Privacy Policy

Effective: May 18, 2026

1. Introduction

This Privacy Policy explains how Analardo Games ("we", "us", "our") collects, uses, and protects your personal data when you use Clueshot at clueshot.com ("the Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

The data controller for the Service is Analardo Games. For any questions regarding your personal data, you can contact us at info@clueshot.com.

3. Data We Collect

We collect the following categories of data:

Account data: Email address and hashed password (stored securely by our authentication provider, Supabase). If you sign in with Google, we receive your email address from Google.
Profile data: Account creation date, number of games created, and number of games played.
Game data: Game titles, descriptions, step passwords, step instructions, photo URLs, and (optionally) GPS coordinates you attach to a step. All game data you create is stored as part of your games.
Photos: Images you upload as part of game creation, stored in cloud storage.
Game progress: Which games you have played, your current step, and completion status.
Payment data: If you subscribe to Clueshot Pro, Stripe processes your payment information (card details, billing address). We do not store your full card number or payment details. We store your Stripe customer identifier and subscription status in our database to manage your subscription.
Technical data: Our hosting provider (Netlify) and database provider (Supabase) automatically collect server access logs, which may include IP addresses, browser type, and access timestamps.
Analytics data: We use Google Analytics, deployed via Google Tag Manager, to understand how visitors use the Service. It sets cookies and collects data such as your IP address, device and browser type, pages viewed, referring pages, and approximate (city-level) location. We use this data only in aggregated form to measure and improve the Service.

When you open a clue's location map, your browser may share your device location and (with permission) compass heading with the map view to help you find the clue. This data stays on your device — Clueshot never receives or stores it.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service — account management, game creation, game progress tracking.
Legitimate interest (Art. 6(1)(f)): Service operation, security monitoring, infrastructure maintenance, and analytics to measure usage and improve the Service.
Consent (Art. 6(1)(a)): When you register an account and agree to these terms. You may withdraw consent at any time by deleting your account.

5. How We Use Your Data

We use your data to:

Provide and operate the scavenger hunt service.
Store and display games you create.
Track your game progress so you can resume games.
Manage your account and authenticate your identity.
Send transactional emails (account confirmation, password reset).

We do not use your data for advertising, profiling, or automated decision-making.

6. Data Sharing and Third Parties

We share your data with the following service providers, solely for the purpose of operating the Service:

Supabase (database, authentication, file storage) — processes account data, game data, photos, and progress. Based in the US.
Netlify (web hosting) — serves the application and processes server access logs. Based in the US.
Google (OAuth sign-in) — only if you choose to sign in with Google. Subject to Google's Privacy Policy.
Google Analytics (usage analytics, deployed via Google Tag Manager) — Google processes analytics data such as cookie identifiers, IP address, and usage events to provide us with aggregated statistics on how the Service is used. Subject to Google's Privacy Policy. Based in the US.
Stripe (payment processing) — processes payment information for Clueshot Pro subscriptions. We share your email address with Stripe when you subscribe. Subject to Stripe's Privacy Policy. Based in the US.
Resend (email delivery) — processes your email address for transactional emails (confirmation, password reset). Based in the US.
Public CDNs: Open-source libraries (Leaflet maps, Supabase JS SDK, QR helpers) and the Caveat font are loaded from public CDNs (jsDelivr, esm.sh, Google Fonts). Map tiles are loaded from OpenStreetMap. Your IP address is visible to those providers when files are fetched. We do not control these providers; their use is necessary to render the application.

We do not sell or rent your personal data, and we do not share it with third parties other than the service providers listed above. We do not use advertising networks.

7. Data Retention

We retain your data as follows:

Account data and profile: Retained until you delete your account.
Game progress: Retained until you delete your account.
Games you created: Upon account deletion, your games become anonymous (the link between your account and the games is removed). The games and their associated photos remain accessible to preserve the experience for other players who may have shared links.
Payment data: Stripe retains payment records according to their retention policy and legal requirements. We retain your Stripe customer identifier and subscription status until account deletion.
Server logs: Retained according to our hosting providers' standard retention policies.

8. Your Rights Under GDPR

Under the GDPR (Articles 15-22), you have the following rights regarding your personal data:

Right of access (Art. 15): You can request a copy of the personal data we hold about you.
Right to rectification (Art. 16): You can request correction of inaccurate personal data.
Right to erasure (Art. 17): You can delete your account at any time through the user menu in the application. This permanently removes your profile and progress data.
Right to restriction of processing (Art. 18): You can request that we limit how we process your data.
Right to data portability (Art. 20): You can request your data in a structured, machine-readable format.
Right to object (Art. 21): You can object to processing based on legitimate interest.
Right to withdraw consent: You may withdraw your consent at any time by deleting your account.
Right to lodge a complaint: You have the right to file a complaint with a data protection supervisory authority.

To exercise any of these rights, please contact us at info@clueshot.com.

9. Cookies and Local Storage

The Service uses browser local storage and cookies as follows:

Authentication tokens: Supabase stores session tokens in local storage to keep you signed in.
Game session (clueshot_session): Current game progress is cached locally for seamless gameplay.
Draft data (clueshot_draft): Unsaved game creation drafts are temporarily stored locally and automatically expire after 1 hour.
Analytics cookies: Google Analytics sets cookies (such as _ga) to distinguish visitors and measure how the Service is used. These cookies are deployed through Google Tag Manager.

10. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at info@clueshot.com and we will delete it promptly.

11. International Data Transfers

Your data is processed by service providers based in the United States (Supabase, Netlify, Resend, Stripe, Google). These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Effective" date at the top of this page. We encourage you to review this policy periodically.

13. Contact

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at info@clueshot.com.