1.Introduction#
GameShuffle (“we,” “us,” or “our”) is operated by Britton Lorentzen, doing business as Empac and GameShuffle, with a registered business address at 4904 168th Ave E, Lake Tapps, WA 98391. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have over your data.
We built GameShuffle with privacy in mind. We use cookieless analytics by default, we don't sell your data, and we give you full control over your account — including permanent, self-service deletion.
By using GameShuffle, you agree to the collection and use of information as described in this Policy.
2.Information We Collect#
2.1Information You Provide Directly
Account information:
- Email address (required for signup)
- Display name and username
- Password (bcrypt-hashed by Supabase — we never store plain-text passwords)
- Gamertags you choose to add: PlayStation Network, Nintendo Switch Online, Xbox Live, Steam, and Epic Games usernames
Profile preferences:
- Avatar preference (initials, Discord avatar, or Twitch avatar)
- Game night profile settings including player count, content preferences, and consoles owned
Tournament data:
- Tournament details you create: title, description, rules, race settings, track lists, and item restrictions
- Participant registration information: display name, friend code, Discord username, and participation status
Saved configurations:
- Randomizer setups, kart builds, item sets, and other tool configurations you save to your account
Subscription and payment information:
- If you subscribe to GameShuffle Pro, billing information including your name, billing address, and payment card information is collected and processed by Stripe. We do not store your full payment card number — Stripe handles all payment data directly.
- We store subscription status, plan tier, billing cycle, and trial usage history
Contact form submissions:
- Any information you voluntarily submit via our contact form
2.2Information From Third-Party Sign-In Providers
If you sign in or link your account using Discord or Twitch, we receive the following from those providers:
- Discord: User ID, username, email address, and avatar URL
- Twitch: User ID, username, email address, and avatar URL
We do not receive your password from these providers. Their collection and handling of your data is governed by their own privacy policies.
2.3Twitch Streamer Integration
If you connect your Twitch account for the streamer integration (distinct from sign-in), we additionally collect and store:
- Your Twitch display name, login, and numeric user ID
- OAuth access and refresh tokens, encrypted at rest using AES-256-GCM, used to subscribe to your stream's events and manage channel point rewards on your behalf
- The scopes you authorize (e.g. reading chat as the GameShuffle bot, managing channel point redemptions)
- Live session data while you're streaming: current Twitch category, viewers who opt into your randomizer lobby (their Twitch user ID and display name), and the randomized loadouts generated for each shuffle
- A randomly generated overlay token that powers your OBS browser source and the public lobby viewer page
You can disconnect the Twitch integration at any time from the Twitch dashboard page. Disconnecting revokes the OAuth tokens, removes the channel point reward we created, deletes our EventSub subscriptions, and deletes the stored connection record and all session data.
2.4Information Collected Automatically
Server and infrastructure logs: Vercel, our hosting provider, collects standard server logs including IP addresses and request metadata as part of normal infrastructure operation. We do not use this data for tracking or profiling.
Bot protection: Cloudflare Turnstile is used on signup and login forms to detect and prevent automated abuse. It processes your IP address and browser fingerprint. It does not set cookies and is invisible to normal users.
Analytics: We use two analytics tools with different privacy profiles:
- Plausible Analytics — cookieless, privacy-friendly analytics that collects page views and custom events without using cookies or tracking you across sites. This runs for all visitors regardless of cookie consent because it does not require consent under GDPR or CCPA by design.
- Google Analytics (G-WBXS3D8GBL) — collects page views, events, and anonymized IP addresses. This tool uses cookies and is only loaded if you explicitly accept cookies via our consent banner.
