Swipade — Privacy Policy
Effective date: May 25, 2026 Last updated: May 25, 2026
Swipade ("we", "us", or "our") respects your privacy. This Privacy Policy describes the information we collect when you use the Swipade website, mobile-installable web app, APIs, and related services (the "Service"), how we use that information, and the choices you have. This Policy is incorporated into and supplements our Terms of Service.
This Policy is written for users in the United States. If you access the Service from outside the United States, you are transferring your information to the United States, where data-protection laws may differ from those in your jurisdiction.
1. Information We Collect
1.1 Information you give us directly
- Account information. When you create an account, we collect your email address (used for sign-in and for transactional messages) via our authentication provider, Supabase. You may also set a handle, a display name, a profile gradient or uploaded avatar, and preferred genre filters.
- Game content. When you build, edit, or publish a game we store the prompts you submit to the AI builder, the generated HTML and version history, your game's title, blurb, rules, tags, theme colors, and entry cost, and any review submissions.
- Social content. Friend requests (including who initiated them), comments and reviews (1–5 star ratings and optional text), likes, follows, favorites, beat-me challenges, and user reports of other users or games.
- Friend code. A short alphanumeric code automatically generated for your account so other users can add you as a friend.
- Direct messages an administrator may send to your account, and your read state on those messages.
- Payment or billing information if and when you purchase a paid feature. We do not store full payment card numbers — those are handled by our payment processor (we will update this Policy if we add billing).
1.2 Information we collect automatically
- Gameplay data. Every play records a session token, the game and version played, the start and completion timestamps, score, duration, in-round rank, and any payout points awarded. Anti-cheat rejections are also stored.
- Earned engagement badges (Stamps). When you reach a stamp threshold (e.g. "Play 50 games"), we store the timestamp and progress count.
- Daily streak. We compute your consecutive-day play streak from your play history; we do not store an extra streak counter.
- Notifications you receive and your read state for each.
- Share-link analytics. When someone visits a share link (
/c/{gameId}or/link/{gameId}), we log: the game ID, an opaque per-browser session hash (a SHA-256 of a randomly generated cookie value combined with the game ID — see Section 1.3 on cookies), the referring URL, UTM parameters, the two-letter country code Vercel provides from the request IP (we do not store the raw IP), a platform classification (iOS / Android / desktop / other) derived from the User-Agent header, and the viewer's user ID if signed in. - Build-failure diagnostics. When the AI builder produces a game that fails to compile or render, we keep the prompt and the failure for review and product improvement.
- Admin audit log. All sensitive admin actions are recorded with the actor's user ID and a payload describing the change. This is internal-only.
- Service logs. Our hosting provider (Vercel) and our database provider (Supabase) maintain operational logs (e.g., request paths, status codes, error stacks) for the purposes of operating, securing, and debugging the Service. We treat these as confidential and access them only as needed.
1.3 Cookies and similar technologies
We use a small number of cookies and local-browser storage entries:
| Name | Purpose | Lifetime |
|---|---|---|
| Supabase auth cookies | Sign-in session | Session / refresh per Supabase defaults |
sw_sid | Random per-browser ID used to compute the opaque session hash for share-link analytics. The raw value never leaves the browser unhashed. | 1 year |
sw_last_game | Remembers the last game you played so the feed can land on it after a quit/restart | 7 days |
| TanStack Query cache (memory) | Client-side request cache so repeat page transitions are instant. Cleared on page refresh. | Per-tab session |
| Service Worker cache | Stores game-art SVGs and PWA icons for fast re-open / partial offline | Up to 30 days, capped by browser policy |
We do not use third-party advertising cookies. We do not sell or share information for cross-context behavioral advertising.
1.4 Information from third parties
If you choose a magic-link or third-party sign-in option, we receive your email and a stable user identifier from that provider as part of the authentication response. We do not access your contacts, calendar, files, social graph, or any other third-party-account data.
2. How We Use Information
We use the information described above to:
- Operate, maintain, and improve the Service (deliver the feed, build games, accept plays, render leaderboards and stamps, route notifications, etc.).
- Authenticate you and prevent fraud, score tampering, abuse, and unauthorized access.
- Personalize what you see (your genre preferences, your friend feed, your stamps).
- Send transactional messages (sign-in links, security notices, important Service announcements). We do not send marketing email without your separate opt-in.
- Generate share-link analytics in aggregate form so creators and admins can see how a game travels.
- Train and improve our own product systems (e.g., builder prompts, art generation prompts, stamp catalog tuning). We do not use your User Content to train any third-party AI provider's base model. When we call third-party AI providers (Anthropic, Google) to generate content for you, those providers receive only the prompt content for that single request and their handling is governed by their own terms.
- Enforce our Terms of Service and comply with legal obligations.
- Protect the rights, property, and safety of Swipade, our users, and the public.
3. How We Share Information
3.1 With other users
- Your handle, display name, avatar, friend code, published games, scores on public leaderboards, earned stamps, comments and reviews, follow/follower lists, and friend lists are visible to other users of the Service, by design.
- Your email address is not shown publicly.
