
Privacy Policy

Last updated: May 31, 2026

Guess the Reading (“we”, “us”) is operated at guessthereading.app. This policy explains what data we collect, why we collect it, and what we do with it. We have tried to write it in plain English — no legal jargon padding.

Questions or requests? Email us at support@guessthereading.app.

What we collect and why

When you create an account, we store:

  • Email address — to identify your account, send transactional emails (welcome message, password reset, email change confirmation), and as the login credential.
  • Username — the name other players see in game rooms, on the leaderboard, and in chat. It is visible to all players in any room you join.
  • Password — stored as a bcrypt hash. We never store or have access to your plain-text password.
  • Reading display preference — your choice of romaji or hiragana for answer display. Stored so it persists across sessions.
  • Account creation date — for internal housekeeping.
  • Billing status — whether you have an active paid subscription and its current period. We do not store card numbers, bank details, or any raw payment instrument data — all of that is held exclusively by Stripe (see Third-party processors below).

We also store short-lived verification tokens when you request a password reset or email change. These expire automatically (password reset: 1 hour) and are deleted once used.

During gameplay, room activity such as which words were played, scores, and submitted answers is processed entirely in server memory for the duration of a round. None of this is written to the database or retained after the round ends.

Our servers may process your IP address to enforce rate limits on login and registration — this is a standard security measure to prevent abuse. IP addresses are not stored in our database.

Cookies

We set exactly one cookie: a session cookie named token. It holds a signed JWT that keeps you logged in for up to 7 days. The cookie is httpOnly, which means it cannot be read by JavaScript — it exists solely to authenticate your requests to our server.

When you access a payment or billing page, Stripe's JavaScript library (Stripe.js) is loaded from Stripe's servers. Stripe may set its own cookies for fraud prevention and payment security purposes — these are functional, not advertising, cookies and are governed by Stripe's Privacy Policy.

We do not use analytics cookies, advertising cookies, or any third-party tracking scripts. There is no Google Analytics, Meta Pixel, or anything similar on this site.

How we use your data

  • Authenticating you when you log in.
  • Displaying your username to other players in rooms you join.
  • Sending transactional emails: welcome message on sign-up, password reset links, and notifications when your email address changes.
  • Enforcing rate limits to protect the service from abuse.

We do not use your data for advertising, profiling, or any purpose beyond running the service.

Third-party processors

We share data with the following processors only to the extent necessary to operate the service:

  • Supabase — hosts our PostgreSQL database. Your account data lives on Supabase infrastructure.
  • Resend — delivers transactional emails. Your email address is passed to Resend only when an email needs to be sent.
  • Render — hosts our backend API server. All requests pass through Render infrastructure.
  • Vercel — hosts the frontend application. Page requests are served from Vercel's edge network.
  • Stripe — processes payments and manages subscription billing. When you subscribe or update your payment method, your payment details are entered directly into Stripe's secure forms and stored on Stripe's infrastructure. We receive only a non-sensitive customer ID and subscription status. Stripe is PCI-DSS Level 1 certified.

We do not sell your data to any third party — ever.

Data retention

Your account data is kept for as long as your account exists. Verification tokens expire automatically. If you delete your account, all associated data is permanently removed from our database.

Stripe retains billing records (invoices, payment history) independently for their own legal and compliance obligations. Deleting your Guess the Reading account cancels any active subscription but does not erase Stripe's records of past transactions.

Your privacy rights

Depending on where you are located, you may have rights under applicable data protection laws, including the Lei Geral de Proteção de Dados (LGPD) in Brazil and the General Data Protection Regulation (GDPR) in the European Union. These rights typically include:

  • Access — request a copy of the personal data we hold about you.
  • Correction — update your email address, username, or other account details via the Settings page.
  • Deletion — delete your account entirely from the Settings page. This removes your data from our database immediately.

To exercise any of these rights or to ask questions about how your data is handled, contact us at support@guessthereading.app.

Children

This service is not intended for children under 13. If you are under 13, please do not create an account. If we become aware that we have collected data from a child under 13, we will delete it promptly.

Changes to this policy

If we make material changes, we will update the “Last updated” date at the top of this page. Continued use of the service after a change constitutes acceptance of the updated policy.
