Privacy Policy

This Privacy Policy explains how Boardly ("we", "us") at boardly.games collects, uses, and protects personal information when you use our board games web app. It should be read together with our Terms of Service.

Depending on how you use Boardly, we may process:

• Account and contact data: email address (for magic-link or OAuth sign-in), authentication identifiers from our auth provider (Supabase), and optional profile fields such as username, avatar, and country.
• Game data: games you create or join, moves, results, timers, ELO or similar ratings, invites, friend connections, notifications, and badges earned in the app.
• Guest usage: if you play without a full account, we may store a temporary anonymous identifier and limited game activity subject to guest limits.
• Analytics: when enabled, Google Analytics 4 (GA4) collects usage data such as pages visited, events (for example sign-in or game start), device/browser type, and approximate location derived from IP. GA4 is configured via our hosting; we use it to understand how the product is used and to improve it.
• Technical data: server logs, cookies needed for sign-in and preferences (such as language), and security-related information.
• Email delivery: if you enable turn reminders or receive transactional email, we process your email address and message metadata through our email provider.

We do not sell your personal data.

On your first visit, we show a cookie banner where you can accept all cookies, decline non-essential cookies, or customize your choices. Your selection is stored in your browser's localStorage so we can remember it on future visits. You can change your choices anytime via Cookie settings in the site footer.

• Essential cookies: required for sign-in, security, and preferences such as language. These always run.
• Analytics cookies: Google Analytics 4 loads only if you enable analytics. If you decline, GA4 scripts and events are not used.

We use personal data to:

• Provide sign-in, games, rankings, friends, and notifications.
• Maintain security, prevent abuse, and enforce our Terms.
• Send service-related email (for example magic links or turn reminders you opt into).
• Measure and improve the product via GA4 analytics.
• Comply with legal obligations.

Our legal bases under the GDPR (where applicable) include performance of a contract (providing the service you request), legitimate interests (security, analytics, product improvement), and consent where required (for example optional marketing, if we ever offer it).

We rely on trusted service providers to run Boardly, including:

• Supabase (authentication and database hosting)
• Vercel or similar hosting for the web application
• Google Analytics 4 (analytics, when enabled)
• Resend or similar providers (transactional email)

These processors handle data on our instructions and under their own privacy terms. We may also disclose information if required by law or to protect rights and safety.

We keep account and game data while your account is active and for a reasonable period afterward so you can return to your history, unless you ask us to delete it sooner. Analytics data in GA4 is retained according to our GA4 property settings (typically up to 14 months for standard reports). Server logs are rotated on a short schedule. After account deletion, we delete or anonymize personal data within a reasonable time, except where we must keep certain records for legal, security, or dispute purposes.

If you are in the European Economic Area, UK, or another region with similar laws, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request erasure ("right to be forgotten")
• Restrict or object to certain processing
• Data portability, where applicable
• Withdraw consent where processing is consent-based
• Lodge a complaint with your local data protection authority

To exercise these rights, contact hello@boardly.games. We will respond within the timeframes required by law (typically one month).

Request account and data deletion: email hello@boardly.games with the subject "Data deletion request" from the address linked to your account, or use this pre-filled deletion request email. We will verify your request and delete or anonymize personal data within a reasonable time, except where we must retain certain records for legal, security, or dispute purposes.

Our providers may process data in the United States or other countries. Where required, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms offered by our vendors.

Boardly is not directed at children under 13 (or the minimum age in your country). If you believe a child has provided personal data without appropriate consent, contact us and we will take steps to delete it.

We use industry-standard measures such as HTTPS, access controls, and hosted infrastructure from reputable providers. No online service is completely secure; please use a strong, unique email account and report suspected issues to us promptly.

We may update this Privacy Policy from time to time. The "Last updated" date at the top will change when we do. Material changes may also be highlighted in the app where practical.

Privacy questions or requests: hello@boardly.games.