Privacy Policy

1. Who We Are

Border Blitz is a daily geography game. By using the site, you agree to this policy. If you have questions, contact us using the details in Section 12.

2. What Information We Collect

2.1 Information You Provide

• Email address. If you create an account, we use this for authentication and password recovery.
• Handle. A public display name you choose for the leaderboards.
• Game data. Your scores, round-by-round guesses (clicked coordinates and distance from target), times, and which mode you played.
• Feedback you send us. Anything you type into the in-app feedback form.

2.2 Information We Automatically Collect

• Device fingerprint. A hash combining your browser's user-agent, language, screen size, CPU and memory hints, timezone, and a small canvas signature. We use it to keep anonymous play sessions stable across reloads and to prevent abuse. We store the resulting hash, not the underlying values.
• Hashed IP address. When you submit a game we hash your IP address with a non-cryptographic hash and store only the hash. We use this for rate limiting. We do not store raw IP addresses, and we do not derive your physical location from them.
• Login timestamps. When you last signed in or played, so we can surface stats and clean up inactive accounts.

2.3 Local Storage and Cookies

We store a few things in your browser's local storage:

• A device identifier (bb_device_id) so an anonymous session survives reloads.
• Your cached handle (bb_handle) so the splash screen can greet you instantly.
• A signed-in flag (bb_signed_in) so the splash can render the right state before the network responds.
• A marker for each completed daily (bb_daily_*) so reloading doesn't let you re-play the day.

When you sign in, we also set a single HttpOnly session cookie (bb_session) holding an opaque, server-side session token. It is not readable by JavaScript and is the only authentication credential stored on your device.

3. How We Use Your Information

We use your information to:

• Run the game, including recording your scores, maintaining streaks, and showing your rank.
• Display leaderboards using your handle and score. Anonymous users are excluded from public listings.
• Prevent abuse through rate-limiting and duplicate-submission checks.
• Improve the game by reviewing aggregate data to find bugs and tune difficulty.
• Process subscription payments via Stripe, if you go Pro.
• Respond to feedback or support requests you send us.

We do not:

• Sell your data to anyone.
• Send marketing emails or spam.
• Share your data with advertisers.
• Track you across other websites.
• Run third-party analytics. There's no Google Analytics, Mixpanel, PostHog, or tracking pixels on the site.

4. Third-Party Services

4.1 Amazon Web Services (hosting + database)

We host the site and run our Postgres database on Amazon Web Services. Account passwords are hashed with bcrypt before storage; we never see or store them in plain text. Your data is encrypted in transit (HTTPS) and at rest. See AWS's privacy notice.

4.2 Stripe (payments)

If you subscribe to Border Blitz Pro, payment is processed by Stripe. We never receive or store your full card number. Stripe sends us a customer ID and the status of your subscription. See Stripe's privacy policy.

4.3 Amazon SES (email)

We use Amazon SES to deliver transactional email, including account verification, subscription receipts, and the in-app feedback form.

5. Data Storage and Security

• Data is encrypted in transit over HTTPS.
• Data is encrypted at rest on AWS infrastructure.
• Access to the database is restricted and logged.

No system is 100% secure. We take reasonable measures to protect your information but cannot guarantee absolute security.

6. Your Rights and Choices

6.1 Access and Control

• View your data. Your scores and game history are visible on the leaderboard pages and within your account.
• Change your handle or email. Update them yourself from your account page (Account Settings). Email changes are confirmed via a code sent to the new address.
• Change your password. From your account page, or via the "Forgot password" link on sign-in.
• Delete your account. Self-service from your account page. We send a confirmation link to your email; clicking it permanently deletes your account and associated data. You can also contact us if you prefer.

6.2 European Users (GDPR)

If you're in the European Economic Area, you have additional rights:

• The right to access a copy of the data we hold about you.
• The right to correct inaccurate data.
• The right to request deletion (the "right to be forgotten").
• The right to receive your data in a machine-readable format (portability).
• The right to object to processing of your data.

To exercise these rights, contact us using the details in Section 12.

6.3 California Users (CCPA)

California residents have the right to:

• Know what personal information we collect.
• Request deletion of personal information.
• Opt-out of data "sales," though we don't sell data.
• Non-discrimination for exercising these rights.

7. Children's Privacy

Border Blitz is a geography game suitable for all ages. Users under 13 should have parental permission to create an account. We do not knowingly collect personal information from children under 13 without parental consent. If you believe a child under 13 has created an account without permission, contact us and we'll delete it.

8. Cookies

We use a single first-party HttpOnly session cookie (bb_session) to keep you signed in, plus the browser local storage entries listed in Section 2.3 to remember your handle, device, and daily progress. We do not use third-party advertising cookies or analytics cookies. You can clear cookies and local storage from your browser settings; doing so will sign you out and reset progress markers.

9. Data Retention

• Active accounts. We keep your data as long as your account is active.
• Inactive accounts. Accounts with no activity for two or more years may be deleted.
• Deleted accounts. When you request deletion, we remove your data within 30 days.

10. International Data Transfers

Border Blitz is operated from the United States and data is stored on AWS infrastructure that may be located in the U.S. and other regions. By using Border Blitz, you consent to the transfer of your data to these locations.

11. Changes to This Policy

We may update this policy from time to time. When we do, we'll update the "Last Updated" date above. For significant changes, we'll notify signed-in users by email. Continued use of Border Blitz after a change means you accept the revised policy.

12. Contact Us

Questions, data requests, or deletion requests:

• Email: cmoraski@deco.technology
• Or use the in-app Feedback button.

We aim to respond to privacy requests within 30 days.

13. Legal Basis for Processing (GDPR)

For users in the EU/EEA, we process your personal data based on:

• Consent. You agree to this policy when creating an account.
• Contractual necessity. Processing is necessary to provide the game service.
• Legitimate interests. Improving the game, preventing abuse, and maintaining security.