Privacy policy

The data controller for The Price Games is a natural person acting in a private capacity, with no registered commercial activity at the time of writing. For any privacy-related request, or to exercise any of the rights listed below, the single contact channel is hello@thepricegames.com.

Signing in is optional. If you choose to sign in, we use Google OAuth (via Supabase Auth) and receive the following data from your Google account: email address, display name, profile picture URL, and your Google account identifier (the OpenID "sub" claim). We do not receive your password and we do not request any additional Google scopes beyond email, profile and openid.

Purpose: authenticate you, show your name and photo on the leaderboard, and persist your personal bests across devices. Legal basis (GDPR art. 6.1.a): the consent you actively give by clicking "Sign in with Google". You can withdraw it at any time by deleting your account, without affecting the lawfulness of prior processing.

Retention: your account data (profile, scores, auth record) is kept for as long as your account exists. You can delete it at any time from the menu drawer (Delete account) — this wipes your Supabase Auth record, your profile and all your scores instantly and permanently. Encrypted backups rotated by our database provider (Supabase) may retain residual copies for the duration of the backup window applicable to our current plan before being overwritten.

International transfers: authentication is handled by Google LLC (United States), which is certified under the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023). Operational data is stored by Supabase Inc. on AWS eu-central-1 (Frankfurt, EU); where Supabase processes data from outside the EEA it relies on the Standard Contractual Clauses (Commission Decision 2021/914/EU) together with the DPF.

Public exposure: when you are logged in, your display name and avatar are visible on the public leaderboard and may be indexed by search engines. You can change your display name from the menu drawer or remove it entirely by deleting your account.

IP address: when you sign in, Supabase Auth logs the source IP of the authentication request for security and abuse-prevention purposes. These logs are retained under Supabase’s standard operational policies.

We do not use cookies for advertising, retargeting or cross-site tracking. Because we only set strictly necessary cookies, we consider that no ePrivacy consent banner is required for our current setup.

When you sign in with Google, Supabase Auth stores a strictly-necessary session cookie on this domain (named sb-<project>-auth-token, which may be split across sb-<project>-auth-token.0 and sb-<project>-auth-token.1 depending on token size). It contains your signed session token so you stay logged in between visits; it is removed when you sign out or delete your account.

We do not set any other cookies. No third-party analytics, no fingerprinting, no tracking pixels.

We collect gameplay statistics (for example: rounds played, scores, hit rate) directly in our own database. For anonymous players these records hold no identifier. For signed-in players they are linked to your account, which makes them pseudonymised personal data under GDPR, and they are deleted together with your account.

We share or rely on the following processors to run the service. Their own privacy policies apply:

• Google (authentication via OAuth) — policies.google.com/privacy
• Supabase (database, auth and hosting of user data, on AWS eu-central-1) — supabase.com/privacy
• eBay (source of product data and affiliate tracking when you click a product link) — ebay.com/help/policies/member-behaviour-policies/user-privacy-notice

If you are in the EU or the UK, you have the following rights over your personal data:

• Access — request a copy of the data we hold about you.
• Rectification — correct inaccurate data (e.g. change your display name in the menu).
• Erasure — delete your account and all associated data (in-app, or by email).
• Restriction — ask us to pause processing while a claim is resolved.
• Portability — receive your data in a machine-readable format. Request this by email.
• Withdrawal of consent (GDPR art. 7.3) — you may withdraw the consent you gave when signing in at any time. Withdrawing consent is equivalent to deleting your account and does not affect the lawfulness of processing carried out beforehand.
• Objection (GDPR art. 21) — you may object to processing of your data when it is based on legitimate interests or for profiling purposes. We honour objections unless there are compelling legitimate grounds to continue.
• No automated decision-making (GDPR art. 22) — we do not take decisions based solely on automated processing, nor do we perform profiling that produces legal or similarly significant effects on you.

To exercise any of these rights, use the in-app Delete account button or write to hello@thepricegames.com. We respond within 30 days.

If you believe we are handling your data incorrectly, you can lodge a complaint with a data-protection authority. In Spain this is the Agencia Española de Protección de Datos (aepd.es); in the United Kingdom, the Information Commissioner’s Office (ico.org.uk). EU residents may alternatively contact the supervisory authority of their country of residence.

Playing anonymously has no age requirement. Signing in with Google, however, is only allowed if you meet the minimum age set by your jurisdiction: 16 by default under the EU GDPR (14 in Spain under LOPDGDD art. 7, other member states may differ) and 13 in the United States under COPPA. If you are below the applicable age, please do not sign in.

We may update this policy as the service evolves. The "Last updated" date at the top of this page reflects the current version.

For any privacy enquiry (data access, deletion, portability, complaints), write to: hello@thepricegames.com