Privacy Policy

Last Updated: 31/05/2026

This Privacy Policy explains how Drunkdeck ("we", "us", "our") collects, uses, and shares information about you when you use our online drinking game ("Service"). If you are located in the European Economic Area (EEA) or UK, this policy also describes your rights under the General Data Protection Regulation (GDPR) and UK GDPR.

1. Data We Collect

• Account data: email address, display name, email verification status, profile photo URL.
• Gameplay data: game sessions, category choices, custom cards you create.
• Subscription & payment data: subscription plan, subscription status, billing history. Full payment card details are processed directly by Stripe and never stored by us.
• Usage data: page views, events, device type, browser, operating system — collected via Google Analytics cookies.
• Error data: error stack traces collected by Sentry when the application crashes.
• Audit logs: a record of actions you take within the Service (e.g. account updates, card creation) for security and abuse-prevention purposes.

2. Legal Basis for Processing

• Contract (Art. 6(1)(b)): processing your account data, subscription data, and gameplay data is necessary to provide the Service you signed up for.
• Consent (Art. 6(1)(a)): analytics cookies (Google Analytics) and marketing pixels (ServiceForm) are only loaded after you accept via the cookie consent banner. You may withdraw consent at any time by clicking "Reject all" in the banner.
• Legitimate interest (Art. 6(1)(f)): error monitoring (Sentry — errors only, no session replay without consent) and audit logging for security and fraud prevention.
• Legal obligation (Art. 6(1)(c)): retaining transaction records as required by applicable financial regulations.

3. Sub-Processors

We share your data with the following third-party processors:

• Firebase (Google) — Auth, Firestore, Realtime Database: stores your uid, email, display name, gameplay sessions, and audit logs.
  Hosted in asia-south1 (Mumbai, India) — see "International Transfers" below. Firebase Privacy
• Stripe: processes payments and stores your email, payment method, and billing address on our behalf.
  Stripe Privacy
• Google Analytics (GA4): collects page views, events, device/browser information via cookies. Only loaded with your consent.
  Google Privacy
• Sentry: collects error stack traces when the application crashes. Session replay is disabled without your consent.
  Sentry Privacy
• ServiceForm: a form-tracking and lead-capture tool that collects anonymised interaction data on our website. Only loaded with your consent.
  ServiceForm Privacy
• Redis (Upstash): caches game card data with a 24-hour TTL. No personally identifiable information is stored.

4. Data Retention

• Account & profile data: retained for the lifetime of your account and deleted within 30 days of account deletion.
• Subscription data: retained for 7 years to comply with financial record-keeping obligations, then deleted.
• Audit logs: retained for 12 months, then automatically deleted via a scheduled purge.
• Analytics data: governed by Google Analytics' standard retention (14 months by default).
• Error data (Sentry): retained for 90 days per Sentry's default retention policy.
• Redis cache: game card data has a 24-hour TTL and is not persisted beyond that.

5. International Data Transfers

Our primary data store (Firebase Firestore and Realtime Database) is hosted in asia-south1 (Mumbai, India), which is outside the EEA. This transfer is covered by Google's Standard Contractual Clauses (SCCs) under GDPR Article 46. You can review Google's Data Processing Terms at cloud.google.com/terms/data-processing-addendum. Firebase Auth may process authentication data in additional Google-operated regions, all of which are covered by the same SCCs.

6. Your Rights (GDPR)

If you are in the EEA or UK, you have the following rights:

• Right of access (Art. 15): request a copy of all personal data we hold about you. Use the "Download my data" button in your profile, or contact us.
• Right to erasure (Art. 17): request deletion of your account and all associated data. Use "Delete account" in your profile, or contact us.
• Right to data portability (Art. 20): download your data in machine-readable JSON format via "Download my data" in your profile.
• Right to rectification (Art. 16): update your display name in your profile at any time.
• Right to object (Art. 21): object to processing based on legitimate interest by contacting us.
• Right to withdraw consent: withdraw analytics/marketing consent at any time via the cookie consent banner.
• Right to lodge a complaint: you have the right to complain to your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).

7. Data Subject Access Requests (DSAR)

To exercise any of the rights above, or to submit a GDPR request, please contact us at:

Email: [email protected]

We will respond to all requests within 30 days as required by GDPR. For complex requests we may extend this by a further 2 months and will notify you if we do so. We may need to verify your identity before processing your request.

8. Security

We take reasonable technical and organisational measures to protect your data from unauthorised access, use, or disclosure. All data is transmitted over HTTPS. Firebase credentials are stored as environment variables and not in source code.

9. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified via a notice within the Service. The "Last Updated" date at the top of this page reflects the most recent revision.

10. Contact

For general questions about this Privacy Policy, contact us at [email protected].

WARNING

Please note that consuming alcohol can be dangerous and should be done responsibly, in moderation, and not under the legal drinking age. We will not be held responsible for any damage or harm caused by excessive alcohol consumption.