servers).
- Pack media. Packs can include text, images, audio, or video. We store/serve the media files and related metadata (type, URL, size, thumbnails) to make gameplay smooth.
Cookies
We use strictly necessary cookies so you can sign in, join rooms, and keep your session alive. These cookies are essential to the service and cannot be disabled inside the app. We do not use marketing/ads cookies.
| Cookie | Purpose | Type | Typical Lifespan |
|---|---|---|---|
| session / access_token | Keeps you signed in and authorizes API calls (JWT/in-session). | Strictly necessary | Session or up to a few hours |
| csrf_token | Protects against cross-site request forgery on forms and API. | Strictly necessary | Session |
| socket_id | Realtime multiplayer connectivity (rooms, chat, buzzers). | Strictly necessary | Session |
| cookiesAccepted | Remembers that you closed the cookie banner. | Preference | Up to 12 months |
| remember_me (optional) | Keeps you signed in across browser restarts (if you choose). | Preference | Up to 30 days |
Cookie names and lifespans may vary slightly across environments (e.g., staging vs. production) but serve the same essential functions.
Payments and Subscriptions (Stripe)
All payments and subscriptions are processed by Stripe. We never store full card numbers or bank account details on our servers. Stripe acts as our payment processor and may process limited personal data required to complete transactions, handle disputes, and comply with financial regulations.
- What we see: payment status, last 4 digits and brand (for receipts), tokenized IDs, amounts, currency, invoices, and subscription state (active, past_due, canceled, etc.).
- What Stripe sees: your payment details and billing information necessary to process the charge (see Stripe’s own privacy policy for details).
Packs Store & Media
Packs may be free or paid and can include text, images, audio, or video. We store and deliver this content so you can play without delays. If a Pack violates our content rules (e.g., illegal content or IP infringement), it may be removed.
For players: we keep your library (owned and purchased Packs) and show eligibility based on your subscription (e.g., Free vs. Advanced) and pack access tier. We also track pack usage stats to improve quality and rankings.
Creators & Guaranteed Payouts
If you publish Packs, you may be eligible for guaranteed payouts when your Pack passes our moderation and meets the program conditions. We process creator identity and payout info via Stripe (e.g., Stripe Connect). We keep moderation decisions, reasons, and version history to ensure store integrity and fair payouts.
- Moderation data: status, reviewer notes, timestamps, violation categories (if any).
- Payout data: aggregated sales/usage, payout schedule/status, and Stripe account references.
We do not store full bank details; payouts are initiated through Stripe using tokenized identifiers.
Legal Bases for Processing
- Contract: to provide the game, multiplayer rooms, purchases, subscriptions, and creator payouts.
- Legitimate Interests: security, fraud prevention, service analytics, and service improvements.
- Consent: optional preferences like “remember me” or cookie banner dismissal.
- Legal Obligation: financial records, tax, compliance, and dispute handling.
Data Retention
We keep account and gameplay data while your account is active. Purchase and subscription records are retained for the period required by financial and tax laws. Creator payout and moderation logs are retained as needed for audit and compliance. You can request deletion of your account; some records (e.g., invoices) may be kept where required by law.
Security
We use modern security practices (TLS in transit, hashed passwords, scoped tokens, role-based access, and server-side checks). No system is perfectly secure, but we continually improve our defenses and monitor for abuse.
Third-Party Services
We rely on trusted providers for hosting, email delivery, file storage/CDN, error monitoring, and payments (Stripe). Where these providers process data on our behalf, they do so under appropriate safeguards and agreements.
Your Rights
- Access, update, or delete your account.
- Export your data upon request.
- Object to or restrict certain processing where applicable.
- Withdraw consent for optional features (e.g., “remember me”).
Some requests may be limited by our legal obligations (e.g., keeping invoices for tax compliance).
Children
The service is not directed to children under the age where parental consent is required by local law. If you believe a child has provided personal data without required consent, contact us and we will take appropriate action.
Changes to this Policy
We may update this policy to reflect changes in our product or legal requirements. We’ll post the new version here and update the “Last updated” date above.
Contact
Questions? Reach us at support@gff.local.