This Privacy Policy applies to the Puzzlock service operated by Flow Through Logic Pty Ltd (ABN 15 697 017 842, ACN 697 017 842), a company registered in Australia ("Puzzlock", "we", "us", or "our").
It sets out what personal information we collect, the purposes for which we collect it, who we share it with, how long we retain it, and the rights you have over it.
Questions or requests: [email protected].
1. Scope
This policy covers puzzlock.app and its sub-routes (including public profile pages, share pages, OG images, and the API endpoints the service calls). It applies to visitors, waitlist entrants, and registered players.
Puzzlock is in limited founder beta. No paid tier is offered and no payment information is collected.
2. What we collect
2.1 Information you provide
| Point of collection | Data collected |
|---|---|
| Sign-up | Email address, password (hashed; plaintext is never retained), display name, username, and a confirmation that you are 13 years of age or older. |
| Waitlist submission | Email address and an optional free-text explanation of your interest. |
| Feedback | The feedback text, your username, and (optionally) your email address. |
| Friend requests | Your user ID, the other player's user ID, and the status of the relationship (pending or accepted). |
2.2 Information generated through use of the service
- Skill ratings (SR) across ten cognitive constructs (Reasoning, Words, Hold, Pace, Focus, Restraint, Switch, Space, Recall, Numbers), including the underlying Glicko-2 state (rating, rating deviation, volatility, last-played time, peak rating, calibration progress).
- Puzzle counters including lifetime total, distinct puzzle types encountered, and per-construct history.
- High score and current weekly tier.
- Achievements, including progress, unlocked tiers, pinned trophies, and Genesis-step progress.
- Daily puzzle results: date, solve time in milliseconds, target word, and completion timestamp. The last 30 days are retained locally; server-side results are retained for the life of the account.
- Tournament runs: score and completion timestamp for each entry.
- Referral attribution: a single record identifying the player who invited you.
- Titles: titles earned and the title currently equipped.
2.3 Information we do not collect
- IP addresses are not logged by the application code.
- No browser-fingerprinting techniques are used.
- No analytics, product-analytics, error-reporting, or advertising SDKs are integrated (for example, Google Analytics, PostHog, Mixpanel, Sentry, or equivalent).
- No location data is collected.
- No payment information is collected during the beta.
- No access to device contacts, microphone, camera, or other sensors is requested.
Our hosting and database providers (Railway and Supabase) necessarily see IP addresses at the network layer for standard operational purposes, such as TLS termination, rate limiting, abuse detection, and authentication logging. Those logs are not retrieved or analysed by us. See §5.
3. Purposes and legal bases
If you are located in the European Economic Area or the United Kingdom, the following table identifies our legal bases under Article 6 of the GDPR / UK GDPR.
| Data | Purpose | Legal basis |
|---|---|---|
| Email, password, display name, username | Account creation and security | Performance of a contract (Art. 6(1)(b)) |
| SR, achievements, scores, streaks, daily results | Delivery of the core service | Performance of a contract (Art. 6(1)(b)) |
| Public profile surfaces (username, display name, SR, achievements, title, high score, friend count) | Leaderboards, share pages, public profile pages | Performance of a contract (Art. 6(1)(b)) and legitimate interests in operating a multiplayer service (Art. 6(1)(f)) |
| Waitlist email and explanation | Administering beta admission | Consent (Art. 6(1)(a)), withdrawable at any time |
| Feedback submissions | Product improvement | Legitimate interests (Art. 6(1)(f)) |
| Referral attribution | Administering the invite system | Performance of a contract (Art. 6(1)(b)) |
If you are located in Australia, we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
If you are located in California, the rights described in §8 are available to you under the CCPA and CPRA.
4. Where your data is stored and who can see it
4.1 Infrastructure
- Supabase hosts the production database and authentication service. The project is provisioned in Asia-Pacific (Tokyo, Japan), region ap-northeast-1.
- Railway hosts the Next.js application that serves puzzlock.app, deployed to US East (Virginia, United States).
- Google Apps Script and Google Sheets receive mirrored copies of waitlist entries and feedback submissions for internal review during the beta.
4.2 Public and private information
The following are publicly readable via the service's API (Supabase Row-Level Security is deliberately permissive on the tables that back public profiles and leaderboards):
- Username and display name
- Per-construct skill rating, mastery tiers, and peak rating (the monotonic peak is rendered on public profiles)
- High score and current weekly tier
- Earned achievements
- Equipped title
- Friend count
- Number of referrals
- Tournament scores
Share links and OG image cards (/u/<username>, /r/share, /d/share, and the corresponding /api/og/* images) embed a subset of the above for social-media rendering.