3.How We Use Your Information#
We use the information we collect to:
- Create and manage your account
- Provide the features and functionality of the Service, including randomizers, tournament management, sessions, and competitive tools
- Process subscription payments and manage your GameShuffle Pro subscription if applicable
- Authenticate your identity and keep your account secure
- Display your profile information to other users where you have chosen to make it public
- Manage third-party platform integrations (such as Twitch and Discord) on your behalf, including maintaining authenticated connections, executing bot commands you've configured, and managing real-time event subscriptions
- Save and apply your preferences, settings, and configurations across the Service
- Respond to your support requests and contact form submissions
- Send transactional emails (receipts, password resets, trial-ending notifications, account changes)
- Send marketing and promotional communications, only with your opt-in consent
- Understand how the Service is used so we can improve it (via analytics)
- Monitor and maintain the reliability of third-party platform integrations
- Enforce our Terms of Service and protect the integrity of the platform
- Comply with legal obligations
We do not use your data to serve targeted advertising. We do not sell your data to third parties.
5.Data Storage & Security#
5.1Where Your Data Is Stored
All account and application data is stored in Supabase's PostgreSQL database. Supabase is hosted on AWS infrastructure, primarily in the United States. Plausible analytics data is processed in Germany. Other data may be processed in the United States or other jurisdictions where our service providers operate.
5.2How We Protect Your Data
We take security seriously and have implemented the following protections:
- Password hashing: All passwords are bcrypt-hashed server-side by Supabase. Compromised password detection is enabled.
- Row-Level Security (RLS): Enabled on all database tables — you can only read or write your own data unless content is explicitly public.
- Token encryption: Sensitive tokens including third-party OAuth credentials are encrypted at rest using AES-256-GCM.
- Session management: Handled by Supabase Auth using JWT access tokens and refresh tokens stored in HTTP-only cookies, inaccessible to JavaScript.
- Bot protection: Cloudflare Turnstile on all authentication forms.
- Brute force protection: Client-side lockout after failed login attempts with cooldown periods, backed by Supabase server-side rate limiting.
- Service role key: Our server-side admin key is never exposed to the browser and is only used for specific privileged operations.
- Email verification: Required before creating or joining tournaments.
- Payment security: Card data is handled entirely by Stripe (PCI-DSS Level 1 certified). We never see or store full card numbers.
No system is perfectly secure. While we work hard to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at privacy@gameshuffle.co.
6.Third-Party Services#
We work with the following third-party services to operate GameShuffle. Each has its own privacy practices:
Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Auth, database, real-time | supabase.com/privacy |
| Vercel | Hosting and infrastructure | vercel.com/legal/privacy-policy |
| Stripe | Payment processing for GameShuffle Pro | stripe.com/privacy |
| MailerSend | Transactional email delivery | mailersend.com/legal/privacy |
| Cloudflare | Bot protection (Turnstile) | cloudflare.com/privacypolicy |
| Google Analytics | Usage analytics (with consent) | policies.google.com/privacy |
| Plausible | Cookieless analytics | plausible.io/privacy |
| Discord | OAuth sign-in, account linking, bot integration | discord.com/privacy |
| Twitch | OAuth sign-in, account linking, streamer integration | twitch.tv/p/legal/privacy-notice |
| Termly | Privacy compliance, cookie consent banner, DSAR form | termly.io/our-privacy-policy |
| Sentry | Error monitoring (where applicable) | sentry.io/privacy |
We have data processing agreements (DPAs) in place with all service providers handling EU/UK personal data, incorporating Standard Contractual Clauses (SCCs) where required. We are not responsible for the data practices of these third parties. We encourage you to review their privacy policies.
7.Public Information & Sharing#
Some information on GameShuffle is visible to other users or the public:
- Public profiles (
/u/[username]) — your display name, username, and any content you choose to display publicly - Tournament listings — tournaments you create are publicly browsable, including their title, description, and participant list
- Shared configurations — saved randomizer configs with a share link are accessible to anyone with the link
- Tournament participation — your display name and registration status are visible to other tournament participants and the organizer
- Session participation — when you join a GameShuffle session, your display name and any picks/bans you make are visible to other session participants and viewers (where the streamer has enabled the public lobby viewer)
You control what you share. You can manage your public profile and linked accounts from your account settings at any time.
