Privacy Policy

Summary

• Local-first processing available: extraction and embeddings can run in your browser and be stored locally.
• Cloud workflow: Supabase Storage and database for cross-device access.
• Authentication via Google (Supabase Auth) with session cookies.
• Ads for free users via Google AdSense with consent where required.

1. Data We Process

1.1 Account and Authentication

Email, OAuth identifiers via Google sign-in (Supabase Auth), and session tokens/cookies (e.g., sb-*).

1.2 Content You Provide

Rulebook files and text you upload. Derived data needed for operation: extracted text, chunks, and embeddings. In local mode, they remain in your browser storage. In cloud mode (your Cloud Library), they are stored in Supabase and scoped to your account for AI search and chat. Note: Cloud Library is not a general-purpose file drive.

1.3 Usage and Device Data

IP address, browser/OS, pages visited, timestamps, and diagnostic logs for security and reliability.

1.5 Advertising (Free Users)

Google AdSense receives signals necessary to render ads. In the EEA/UK, we request consent for personalization; absent consent, we serve non-personalized ads.

2. Legal Bases (GDPR)

• Contract (Art. 6(1)(b)): provide the Service you request.
• Consent (Art. 6(1)(a)): ad personalization where required; optional cookies.
• Legitimate interests (Art. 6(1)(f)): security, fraud prevention, reliability, and measurement.
• Legal obligations (Art. 6(1)(c)): compliance with applicable laws.

3. How We Use Your Data

• Operate uploads, chat, search, and game association features.
• Authenticate and secure accounts, prevent abuse, and maintain reliability.
• Store and retrieve your rulebooks and derived data (local/cloud per your choice).
• Show ads to free users (with consent where required).

4. AI and Third‑Party Services

To generate answers, we may transmit your prompts and small, relevant excerpts of your content to AI model providers. We minimize what we send. Key providers include Vercel (hosting), Supabase (auth/db/storage), Google (AdSense, OAuth), and AI model vendors (e.g., OpenAI, Anthropic). We use DPAs and, where required, SCCs.

5. Cookies and Local Storage

Essential cookies (auth) are required. Local storage powers local-first processing (extracted text, chunks, embeddings). Ad cookies are used by Google AdSense. In EEA/UK we seek consent for personalization; if declined, we serve non-personalized ads. You can clear cookies/local storage in your browser; functionality may be affected.

6. Data Sharing

We do not sell personal data. We share data with subprocessors to operate the Service, for legal reasons, and during business transfers with safeguards.

7. International Transfers

Where data leaves your jurisdiction, we rely on lawful transfer mechanisms (e.g., SCCs) and appropriate safeguards.

8. Retention

• Account: while active and as needed for security/legal obligations.
• Uploads/derived data: until you delete them or close your account (cloud) or clear your browser (local).
• Logs: typically [30–90 days], unless needed for security/legal reasons.

9. Your Rights

Depending on your jurisdiction (e.g., EEA/UK), you can access, rectify, delete, restrict, object (including to ads), port your data, and withdraw consent. Contact support@blindpixelsstudio.com. We may verify identity and respond within one month.

10. Security

Measures include TLS, access controls, least privilege, Row-Level Security (RLS), and monitoring. No system is 100% secure; protect your devices.

11. Children’s Privacy

This Service is not intended for children under 13 (or the age of digital consent in your jurisdiction).

12. Ads and Consent

We show ads via Google AdSense on select pages, primarily to free users. In EEA/UK, we request consents where required. If you decline, we serve non-personalized ads.

13. Changes

We may update this Policy. We’ll revise the “Last updated” date and, for material changes, provide prominent notice.