Last updated: 1 July 2026. This Privacy Policy explains how the operator of flags.games ("we", "us") handles personal data when you use flags.games (the "Service"). It applies to the public website and game experience at flags.games.
Who is responsible
For data protection questions, contact us at support@flags.games. We will identify the legal controller in replies when required (for example regulatory requests).
Data we collect
Depending on how you use the Service, we may process:
- Gameplay and technical data: scores, challenge progress, difficulty, multiplayer room activity, and anti-cheat signals.
- Anonymous session identifier: a cookie-based session token so solo play and rate limits work without an account.
- Account data (if you register): email address, authentication provider identifiers (Google/GitHub), username, avatar, XP, stats, friend code, and privacy preferences (such as leaderboard opt-out and friend-request settings).
- Multiplayer: connection and room participation data processed by our game server.
- Contact form: email, message content, reason for contact, optional page URL, and a device snapshot you submit with the form.
- Security: IP address (from standard proxy headers) for bot checks, abuse rate limits, and similar verification when you sign in or use protected forms.
- Client settings: sound, appearance, and privacy toggles stored in your browser (local storage) before or after sign-in.
- Error and usage diagnostics: crash reports and product analytics in production (see service providers below).
Why we use data
We use data to run the game, secure the Service, improve features, respond to contact messages, and comply with law. Typical legal bases under GDPR include performance of a contract (accounts), legitimate interests (security, anti-cheat, analytics at a proportionate level), and consent where required (for example certain optional communications if we add them later).
Who we share data with
We do not sell your personal data. We use service providers that process data on our behalf, including:
- Vercel for hosting, serverless functions, edge delivery, and web analytics.
- Convex for authentication, backend functions, and app database storage.
- Cloudflare for DNS, CDN/storage, Workers, and Turnstile bot checks.
- Sentry for error, performance, log, and metrics monitoring.
- PostHog EU for optional product analytics and session replay when enabled.
- Resend and Router.so for account/support email and contact form routing.
- OAuth providers such as Google and GitHub when you choose those sign-in methods. Their privacy policies also apply to that sign-in.
How long we keep data
We keep data only as long as needed for the purposes above, unless law requires longer retention. Account/profile data is kept until account deletion or closure. Auth sessions and refresh tokens are kept until expiry, revocation, or account deletion. Some short-lived technical rows are purged automatically, such as expired game tokens and XP idempotency rows after their safety window.
Contact messages are kept long enough to handle your request and improve support. Product analytics, error monitoring, hosting logs, and security records follow provider retention settings and security needs. Anonymous aggregate gameplay and community metrics may be kept when they no longer identify a player.
You can ask us about retention for your account by emailing the contact address below.
Your choices and rights
In the Service you can adjust privacy-related settings (for example opting out of public leaderboard activity or controlling friend requests) where those controls are available.
Depending on where you live, you may have rights to access, export, port, correct, delete, restrict, or object to processing of your personal data, and to lodge a complaint with a supervisory authority. Email us at the address below; we will respond within reasonable timeframes required by law.
Signed-in players can export app account data from Settings. The export is JSON and covers app database data such as profile, stats, Daily history, learning progress, friends, activity, auth-provider summary, and privacy preferences. Provider-side logs, analytics, and raw anti-abuse internals are handled through verified privacy requests.
Signed-in players can delete their account from Settings. This deletes direct account records such as profile, sign-in data, XP, stats, Daily history, learning progress, friends, requests, and account activity. Non-identifying aggregate gameplay, security records needed for abuse prevention, provider logs within provider retention windows, and anonymous historical rows that are not reliably attributable to the account may remain.
You can change cookie choices in Settings or from the Cookie settings link on our Terms and Privacy pages.
If you signed in with a third party, you can also manage some data in that provider's account settings.
Security
We use technical and organisational measures appropriate to a web game (encryption in transit, access controls on providers, rate limits, and monitoring). No online service can guarantee perfect security.
Children
The Service is not directed at young children. If you believe a child has given us personal data without appropriate permission, contact us and we will take reasonable steps to delete it.
International transfers
Our providers may process data in the European Union, United States, or other countries. Where required, we rely on appropriate safeguards offered by those providers (such as standard contractual clauses).
Changes to this policy
We may update this Privacy Policy. The date at the top will change when we do. Material changes may be described on the site or by email where appropriate for account holders.
Contact
Privacy questions and requests: support@flags.games (subject line "Privacy" helps us route your message).
See also our Terms of Service for rules on using the Service.