1. What we collect
When you sign up
- Email address
- Username (chosen by you)
- Hashed password — Supabase Auth handles this. We never see or store your plaintext password.
When you play
- Scores, accuracy, time taken, streak data
- Which puzzles you've played and when
- Hashed IP address and device fingerprint — for anti-cheat. These are one-way hashes; we can match them to detect multi-account use but cannot reverse them to find your actual IP.
When you submit to Community
- The puzzle content you submit
- Your username, displayed publicly as the creator
When you claim a prize
- Full legal name
- Date of birth
- A copy of government-issued photo ID (driver's licence, passport, or proof of age card)
- Payout details (PayPal email or Australian bank account)
We never collect
- Credit card numbers — Stripe handles all card payments; we never see card data.
- Your contacts, location, calendar, or any data outside PuzzlePie
- Your activity on other sites (no third-party advertising or tracking cookies)
2. How we use it
We use your data for the following reasons:
- Run the service. Let you log in, save scores, and show leaderboards.
- Prevent cheating. Match hashed IPs and devices to spot multi-account use. Review session logs before paying prizes.
- Pay out prizes. Verify identity and process payment to winners. Comply with Australian AML/CTF Act requirements for payouts over thresholds.
- Communicate. Send transactional emails — password resets, prize claim notifications, security alerts. We do not send marketing email without your opt-in consent.
- Improve the product. Use aggregated, de-identified play data to fix bugs and design new puzzles. Individual play patterns are never published.
3. Who we share it with
We use the following service providers to operate PuzzlePie:
- Supabase — our database and authentication provider. Data is hosted in Supabase's South Asia region (Mumbai, India). Because this is outside Australia, we rely on Supabase's contractual data-protection commitments to ensure your information is handled in line with the Australian Privacy Principles (in particular APP 8 on cross-border disclosure). By using PuzzlePie, you consent to your information being stored in this region. We'll update this page if we change regions.
- Vercel — our web hosting platform. Sees request logs and performance metrics, not application data.
- Sentry — our error monitoring. Receives error stack traces, which may include your user ID when an error happens during your session.
- Stripe and/or PayPal — used to pay out cash prizes. They receive only the information needed to make a single payment to a winner.
We may also disclose data when required by Australian law (e.g. court orders, ATO requirements, AUSTRAC reporting for AML/CTF compliance). We will not voluntarily share your data with anyone else.
4. Cookies
We use one essential cookie — the Supabase auth cookie — to keep you signed in across page loads. Without it, you couldn't log in.
We don't use marketing cookies, advertising trackers, or third-party analytics. You can clear the auth cookie at any time from your browser settings; you'll just need to sign in again next time.
Advertising (planned)
We do not currently show ads. We may introduce advertising in the future to help fund the prize pool. If we do:
- Ads would be served by a third-party advertising provider (for example, Google AdSense). That provider may set its own cookies to measure ad performance and limit how often you see the same ad.
- Premium subscribers will never see ads, and no advertising cookies will be set for them.
- We will never place ads inside a live puzzle, and we will not share your account details, scores, or KYC information with advertisers.
- We will update this policy — and notify you on the site — before any ads or advertising cookies go live, so you can review the change first.
5. How long we keep it
- Account info: while your account is open, plus 30 days after closure (for dispute resolution), then deleted.
- Hashed IP & device fingerprints: rolling 90 days from the last play.
- Score history: kept while your account is open. Aggregated/anonymised score data may be retained indefinitely.
- Prize claim records and KYC documents: 7 years from the date of payout. Australian tax law (PSAR/AUSTRAC) requires this for cash payments.
- Community puzzles you submitted: stay live while we operate PuzzlePie. You can request removal at any time (see section 6).
6. Your rights
Under the Australian Privacy Principles, you have the right to:
- Ask what personal information we hold about you
- Ask us to correct anything that's inaccurate
- Ask us to delete your account and personal data (subject to the retention requirements above for prize records)
- Complain to the Office of the Australian Information Commissioner if you believe we've mishandled your information
If you're in the EU or UK, you additionally have the rights under the GDPR / UK GDPR to:
- Access a portable copy of your data
- Restrict or object to certain processing
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email support@puzzlepie.com. We'll respond within 30 days.
7. Children
PuzzlePie is for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe we hold data about a minor, email us and we will delete it.
8. Security
- All traffic to and from PuzzlePie is encrypted in transit via HTTPS.
- Passwords are hashed using bcrypt (handled by Supabase Auth) and are not recoverable, even by us.
- Personal data sits behind Postgres row-level security policies — users can only read and modify their own data.
- KYC documents (when submitted for prize claims) are stored in a private bucket and deleted once verification is complete and the tax-retention period passes.
- We monitor for suspicious account activity. If we discover a data breach that's likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner as soon as practicable, as required under the Notifiable Data Breaches scheme.
9. Changes to this policy
We'll update the "Last updated" date at the top of this page whenever we change it. For material changes — anything that affects how we collect or use your data — we'll display a notice on the site for at least 14 days before the change takes effect.
10. Contact
For all privacy-related questions, requests, or complaints: support@puzzlepie.com. We aim to respond within 5 business days.
See also our Terms of Service and Prize Rules.