Privacy Policy

Read how Cardigarch collects, uses, stores, and protects account, gameplay, feedback, and leaderboard data.

CARDIGARCH
Login
Register
Home/Privacy

Legal

Privacy Policy

Last updated · July 2, 2026Questions? Email us

On this page

  • Who we are
  • What we collect
  • How we use data
  • Legal bases
  • Sharing
  • Retention
  • Security
  • International
  • Your rights
  • Children
  • Changes

Cardigarch ("we," "us") is an online card game service. This policy describes how we collect, use, store, and share information when you use our website and our native iOS and Android apps at cardigarch.com and related subdomains (together, the "Service"). It reflects how the Service is built today. See also our Terms of Service. For questions, contact aditya130805@gmail.com.

1. Who we are

The Service is operated by Aditya Agarwal as an independent project under the name Cardigarch. We act as the data controller for personal information processed through our own servers and databases in connection with the Service.

Authentication and related identity processing are provided by Clerk(Clerk, Inc.), which acts as a processor under our instructions for sign-in, session management, and user-profile data tied to your account. Clerk's privacy policy also applies to how Clerk handles data on its systems: clerk.com/legal/privacy.

2. Information we collect

2.1 Account and profile (via Clerk + our database)

When you create or use an account, we process:

  • Email address and username (required for a full profile in our app).
  • A Clerk user identifier that links your Clerk account to our records.
  • An internal stable player ID (UUID) we assign for gameplay and stats consistency.
  • A profile image URL if your sign-in provider (for example Google) supplies one.
  • Your account preferences (theme, plus sound, music, and emoji-reaction toggles), stored on our servers so they follow you across devices.
  • Password material: if you use email/password sign-in, Clerk stores credentials according to Clerk's practices. Our backend may store a legacy password hash for accounts imported from prior systems; new accounts typically authenticate through Clerk.
  • If you choose Sign in with Google or Sign in with Apple, that provider receives your interaction with its login flow and shares limited profile data (such as your email) with us and Clerk according to your consent and the provider's policies. With Sign in with Apple you may choose to hide your email, in which case Apple relays a private relay address instead.

2.2 Gameplay and multiplayer

To run matches, we process:

  • Lobby and room data, including room identifiers, player display names in the room, readiness state, and related session metadata stored while a room exists.
  • Real-time game messages sent over WebSockets between your client and our servers (and through our channel infrastructure) while you are connected to a game.
  • After games end, we store game history: room id, duration, player count, winner (if any), and per-player statistics such as win/loss/abandon, cards played, rent and economy-related counters, and counts of specific card types used (e.g. action cards). These statistics power leaderboards and player profiles. If your browser reports it, we also store your time-zone offset at game-end so time-based achievements work correctly.
  • Achievements you unlock — an achievement identifier and the time you unlocked it.
  • Solo (vs-bot) game completions — room id, bot difficulty, and result — used for activity tracking. Solo games do not create multiplayer history or affect leaderboards.

2.3 Social features (friends)

If you use friends features, we store friend relationships and friend requests (who invited whom, status, timestamps) between user accounts.

2.4 Feedback and ratings

When you submit in-app feedback or a rating, we collect:

  • Your message, category, optional star rating, and optional written rating comment.
  • An optional screenshot you attach (stored on our servers for staff review).
  • Technical context: the page URL you were on, browser user-agent string, and viewport size, to help reproduce issues.

We may send an internal email notification when new feedback arrives if server-side email is configured; that email may include details of the submission.

2.5 Clerk webhooks

We receive signed webhooks from Clerk for events such as user created, updated, and deleted. We use these to keep our user database in sync (for example linking email and username). When Clerk deletes a user, we currently deactivate the linked local account and clear the Clerk identifier; historical gameplay or stats rows may still exist until you contact us for a broader deletion request.

2.6 Device storage (your browser)

The app stores small amounts of data in your browser's local storage and session storage, including: your theme preference (light/dark; also saved to your account when you are signed in), an anonymous analytics id used to count distinct visitors, a short-lived rejoin-game hint (room id and expiry), a return-to redirect so we can send you back where you were after signing in, an optional local game log for the current session, and a per-tab session id used to group error reports. This data stays on your device unless our code sends other information to the server as part of normal gameplay, analytics, or API calls.

2.7 Analytics and product telemetry

To understand how the Service is used and to keep it reliable, we collect limited, privacy-conscious analytics:

  • Vercel Web Analytics and Speed Insights run on our pages to measure aggregate traffic and page-performance metrics. Vercel processes this without cross-site advertising cookies.
  • First-party funnel events we record on our own servers — a small, fixed set of product events (for example reaching a sign-in wall, completing signup, creating or joining a room, starting a solo or multiplayer game, and sharing an invite). Each event stores the event name, the page path, an anonymous browser id, and, if you are signed in, your account. We use these to power our internal admin analytics dashboard.

