Privacy Policy
This Privacy Policy describes how Zhentao Tong ("we," "us," "our"), operating play-avalon.com (the "Service"), collects, uses, and shares your information.
1. Information We Collect
1.1 Information you provide
- Account information. When you sign in with Google or Discord through Clerk, we receive a user identifier and the profile fields those providers share (typically name, email, and a profile picture URL).
- Display name and gameplay actions. The display name you choose for a game and your in-game actions (proposals, votes, mission cards, speeches) are part of game state and are included in saved replays.
- Optional API key (BYOK). If you provide an OpenRouter API key for AI speech, we hold it in server memory for the lifetime of the room only. We do not write it to disk, log it, or include it in any payload sent to other clients.
1.2 Information collected automatically
- IP address. Used for rate limiting and abuse prevention. Not associated with your account record beyond the duration of a request unless required for security investigation.
- Connection metadata. Timestamps of connection, room activity, errors. Used for operations and debugging.
1.3 Payment information
Payments are processed by Stripe. We do not receive or store your card number, CVC, or full bank details. Stripe sends us a transaction record (purchase amount, currency, your account ID, a Stripe session ID) which we store to credit coins to your account.
2. What We Do With It
- Provide the Service: authenticate you, run games, save replays, process purchases.
- Enforce abuse limits, security, and Terms of Service.
- Operate and improve the Service (debugging, capacity planning).
We do not sell your personal information.
3. Third-Party Services We Use
| Provider | Purpose | What they receive |
|---|---|---|
| Clerk | Authentication | OAuth identity from Google/Discord |
| Stripe | Payments | Card details, transaction metadata |
| Neon | Database hosting | Encrypted DB contents (see §1) |
| DigitalOcean | Server hosting | Encrypted server logs and game state |
| Cloudflare | DNS | DNS lookups for play-avalon.com |
| OpenRouter | AI speech (BYOK) | Only when you provide your own key; charges to your account |
| Google / Discord | OAuth providers | Standard OAuth handshake; see their privacy policies |
4. Cookies and Local Storage
We use cookies and local storage for two purposes: (a) to maintain your sign-in session through Clerk, and (b) to remember your last-used display name and portrait choice on this device. We do not use advertising cookies or third-party tracking cookies.
5. Replays and Public Game Data
When a game finishes, we save a replay file containing the game's events: the players' display names, role assignments, proposals, votes, mission outcomes, and speeches. Other signed-in users of the Service can view these replays. Anything you say or do in a game is visible to other players in that game and may be visible later through replays.
We retain at most the 20 most-recent replays per user; older replays are deleted automatically. We may also delete older replays globally for storage management.
6. Data Retention
- Account record: retained while your account is active.
- Replays: capped at 20 most-recent per user; older ones deleted automatically.
- Transaction records: retained for at least seven (7) years for tax and accounting purposes.
- Server logs: typically rotated within 30 days.
7. Your Rights
You may request that we:
- Provide a copy of the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated personal information (we will retain transaction records as required by law).
To exercise these rights, email support@play-avalon.com from the email address associated with your account.
EU/UK users: the rights above apply, plus rights to data portability and to object to processing. You may also lodge a complaint with your national data protection authority.
California users: we do not sell personal information and have not done so in the preceding 12 months. You may request access and deletion as described above.
8. Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us information, contact us and we will delete it.
9. Security
We use TLS for all network traffic, store secrets only in access-restricted environment variables, and rate-limit abusive activity. No system is perfectly secure. We will notify affected users of any material breach of personal information as required by applicable law.
10. International Transfers
Our servers and most of our service providers are located in the United States. By using the Service from outside the US, you consent to the transfer of your information to the US.
11. Changes to This Policy
We may update this Privacy Policy. Material changes will be reflected by an updated "Last updated" date and, where appropriate, additional notice.
12. Contact
Email support@play-avalon.com.