Privacy Policy
Last updated: April 21, 2026
This policy explains what poketsticks ("we", "us") collects, how we use it, and who we share it with. It covers both developers (the people who create accounts and ship games on our SDK) and players (the people who scan a QR code on their phones to join a game).
poketsticks is operated by [OPERATOR — legal entity name]. For any privacy question or request, email privacy@usebeacon.dev (placeholder — update once the operating entity is set).
1. What we collect
From developers
- Account — email, display name, and a hash of your password (if you use password auth). If you sign in with Google, we receive your email and display name from Google — we never see your Google password.
- Apps and API keys — the app names you choose and the SHA-256 hashes of any API keys you mint. We never store the plaintext keys after the one-time reveal at creation.
- Billing — if you upgrade to a paid tier, Stripe collects and holds your payment information. We only see the non-sensitive metadata Stripe sends back (customer id, subscription status, period end). We never receive or store your card number.
- Support interactions — if you email us, we keep that correspondence.
From players (via the controller)
- Profile — the display name and avatar style you set on your phone, plus a random identifier generated on-device. These persist in your phone's browser storage and travel with you when you join any game built on poketsticks.
- Game data — if a game chooses to persist data per player (high scores, unlocks, preferences), we store it scoped to that game and that profile. A game cannot read another game's data for the same player.
- Session metadata — when you join a room, we record the room id, your ephemeral session id, and which transport your connection used (local, direct-peer, or relay). This is how we count the device-minutes we bill developers for.
We do not collect player email addresses, phone numbers, location data, or advertising identifiers. Games built on poketsticks may collect other information under their own privacy policies — that's between them and their players.
2. How we use it
- To deliver the Service — authenticate you, route input events between peers, persist per-player data you ask us to persist.
- To meter relay usage and bill paid tiers.
- To send transactional email (sign-up verification, password reset, billing receipts).
- To keep the Service secure — detect and prevent abuse, debug incidents, respond to legal requests.
- To improve the product — aggregate, non-identifying usage patterns inform what we build next.
We do not use your data to train AI models, to sell to advertisers, or to build profiles of individual players beyond the display-name/avatar profile each player has explicitly set.
3. Who we share it with
We use a small set of subprocessors to run the Service. Each receives only the data they need for their specific function:
| Provider | Purpose | Data |
|---|---|---|
| Cloudflare | Hosting (Workers, Pages, D1, Durable Objects, TURN relay) | All application data |
| Stripe | Payments + billing | Email, payment details (held by Stripe only) |
| Resend | Transactional email | Email address, message contents |
| Google | Optional OAuth sign-in | Email, display name (returned from Google) |
We don't sell your personal information. We may share it if compelled by lawful process, or if required to protect the rights, property, or safety of our users or the public. If we're ever acquired, data may transfer as part of the transaction; we'll notify you before that happens.
4. Cookies and similar tech
We use a single session cookie (set by Better Auth) to keep you signed in on the dashboard. The cookie is first-party, marked Secure + HttpOnly, and used only for authentication. We do not run ad trackers, third-party analytics cookies, or cross-site pixels.
On the controller side, your phone's browser stores your player profile and a profile secret in localStorage so it survives across game sessions. Nothing about that storage is shared cross-origin.
5. Data retention
- Account + app data — retained for as long as your account is active, then deleted within 30 days of account closure (subject to any legal hold).
- Raw per-minute relay usage — pruned automatically after 30 days.
- Daily usage aggregates — retained for billing history.
- Billing records — retained as long as required by tax and accounting law (typically 7 years).
- Player profiles — stored on-device in your phone's browser; we hold a server-side copy only so cross-device joins work. Clearing your phone's site data for our origin removes the local copy; you can request deletion of the server-side copy by email.
6. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete the personal information we hold about you; to object to or restrict certain processing; and to lodge a complaint with a data-protection authority.
To exercise these rights, email privacy@usebeacon.dev. We may need to verify your identity before acting on a request. We'll respond within 30 days or as soon as reasonably possible.
7. International transfers
Our subprocessors (Cloudflare, Stripe, Resend, Google) operate globally. Your data may be processed in countries other than the one you live in. Where required, we rely on standard contractual clauses or equivalent safeguards to protect cross-border transfers.
8. Children
The Service is not directed at children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from children. Games built on poketsticks may target younger audiences — those games are responsible for complying with COPPA, the GDPR age-of-digital-consent rules, and equivalent frameworks. If you believe we hold information about a child that shouldn't be there, email us and we'll delete it.
9. Security
All traffic to and from the Service is encrypted in transit (TLS to our edge; DTLS on the WebRTC data channel). Passwords are hashed and salted by Better Auth. API keys are stored as SHA-256 hashes. TURN credentials are short-lived (15 minutes) and scoped to a single room. No system is perfectly secure — if you suspect a breach, email security@usebeacon.dev.
10. Changes to this policy
We may update this policy as the product evolves. Material changes will be announced on the dashboard or by email at least thirty days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
11. Contact
Privacy questions or requests: email privacy@usebeacon.dev.