2.8 Error and diagnostic logs

When the app hits an uncaught error in your browser, we may send a report to our servers containing the error message and stack trace, the page route, a build id, a per-tab session id, your browser user-agent, and, if signed in, your account, so we can diagnose and fix bugs. These reports are rate-limited and periodically purged.

2.9 Push notifications (native apps)

If you use our native iOS or Android app and allow notifications, we register a push device token (a Firebase Cloud Messaging token) and its platform (iOS or Android), linked to your account, so we can notify you about game events — for example when it becomes your turn or when a friend invites you to a game. Tokens are removed when you sign out or uninstall. Delivery uses Google Firebase Cloud Messaging and, on iOS, the Apple Push Notification service; the payload we send is limited to the game event (such as a room identifier and a short message). You can turn notifications off at any time in your device settings.

2.10 What we do not do

We do not embed third-party advertising networks, and we do not use analytics to track you across other websites or to build advertising profiles. We do not sell your data. If that changes, we will update this policy.

3. How we use information

  • To provide authentication, profiles, and secure access to the Service.
  • To create and manage game rooms, run live games, and persist results and statistics.
  • To show public-facing profiles and leaderboards (for example username and aggregated stats visible to other players).
  • To operate friends, invites, and related social features.
  • To receive and triage bug reports and product feedback, and to compute aggregate satisfaction metrics.
  • To measure aggregate usage and the signup/play funnel, and to diagnose errors through client logs.
  • To protect the Service, enforce rules, and troubleshoot technical issues.
  • To comply with law when required.

4. Legal bases (EEA, UK, and similar jurisdictions)

Where GDPR-style laws apply, we rely on: contract (providing the Service you asked for); legitimate interests (securing the Service, improving features, fraud/abuse prevention, and limited internal analytics derived from server logs); and, where required, consent (for example OAuth or optional feedback with a screenshot). You may withdraw consent where processing is consent-based, without affecting prior lawful processing.

5. Sharing and subprocessors

We share data with service providers that make the Service possible:

  • Clerk — authentication, session, and hosted auth UI assets (which may be served from Clerk-controlled hostnames, including custom domains such as clerk.cardigarch.com and accounts.cardigarch.com when configured).
  • Google / Firebase— if you choose Google sign-in (subject to Google's terms and privacy policy), and, in our native apps, Firebase Cloud Messaging to deliver push notifications.
  • Apple — if you choose Sign in with Apple, and, in our iOS app, the Apple Push Notification service to deliver push notifications, subject to Apple's terms and privacy policy.
  • Vercel — hosting and delivery of the web frontend, plus Web Analytics and Speed Insights for aggregate traffic and performance metrics.
  • Railway (or equivalent) — hosting of our API, databases, WebSocket infrastructure, and uploaded feedback files.
  • Redis (or compatible) — real-time messaging layers for multiplayer channels.

We do not sell your personal information. We may disclose information if required by law, court order, or to protect rights, safety, and integrity of users and the Service.

6. Retention

We retain account and gameplay data while your account is active and as needed to operate the Service. Game history and statistics may be kept to preserve leaderboard integrity and your profile history unless you ask for deletion. Feedback submissions may be retained for product improvement and audit trails. Analytics events, client error logs, and server logs are rotated or purged on a regular operational schedule. You can delete your account from Settings: we delete your authentication identity at Clerk and then delete your account and linked records from our database. Where account deletion happens by other means (for example deleting your Clerk account directly), some historical rows may remain until processed. We will delete or anonymize associated personal data within a reasonable time, except where law requires retention.

7. Security

We use industry-standard measures appropriate to the nature of the Service (encryption in transit for HTTPS/WSS, access controls on servers, signed webhooks). No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

8. International transfers

We and our subprocessors may process data in the United States and other countries where they operate. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) or other lawful transfer mechanisms.

9. Your choices and rights

Depending on your location, you may have rights to access, correct, delete, export, or restrict certain processing, and to object to processing based on legitimate interests. You may also lodge a complaint with a supervisory authority.

To exercise rights against data we control directly, email aditya130805@gmail.com. For data held primarily by Clerk (such as core auth account settings), you can also use Clerk's account tools and privacy channels.

California residents: we do not "sell" personal information as defined by the CCPA/CPRA in the manner described in those laws. You may still contact us for access and deletion requests regarding personal information we hold.

10. Children

The Service is not directed at children under 13 (or the age required by your jurisdiction). We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.

11. Changes

We may update this policy from time to time. We will post the new version on this page and update the "Last updated" date. Continued use after changes means you accept the revised policy, except where law requires explicit consent.

CARDIGARCH

Steal from your friends, stay friends. A fast property card game of sharp plays and chaotic comebacks.

Explore
PlayLeaderboardHow to PlayCard Guide
Account
SettingsLoginRegister
More
ChangelogPrivacy PolicyTerms of ServiceConnect with developer
© 2026 Cardigarch
Aditya Agarwal