8.Data Retention & Deletion#
8.1Retention
We retain your account data for as long as your account is active. If you delete your account, all associated data is permanently deleted immediately via cascading database constraints.
For users who have subscribed to GameShuffle Pro, Stripe retains transaction records for 7 years per their own data retention policy (independent of our account deletion process), in compliance with US tax and financial recordkeeping requirements.
8.2Account Deletion
You can delete your account at any time from your account settings. This action is:
- Immediate — your account is removed right away
- Permanent — deletion cannot be undone
- Complete — all associated data including saved configs, tournament registrations, profile information, and integration tokens is deleted; active subscriptions are cancelled
Exception: Tournament data you created persists for other participants even after your account is deleted. Your organizer reference becomes null, but participant registrations submitted by others remain accessible to those participants.
8.3Supabase Auth Logs
Supabase retains authentication audit logs per their own data retention policy, independent of our account deletion process.
9.Your Rights#
Depending on where you are located, you may have the following rights regarding your personal data:
- Access — view all personal data we hold about you via your account settings or by submitting a request
- Correction — edit your profile information at any time from account settings
- Deletion — permanently delete your account and all associated data via self-service
- Portability — request a copy of your data in a portable format
- Withdraw consent — decline or withdraw analytics cookie consent at any time
- Unlink OAuth providers — disconnect Discord or Twitch from your account at any time
- Opt out of marketing — unsubscribe from marketing emails at any time via the link in every marketing email or via account settings
- Right to appeal — if we decline a privacy request, you may appeal by emailing privacy@gameshuffle.co
To exercise any right not available via self-service, submit a request via our Data Request Form or contact us at privacy@gameshuffle.co. We will respond within the timeframe required by applicable law (typically 30-45 days).
California residents (CCPA/CPRA): We do not sell or share personal information for cross-context behavioral advertising. You have the right to know what data we collect, request deletion, request correction, and opt out of any “sale” or “share” — all available via your account settings, our Data Request Form, or by contacting us.
Other US state residents: Residents of Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have similar rights under their respective state privacy laws.
EEA/UK residents (GDPR): Our legal basis for processing your data is performance of a contract (providing the Service you signed up for), legitimate interests (security, analytics, integration health), legal obligations (tax records, legal compliance), and where applicable, your consent (analytics cookies, marketing emails). You have the right to lodge a complaint with your local supervisory authority.
We do not currently have an EU/UK Article 27 representative as our processing of EU/UK personal data is occasional and does not involve high-risk processing. We will appoint a representative if our EU/UK presence grows to meet the threshold.
10.International Data Transfers#
Our servers are located in the United States, with some analytics processing in Germany (Plausible). Your information may be transferred to, stored by, and processed by us and our service providers in the United States, Germany, United Kingdom, Ireland, Canada, and other countries.
For transfers of personal information from the EEA, UK, or Switzerland to other countries, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers. Our service providers incorporate SCCs in their data processing agreements with us.
11.Children's Privacy#
GameShuffle is not directed at children under 13. We do not knowingly collect personal information from children under 13. By using the Service, you represent that you are at least 13 years old, or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. Users between the ages of 13 and 18 should review this Privacy Policy with a parent or guardian.
If we learn that personal information from users under 13 has been collected without verifiable parental consent, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under 13, please contact us at privacy@gameshuffle.co.
12.Changes to This Policy#
We may update this Privacy Policy from time to time. We will notify users of material changes by email at least 30 days before the changes take effect. Updates for new functionality, security updates, bug fixes, or court orders may take effect immediately. The Effective Date at the top of this page indicates when this Policy was last updated. Continued use of the Service after changes take effect constitutes your acceptance of the updated Policy.
13.Contact#
If you have questions about this Privacy Policy or how we handle your data, please contact us:
Britton Lorentzen, Data Protection Officer
Doing business as Empac and GameShuffle
4904 168th Ave E
Lake Tapps, WA 98391
United States
Email: privacy@gameshuffle.co
Phone: (888) 603-6722
To submit a privacy-related request, use our Data Request Form.