
Privacy Policy

What we collect, why, and your rights — plain language.

Effective 17 April 2026 · Version 1.2

This Privacy Policy explains how Mind Duel (“we”) collects, uses, stores, and shares your personal data, and the rights you have under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The Data Controller is Mind Duel (Bulgaria).

1. Data we collect

  • Account data — name, email, bcrypt-hashed password. Collected at registration, used for authentication.
  • Email verification tokens — a random 32-byte token, hex-encoded; deleted as soon as it is used for verification, or after 24 hours if unused.
  • Debate content — the arguments you write during gameplay. Transmitted to Anthropic for AI processing. Stored in our database only if you choose to save the transcript (share pages).
  • Billing metadata — Stripe customer ID, subscription status, period end. We never see or store your card number — Stripe handles all card data directly.
  • Gameplay statistics — XP, level, streaks, achievements, debate history.
  • Server logs — IP, timestamp, path, user-agent. Retained up to 30 days for security and debugging.

We do not collect: payment card numbers, GPS location, device fingerprints, advertising IDs, voice/biometric data, or health data. We do not use third-party advertising trackers.

2. Legal bases for processing (GDPR Art. 6)

  • Contract (6(1)(b)) — account creation, email verification, debate processing, subscription billing.
  • Legitimate interest (6(1)(f)) — server logging for security, abuse prevention, fraud detection.
  • Legal obligation (6(1)(c)) — tax records, lawful authority requests.
  • Consent (6(1)(a)) — optional marketing emails (opt-in; revocable in Settings).

3. Sub-processors

  • Anthropic, PBC — AI model provider for debate generation & judging. Inputs are not used to train models (per Anthropic API policy). USA.
  • Stripe, Inc. — payments & subscription management. USA (PCI-DSS Level 1).
  • Vercel, Inc. — hosting & CDN. USA/EU.
  • Resend — transactional email delivery. USA/EU.

Transfers to the USA are covered by EU Standard Contractual Clauses (GDPR Art. 46(2)(c)). We do not sell personal data, ever.

4. Your rights

You have the right to: access your data, correct it, delete it (“right to be forgotten”), port it (JSON export), restrict processing, object to processing, and withdraw consent. Email legal@mindduel.app — we respond within 30 days.

EU residents may also lodge a complaint with: Commission for Personal Data Protection (CPDP), 2 Prof. Tsvetan Lazarov Blvd, Sofia 1592, Bulgaria · kzld@cpdp.bg.

California residents have equivalent rights under CCPA including the right to know, delete, and opt out of sale (we do not sell data).

5. Data retention

  • Account data — lifetime of your account + 30-day recovery buffer, then permanently deleted.
  • Debate transcripts — persisted only when you save/share them; deletable from your profile.
  • Server logs — ≤30 days.
  • Billing records — retained 7 years as required by tax law.

6. Cookies & browser storage

We use strictly necessary cookies only — the NextAuth session cookie to keep you logged in. No advertising cookies, no third-party analytics cookies, no tracking pixels. Game preferences (difficulty, mute) are stored in your browser’s localStorage and never leave your device.

7. AI and automated decisions (GDPR Art. 22)

Our AI judge scores your arguments. This is automated decision-making, but it produces no legal or similarly significant effects outside the game. We commit to: (a) every score includes written reasoning; (b) scores influence only in-game state; (c) you can email us to flag a score you believe malfunctioned for human review.

8. Children

The Service is not directed at users under 16. We do not knowingly collect data from anyone under 16. If you believe a minor has registered, email legal@mindduel.app and we will delete the account.

9. Security

Passwords are hashed with bcrypt (cost factor 12). All traffic is TLS-encrypted. Secrets live in environment variables, never in source control. Access to production data is limited to the Operator. In the event of a personal data breach, we notify the supervisory authority within 72 hours of becoming aware of it, and affected users without undue delay, as required by GDPR Articles 33–34.

10. Changes

Material changes to this policy will be emailed to you at least 14 days before they take effect. The current version is always available at https://mindduel.app/privacy with its effective date.

11. Contact

Email: legal@mindduel.app

Data Controller: Mind Duel, Bulgaria