Privacy Policy

1. Introduction

RoastDeck (“we,” “us,” or “our”) respects your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data when you use RoastDeck at roastdeck.com (“the Service”).

2. Information We Collect

2.1 Information You Provide

• Photos: Selfies or photos you upload for use in the game. These are processed by AI to generate game content.
• Display Name: The name you choose when joining a game.
• Custom Scenarios: Text you write for custom card prompts.
• Account Information: If you sign in with Google, we receive your name and email address from Google OAuth. We do not receive or store your Google password.
• Payment Information: If you make a purchase, payment is processed by Stripe. We do not store your credit card number, CVV, or full payment details on our servers. We receive a transaction ID and plan type from Stripe.

2.2 Information Collected Automatically

• IP Address: Used for rate limiting and abuse prevention. We do not use IP addresses for advertising or tracking.
• Device Information: Browser type, operating system, and screen size may be collected for debugging and compatibility purposes.
• Usage Data: Game events (e.g., number of generations, games played) are logged for usage tracking and billing purposes.
• Local Storage: We store a randomly generated player ID and active game code in your browser’s local storage. This is not transmitted to third parties.

2.3 Information We Do NOT Collect

• We do not use third-party advertising trackers or analytics cookies.
• We do not collect location data beyond IP-based geolocation.
• We do not collect biometric data. Photos are processed as standard images, not biometric templates.
• We do not sell your personal information to anyone, ever.

3. How We Use Your Information

• Photos: Sent to Google’s Gemini AI API to generate game images. Photos are transmitted securely and are not used to train AI models by RoastDeck.
• Display Name: Shown to other players in your game session.
• IP Address: Used for rate limiting (preventing abuse) and free-tier usage tracking.
• Account Info: Used to identify your account, manage purchases, and enable game features.
• Usage Data: Used to enforce free-tier limits and improve the Service.

4. Third-Party Services

We use the following third-party services to operate RoastDeck:

5. Data Retention

• Photos & Generated Images: Stored for as long as the game session data exists. We may periodically purge game data older than 90 days.
• Account Data: Retained as long as your account is active. You may request deletion at any time.
• Usage Logs: IP-based usage data is retained for up to 30 days for rate limiting purposes, then deleted.
• Payment Records: Transaction records are retained as required by law and Stripe’s data retention policies.

6. Data Security

We implement reasonable technical and organizational measures to protect your data, including:

• HTTPS encryption for all data in transit
• Encryption at rest for stored data (via Supabase)
• API key authentication for all server-to-server communication
• Rate limiting and abuse detection
• AI-based content moderation to reject inappropriate uploads

However, no system is 100% secure. We cannot guarantee absolute security of your data.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of your personal data.
• Deletion: Request deletion of your account and associated data.
• Correction: Request correction of inaccurate data.
• Portability: Request your data in a machine-readable format.
• Objection: Object to certain processing of your data.
• Withdrawal of Consent: Withdraw consent for data processing at any time.

To exercise any of these rights, contact us at privacy@roastdeck.com. We will respond within 30 days.

8. California Residents (CCPA)

If you are a California resident, you have the right to: (a) know what personal information we collect and how it is used; (b) request deletion of your personal information; (c) opt out of the sale of your personal information. We do not sell personal information. To make a request, email privacy@roastdeck.com.

9. European Residents (GDPR)

If you are in the European Economic Area (EEA), our legal basis for processing your data is:

• Consent: You consent to photo processing when you upload a photo to the game.
• Contract: Processing is necessary to provide the Service you requested.
• Legitimate Interest: Rate limiting, abuse prevention, and service improvement.

You may withdraw consent at any time by deleting your photo or contacting us. Your data is processed in the United States. By using the Service, you consent to this transfer.

10. Children’s Privacy

RoastDeck is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided personal information, we will delete it promptly. If you believe a child under 13 has used the Service, contact us at privacy@roastdeck.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new “Last updated” date. Continued use of the Service constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions or data requests, contact us at:

privacy@roastdeck.com