GameShuffle

Privacy Policy

Effective Date: March 26, 2026
Operator: Empac (empac.co)
Platform: GameShuffle (gameshuffle.co)

1. Introduction

GameShuffle (“we,” “us,” or “our”) is operated by Empac. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have over your data.

We built GameShuffle with privacy in mind. We use cookieless analytics by default, we don't sell your data, and we give you full control over your account — including permanent, self-service deletion.

By using GameShuffle, you agree to the collection and use of information as described in this Policy.

2. Information We Collect

2.1 Information You Provide Directly

Account information:

  • Email address (required for signup)
  • Display name and username
  • Password (bcrypt-hashed by Supabase — we never store plain-text passwords)
  • Gamertags you choose to add: PlayStation Network, Nintendo Switch Online, Xbox Live, Steam, and Epic Games usernames

Profile preferences:

  • Avatar preference (initials, Discord avatar, or Twitch avatar)
  • Game night profile settings including player count, content preferences, and consoles owned (currently stored but not actively displayed)

Tournament data:

  • Tournament details you create: title, description, rules, race settings, track lists, and item restrictions
  • Participant registration information: display name, friend code, Discord username, and participation status

Saved configurations:

  • Randomizer setups, kart builds, item sets, and other tool configurations you save to your account

Contact form submissions:

  • Any information you voluntarily submit via our contact form (powered by JotForm)

2.2 Information From Third-Party Sign-In Providers

If you sign in or link your account using Discord or Twitch, we receive the following from those providers:

  • Discord: User ID, username, and avatar URL
  • Twitch: User ID, username, and avatar URL

We do not receive your password from these providers. Their collection and handling of your data is governed by their own privacy policies.

2.3 Information Collected Automatically

Server and infrastructure logs: Vercel, our hosting provider, collects standard server logs including IP addresses and request metadata as part of normal infrastructure operation. We do not use this data for tracking or profiling.

Bot protection: Cloudflare Turnstile is used on signup and login forms to detect and prevent automated abuse. It processes your IP address and browser fingerprint. It does not set cookies and is invisible to normal users.

Analytics: We use two analytics tools with different privacy profiles:

  • Plausible Analytics — cookieless, privacy-friendly analytics that collects page views and custom events without using cookies or tracking you across sites. This runs for all visitors regardless of cookie consent because it does not require consent under GDPR or CCPA by design.
  • Google Analytics (G-WBXS3D8GBL) — collects page views, events, and anonymized IP addresses. This tool uses cookies and is only loaded if you explicitly accept cookies via our consent banner.

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your account
  • Provide the features and functionality of the Service, including randomizers, tournament management, and competitive tools
  • Authenticate your identity and keep your account secure
  • Display your profile information to other users where you have chosen to make it public (e.g., tournament participant lists, public profiles at /u/[username])
  • Respond to your support requests and contact form submissions
  • Understand how the Service is used so we can improve it (via analytics)
  • Enforce our Terms of Service and protect the integrity of the platform
  • Comply with legal obligations

We do not use your data to serve targeted advertising. We do not sell your data to third parties.

4. Cookies & Analytics

4.1 What Cookies We Use

GameShuffle uses a minimal number of cookies:

| Cookie | Purpose | Duration | Consent required? |
| --- | --- | --- | --- |
| Supabase session (HTTP-only JWT) | Keeps you logged in | Session / refresh cycle | No — functionally required |
| cookieConsent (localStorage) | Remembers your cookie consent choice | Persistent | No — preference only |
| Google Analytics cookies | Usage analytics | Up to 2 years | Yes — only set after consent |

4.2 Cookie Consent

On your first visit, a banner asks whether you accept analytics cookies. If you accept, Google Analytics is loaded. If you decline, only Plausible (cookieless) runs. You can use the full platform regardless of your choice — we do not gate any features behind cookie consent.

Your preference is stored in your browser's localStorage under the key cookieConsent. You can change your preference at any time by clearing your browser storage or contacting us.

4.3 Opting Out

  • Google Analytics: Decline cookies via our consent banner, or use the Google Analytics Opt-Out Browser Add-On
  • Plausible: Plausible is cookieless and does not track you across sites. No opt-out is required, but Plausible honors standard Do Not Track signals.