The following are private to you and are enforced by Row-Level Security:
- Email address
- Password hash (no plaintext equivalent is retained)
- Pending friend requests (visible only to the two users involved)
- Personal daily-puzzle completion records (daily_results rows are readable only by their owner)
4.3 Browser-side storage
Gameplay state is mirrored into your browser's localStorage to allow the service to function offline or with intermittent connectivity. Keys written include:
puzzlock-sr, puzzlock-highscore-v2, puzzlock-weekly-tier, puzzlock-achievements, puzzlock-achievement-pins, puzzlock-achievements-sync-version, puzzlock-recal-banner, puzzlock-daily, puzzlock-referrer, puzzlock-mute, puzzlock-tutorial-*, puzzlock-tournament-intro-seen:<tournament>, puzzlock-sr-reset-pending, and the Supabase authentication token key sb-<project-ref>-auth-token.
Signing out clears the account-scoped keys, so that a subsequent user of the same browser begins from an empty state.
5. Third-party recipients
- Supabase, Inc.: database and authentication services. Data is resident in Japan and is processed under Supabase's standard data processing addendum.
- Railway Corp.: application hosting in US East (Virginia). Railway handles HTTPS termination and request routing. Beyond ordinary API traffic, Railway does not receive gameplay data.
- Google LLC: Google Apps Script and Google Sheets, used to mirror waitlist entries and feedback text for internal review.
We do not sell, rent, or licence personal information to third parties for advertising or marketing purposes.
6. Retention
- Account data (email, profile, SR, achievements, scores, titles, referrals, friendships): retained for the life of your account. On deletion (see §7), rows keyed to your user ID are removed within 30 days.
- Waitlist entries: retained until admission or until you request removal. Entries older than 12 months that have not been admitted are reviewed quarterly and removed.
- Feedback submissions: retained for up to five years from the date of submission, or until you request earlier removal, whichever occurs first.
- Browser storage: cleared by you at any time via your browser's site-data controls; account-scoped keys are cleared on sign-out.
- Provider logs: retained in accordance with Supabase's and Railway's respective log-retention policies (typically 7 to 30 days for operational logs).
7. Your rights
All registered users have the following rights:
- Access: obtain a copy of the personal information we hold about you.
- Correction: update your display name or email address through the service. Username changes are processed on request.
- Deletion: have your account and associated records erased, either through the in-service "Delete account" function or by email.
- Portability: request a machine-readable copy (JSON) of your data.
- Objection and restriction: ask us to stop, or restrict, processing carried out on the basis of legitimate interests.
- Withdrawal of consent: for data held on the basis of consent (waitlist submissions, feedback), ask us to remove the record at any time.
Requests should be sent to [email protected] from the email address associated with your account (or, for waitlist deletions, the email address used on the waitlist form). Requests are ordinarily answered within 30 days and in any event within the time required by applicable law.
If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection authority. In Australia, complaints may be directed to the Office of the Australian Information Commissioner. In California, complaints may be directed to the California Attorney General.
8. California residents (CCPA / CPRA)
California residents have the right to know what personal information is collected, the right to delete it, the right to correct it, and the right to opt out of its "sale" or "sharing" as those terms are defined under California law.
We do not sell or share personal information within the meaning of the CCPA and CPRA. To exercise any other right, contact [email protected]. No cross-context behavioural advertising is used.
9. Children
Puzzlock is not directed to children under the age of 13. Registration requires a confirmation that the user is 13 years of age or older. Where we become aware that personal information has been collected from a child under 13 without verifiable parental consent, we delete the information.
A parent or guardian who believes that a child has registered may contact [email protected] to request removal.
10. International transfers
The service is operated from Australia. Personal information is stored on servers located in Japan (Supabase, ap-northeast-1) and the United States (Railway, US East). Where transfers of personal information out of the European Economic Area or the United Kingdom occur, we rely on:
- the Standard Contractual Clauses adopted by the European Commission (and, where applicable, the UK International Data Transfer Addendum), as incorporated into our providers' data processing terms; and
- the fact that we collect a minimal data set and do not handle special categories of personal data.
Where transfers of personal information out of Australia occur, we comply with Australian Privacy Principle 8 of the Privacy Act 1988 (Cth), including by taking reasonable steps to ensure that overseas recipients handle the information in a manner consistent with the APPs.
11. Security
- Passwords are hashed by Supabase Auth (GoTrue). Plaintext is never retained.
- All traffic is served over HTTPS.
- Row-Level Security policies restrict write access to records owned by the authenticated user.
- IP addresses are not logged in the application code.
Where a data breach occurs that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify those individuals and the relevant regulators (the Office of the Australian Information Commissioner and, where applicable, data protection authorities in the EEA or UK) in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) and Articles 33 and 34 of the GDPR, generally within 72 hours of becoming aware of the breach.
12. Cookies and similar technology
Puzzlock uses localStorage, not cookies, for authentication and gameplay state. See the Cookie Policy for detail.
13. Changes to this policy
This policy may be updated from time to time. The "Effective" date at the top of this document reflects the date of the most recent version. Where a change materially affects your rights, registered users will be notified by email prior to the change taking effect.
14. Contact
Flow Through Logic Pty Ltd (ABN 15 697 017 842, ACN 697 017 842)
Canberra, Australia
Email: [email protected]