Privacy Policy
Last updated: July 2026
What we collect
Without an account (anonymous play): we store only what is needed to run the app on your device — your level, streak, and daily history — in your browser's localStorage. Nothing is sent to a server except anonymous analytics events (see below).
With a free account: we store your email address for authentication, plus your level, streak, daily scores, and per-theme accuracy. This lets you keep your streak across devices.
With The Program (paid): all of the above, plus assessment results and, if you connect them, puzzle positions from your own games.
What we don't collect
- No passwords. Authentication is email link only.
- No payment card data — payments are handled by Stripe.
- No advertising trackers or third-party ad networks.
- No data is sold or shared with marketers.
Analytics
We use Plausible Analytics — a privacy-first tool that collects no personal data, uses no cookies, and is not governed by GDPR cookie consent requirements. We also log anonymous event beacons (puzzle solved/missed, level picked) to a Cloudflare D1 database for product analytics. These events carry no user identifier.
Third-party infrastructure
- Cloudflare Pages: hosts the site. Cloudflare logs standard web request data per their privacy policy.
- Supabase: stores user accounts and progress data. Data is hosted in a Supabase project on AWS us-east-1. See Supabase privacy policy.
- Stripe: processes subscription payments. We never see your card number. See Stripe privacy policy.
Your rights
If you have an account, you can:
- Export your data — email [email protected] with the subject "Data export" and we will send you all stored data within 7 days. (A self-serve export link is coming in a future update.)
- Delete your account — email [email protected] with the subject "Delete my account". We will permanently delete your email and all associated data within 7 days. Aggregate, non-identifiable analytics are not deleted (they contain no personal data).
Cookies
We use no analytics cookies. Supabase auth uses a session token stored in localStorage, not as a cookie. If you clear localStorage, you will be signed out.
Data retention
Account data is retained while your account is active. If your account is inactive for 2 years, we will email you before deletion. Anonymous localStorage data is never sent to us and is subject to your browser's own retention rules.
Contact
Questions? [email protected]