3.2 With service providers (data processors)
We share the minimum information necessary with vendors who help us run the Service. Each is bound by an agreement that limits use of your information to providing the agreed service.
- Supabase — managed Postgres database and authentication.
- Vercel — application hosting, edge caching, and (optionally) the Vercel KV (Upstash Redis) cache for the feed bucket.
- Anthropic — large-language-model inference for game generation, art generation, and similar AI features.
- Google — large-language-model inference (Gemini) as an alternative to Anthropic; Google Fonts.
3.3 For legal reasons
We may disclose information when we believe in good faith that disclosure is required to: comply with a law, regulation, subpoena, court order, or other valid legal process; enforce our Terms of Service; or protect the rights, property, or safety of Swipade, our users, or others.
3.4 Business transfers
If Swipade is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, your information may be transferred as part of that transaction. We will notify you (e.g., by email or in-app notice) before your information becomes subject to a different privacy policy.
3.5 With your consent
We may share information for any other purpose with your explicit consent.
We do not sell your personal information for money, and we do not share it for cross-context behavioral advertising.
4. Data Retention
We keep your information for as long as your account is active and as needed to provide the Service. After your account is deleted (see Section 6), we retain:
- Plays, leaderboards, and stamps in anonymized form (we replace your user ID with a deletion sentinel) so the per-game leaderboard remains historically consistent.
- Published games you authored unless you also delete the games themselves before deleting your account. Published games can be remixed under Terms of Service Section 4, and remixed copies remain in remixers' accounts even after you delete yours.
- Audit logs and build-failure records for up to 24 months for security and abuse-investigation purposes.
- Aggregated or anonymized statistics indefinitely.
We may retain certain information longer when required by law or to resolve disputes.
5. Security
We protect your information using a combination of:
- HTTPS for all traffic between your device and the Service.
- Row-level security (RLS) policies on every privacy-sensitive table in our database, so the database itself enforces who can read or write a given row.
- Signed play tokens with short TTL to prevent score tampering.
- Sanitized AI output — generated SVG and HTML are stripped of scripts, event handlers, external URLs, and embed-able tags before they are served.
- Obfuscated game payloads for played content — the raw source you author is not what other players can copy out of the running game.
- Code review for every production change.
No system is perfectly secure. If you discover a vulnerability, please report it responsibly to swipade@swipade.com.
6. Your Rights and Choices
6.1 Account access and deletion
- You can review and edit your handle, display name, avatar, and genre preferences from your profile page.
- You can delete your account from in-app profile settings. If a self-serve deletion is unavailable, email swipade@swipade.com and we will process the request within 30 days.
6.2 California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories and specific pieces of personal information we collect, the sources, the business purposes, and the third parties with whom we share it.
- Delete the personal information we have collected about you, subject to certain exceptions.
- Correct inaccurate personal information.
- Limit the use and disclosure of sensitive personal information (we do not currently use it beyond purposes the CCPA permits without an opt-out).
- Opt out of "sales" and "sharing" of personal information. We do not sell your personal information for money, and we do not share it for cross-context behavioral advertising.
- Non-discrimination — we will not deny, charge more, or provide a lesser quality of Service because you exercised your privacy rights.
To exercise these rights, email swipade@swipade.com from the email address associated with your account. We will verify your request and respond within 45 days (extendable by another 45 days where permitted). You may also designate an authorized agent to act on your behalf.
6.3 Other U.S. state rights
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights of access, correction, deletion, and portability. The CCPA process above applies — email swipade@swipade.com and reference the law you are invoking.
6.4 Cookie controls
You can clear Swipade cookies from your browser settings at any time. Clearing the sw_sid cookie will cause a new session hash to be generated on your next visit. Clearing Supabase auth cookies will sign you out.
6.5 Communication preferences
- Transactional messages (sign-in links, security alerts, critical Service announcements) cannot be opted out of while your account is active — they are necessary to operate the Service.
- In-app notifications can be reviewed and (where applicable) marked read or dismissed from the notifications inbox.
- We do not currently send marketing email.
7. Children's Privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, email swipade@swipade.com and we will delete the account and any associated data.
We do not target advertising to children. We do not have a marketplace for purchasing user data.
8. International Users
The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate.
If you are in the European Economic Area, the United Kingdom, or Switzerland, the legal basis for our processing is your consent (when you create an account and use the Service) and our legitimate interests in operating, securing, and improving the Service. You may exercise rights of access, rectification, erasure, restriction, portability, and objection by emailing swipade@swipade.com, and you may lodge a complaint with your local supervisory authority.
9. Third-Party Links and Embedded Content
The Service may link to third-party sites or embed third-party content (for example, when you share a game link on a social network, or when the marketing page loads Google Fonts). Those third parties have their own privacy practices. We are not responsible for their content or privacy practices.
10. Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes we will notify you (for example, by an in-app notice or by email) at least seven (7) days before the changes take effect. The "Last updated" date at the top of this Policy always reflects the current version.
11. Contact
Privacy questions, rights requests, or concerns? Email swipade@swipade.com.
For security vulnerability reports, email swipade@swipade.com.
For legal notices (DMCA, subpoenas, etc.), see the contact addresses listed in our Terms of Service.