1. Data we collect

Account data: when you create an account, we collect your email address and an authentication identifier through Supabase.

Gameplay data: your daily guesses, win streaks, and game preferences are stored to track your progress.

Technical data: IP address (briefly, for geolocation of pricing), browser type, language, and approximate country (via hosting provider headers).

Analytics data: anonymized usage events (page views, button clicks, mode selections) collected via PostHog.

Advertising data: when ads are displayed, our ad partners (e.g. Google AdSense) may collect cookies and identifiers as described in their own policies.

2. How we use your data

We use your data to: (a) provide the game and save your progress, (b) authenticate your account, (c) display localized pricing for premium features, (d) measure usage to improve the product, (e) display advertising. The legal bases under GDPR are: performance of a contract (account, gameplay), legitimate interest (analytics, security), and consent (advertising cookies).

3. Third parties we share data with

Supabase Inc. (USA): hosts our database and authentication. Subject to standard contractual clauses.

Vercel Inc. (USA): hosts the website.

PostHog Inc. (USA): processes anonymized analytics events.

Stripe Inc. (USA/Ireland): processes payments for premium subscriptions.

Google LLC (USA): may serve ads via AdSense; see policies.google.com/technologies/ads.

We do not sell your personal data.

4. Cookies and tracking

We use cookies for: session authentication (essential), analytics (legitimate interest, anonymized), and advertising (consent-based for EU users). You can manage advertising consent at any time and decline non-essential cookies. Browser-level controls (Do Not Track, cookie blockers) are also respected.

5. Your rights (GDPR)

You have the right to: access your data, rectify inaccurate data, delete your data ("right to be forgotten"), restrict processing, data portability, object to processing, and withdraw consent at any time. To exercise any right, email us at contact@cardle.sh. You may also lodge a complaint with the CNIL (cnil.fr), the French data protection authority.

6. Data retention and security

Account data is kept as long as your account is active. Inactive accounts are deleted after 24 months of inactivity. Game history is kept indefinitely for streak tracking unless you request deletion. We use industry-standard encryption (HTTPS, encrypted database storage). No transmission over the internet can be guaranteed 100% secure.

7. Children

Cardle is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with data, contact us and we will delete it promptly.

8. Changes and contact

We may update this policy. The "Last updated" date reflects the latest revision. Material changes will be communicated via the site. For any question, write to contact@cardle.sh.