5. Data Storage & Security

5.1 Where Your Data Is Stored

All account and application data is stored in Supabase's PostgreSQL database. Supabase is hosted on AWS infrastructure. Data may be processed in the United States or other jurisdictions where Supabase operates.

5.2 How We Protect Your Data

We take security seriously and have implemented the following protections:

  • Password hashing: All passwords are bcrypt-hashed server-side by Supabase. Compromised password detection is enabled.
  • Row-Level Security (RLS): Enabled on all database tables — you can only read or write your own data unless content is explicitly public.
  • Session management: Handled by Supabase Auth using JWT access tokens and refresh tokens stored in HTTP-only cookies, inaccessible to JavaScript.
  • Bot protection: Cloudflare Turnstile on all authentication forms.
  • Brute force protection: Client-side lockout after 5 failed login attempts with a 60-second cooldown, backed by Supabase server-side rate limiting.
  • Service role key: Our server-side admin key is never exposed to the browser and is only used for specific privileged operations.
  • Email verification: Required before creating or joining tournaments.

No system is perfectly secure. While we work hard to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately.

6. Third-Party Services

We work with the following third-party services to operate GameShuffle. Each has its own privacy practices:

| Service | Purpose | Privacy Policy |
| --- | --- | --- |
| Supabase | Auth, database, real-time | supabase.com/privacy |
| Vercel | Hosting and infrastructure | vercel.com/legal/privacy-policy |
| Cloudflare | Bot protection (Turnstile) | cloudflare.com/privacypolicy |
| Google Analytics | Usage analytics (with consent) | policies.google.com/privacy |
| Plausible | Cookieless analytics | plausible.io/privacy |
| Discord | OAuth sign-in, account linking | discord.com/privacy |
| Twitch | OAuth sign-in, account linking | twitch.tv/p/legal/privacy-notice |
| JotForm | Contact form | jotform.com/privacy |

We are not responsible for the data practices of these third parties. We encourage you to review their privacy policies.

7. Public Information & Sharing

Some information on GameShuffle is visible to other users or the public:

  • Public profiles (/u/[username]) — your display name, username, and any content you choose to display publicly
  • Tournament listings — tournaments you create are publicly browsable, including their title, description, and participant list
  • Shared configurations — saved randomizer configs with a share link are accessible to anyone with the link
  • Tournament participation — your display name and registration status are visible to other tournament participants and the organizer

You control what you share. You can manage your public profile and linked accounts from your account settings at any time.

8. Data Retention & Deletion

8.1 Retention

We retain your account data for as long as your account is active. If you delete your account, all associated data is permanently deleted immediately via cascading database constraints.

8.2 Account Deletion

You can delete your account at any time from your account settings. This action is:

  • Immediate — your account is removed right away
  • Permanent — deletion cannot be undone
  • Complete — all associated data including saved configs, tournament registrations, and profile information is deleted

Exception: Tournament data you created persists for other participants even after your account is deleted. Your organizer reference becomes null, but participant registrations submitted by others remain accessible to those participants.

8.3 Supabase Auth Logs

Supabase retains authentication audit logs per their own data retention policy, independent of our account deletion process.

9. Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access — view all personal data we hold about you via your account settings
  • Correction — edit your profile information at any time from account settings
  • Deletion — permanently delete your account and all associated data via self-service
  • Portability — data export is not yet available but is planned for a future update
  • Withdraw consent — decline or withdraw analytics cookie consent at any time
  • Unlink OAuth providers — disconnect Discord or Twitch from your account at any time

To exercise any right not available via self-service, contact us at the address below and we will respond within 30 days.

California residents (CCPA): We do not sell personal information. You have the right to know what data we collect and to request deletion — both available via your account settings or by contacting us.

EEA/UK residents (GDPR): Our legal basis for processing your data is performance of a contract (providing the Service you signed up for) and, where applicable, your consent (analytics cookies). You have the right to lodge a complaint with your local supervisory authority.

10. Children's Privacy

GameShuffle is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the Effective Date at the top of this page. Continued use of the Service after changes take effect constitutes your acceptance of the updated Policy.

12. Contact

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Empac
hello@empac.co
empac.co


© 2026 GameShuffle
