FLAGS
Home
Play
Multiplayer
Challenges
Leaderboards
World Activity
Explorer
Learn
Help
Contact

Privacy Policy

How we handle data on flags.games. Contact us if you have questions or want to exercise your rights.

Last updated: 1 July 2026. This Privacy Policy explains how the operator of flags.games ("we", "us") handles personal data when you use flags.games (the "Service"). It applies to the public website and game experience at flags.games.

Who is responsible

For data protection questions, contact us at support@flags.games. We will identify the legal controller in replies when required (for example regulatory requests).

Data we collect

Depending on how you use the Service, we may process:

  • Gameplay and technical data: scores, challenge progress, difficulty, multiplayer room activity, and anti-cheat signals.
  • Anonymous session identifier: a cookie-based session token so solo play and rate limits work without an account.
  • Account data (if you register): email address, authentication provider identifiers (Google/GitHub), username, avatar, XP, stats, friend code, and privacy preferences (such as leaderboard opt-out and friend-request settings).
  • Multiplayer: connection and room participation data processed by our game server.
  • Contact form: email, message content, reason for contact, optional page URL, and a device snapshot you submit with the form.
  • Security: IP address (from standard proxy headers) for bot checks, abuse rate limits, and similar verification when you sign in or use protected forms.
  • Client settings: sound, appearance, and privacy toggles stored in your browser (local storage) before or after sign-in.
  • Error and usage diagnostics: crash reports and product analytics in production (see service providers below).

Why we use data

We use data to run the game, secure the Service, improve features, respond to contact messages, and comply with law. Typical legal bases under GDPR include performance of a contract (accounts), legitimate interests (security, anti-cheat, analytics at a proportionate level), and consent where required (for example certain optional communications if we add them later).

Cookies and similar technologies

We use cookies and similar browser storage for core functionality and, only if you allow it, analytics.

Essential cookies (always on): an anonymous session token and device hint so solo play, rate limits, and security work. If you sign in, an authentication cookie keeps your session active.

Optional analytics (your choice): usage statistics, some session replays, and related identifiers sent to EU-hosted service providers through our own domain where possible. We do not use ad trackers.

Error monitoring runs separately to keep the Service stable; it does not use analytics cookies and avoids sending personal details by default.

You can choose Essential only or Help us improve in the cookie banner on your first visit, or open Cookie settings for more control. Change your choice anytime in Settings or from our legal pages. You can also limit storage in your browser; some features may not work without the session cookie.

Who we share data with

We do not sell your personal data. We use service providers that process data on our behalf, including:

  • Vercel for hosting, serverless functions, edge delivery, and web analytics.
  • Convex for authentication, backend functions, and app database storage.
  • Cloudflare for DNS, CDN/storage, Workers, and Turnstile bot checks.
  • Sentry for error, performance, log, and metrics monitoring.
  • PostHog EU for optional product analytics and session replay when enabled.
  • Resend and Router.so for account/support email and contact form routing.
  • OAuth providers such as Google and GitHub when you choose those sign-in methods. Their privacy policies also apply to that sign-in.

How long we keep data

We keep data only as long as needed for the purposes above, unless law requires longer retention. Account/profile data is kept until account deletion or closure. Auth sessions and refresh tokens are kept until expiry, revocation, or account deletion. Some short-lived technical rows are purged automatically, such as expired game tokens and XP idempotency rows after their safety window.

Contact messages are kept long enough to handle your request and improve support. Product analytics, error monitoring, hosting logs, and security records follow provider retention settings and security needs. Anonymous aggregate gameplay and community metrics may be kept when they no longer identify a player.

You can ask us about retention for your account by emailing the contact address below.

Your choices and rights

In the Service you can adjust privacy-related settings (for example opting out of public leaderboard activity or controlling friend requests) where those controls are available.

Depending on where you live, you may have rights to access, export, port, correct, delete, restrict, or object to processing of your personal data, and to lodge a complaint with a supervisory authority. Email us at the address below; we will respond within reasonable timeframes required by law.

Signed-in players can export app account data from Settings. The export is JSON and covers app database data such as profile, stats, Daily history, learning progress, friends, activity, auth-provider summary, and privacy preferences. Provider-side logs, analytics, and raw anti-abuse internals are handled through verified privacy requests.

Signed-in players can delete their account from Settings. This deletes direct account records such as profile, sign-in data, XP, stats, Daily history, learning progress, friends, requests, and account activity. Non-identifying aggregate gameplay, security records needed for abuse prevention, provider logs within provider retention windows, and anonymous historical rows that are not reliably attributable to the account may remain.

You can change cookie choices in Settings or from the Cookie settings link on our Terms and Privacy pages.

If you signed in with a third party, you can also manage some data in that provider's account settings.

Security

We use technical and organisational measures appropriate to a web game (encryption in transit, access controls on providers, rate limits, and monitoring). No online service can guarantee perfect security.

Children

The Service is not directed at young children. If you believe a child has given us personal data without appropriate permission, contact us and we will take reasonable steps to delete it.

International transfers

Our providers may process data in the European Union, United States, or other countries. Where required, we rely on appropriate safeguards offered by those providers (such as standard contractual clauses).

Changes to this policy

We may update this Privacy Policy. The date at the top will change when we do. Material changes may be described on the site or by email where appropriate for account holders.

Contact

Privacy questions and requests: support@flags.games (subject line "Privacy" helps us route your message).

See also our Terms of Service for rules on using the Service.

Terms of Service · Privacy Policy · · Contact