Privacy Policy
Last updated: 2026-05-01
Who we are
Neotolis Game Promotion Diary is operated by an indie game developer. The service is open-source and MIT-licensed; the source code lives at https://github.com/d954mas/neotolis-game-promotion-diary. For all data-protection questions, contact [email protected].
What data we collect
Identity: your Google email address and your unique Google account identifier.
Usage: the IP address and user-agent of every API request are recorded in the per-user audit log.
User content: game cards, registered data sources, events (videos, posts, conferences), notes, tags (exactly the content you enter).
OAuth tokens (Google access and refresh tokens) and per-user API keys are envelope-encrypted at rest with a per-row data-encryption key (DEK) wrapped by a key-encryption key (KEK) loaded from the environment.
Lawful basis (GDPR Art. 6)
We process your data to perform the service contract you initiated by signing in (Article 6(1)(b)). We do not use your data for marketing, analytics, advertising, or training of AI models.
Who we share with
Cloudflare Inc.: CDN, TLS termination, DDoS protection, edge caching.
Google LLC: OAuth identity provider.
Cloudflare R2: encrypted off-site backups (server-side encryption + bucket-lock retention).
Where data is stored
The primary database lives on a VPS in the EU. Backups are stored in Cloudflare R2 with server-side encryption.
Retention
Active accounts: stored for as long as the account is open.
Soft-deleted accounts: kept for 60 days, then purged.
Backups: rotating 30-day window via R2 bucket-lock retention.
Worst-case time until data is physically gone: ~90 days (60 active + 30 backup overlap).
Your rights (GDPR Articles 15 to 22)
Article 15 (Right of Access): download every record we have about you via Settings → Account → Export my data.
Article 16 (Right to Rectification): edit anything in-app, or email [email protected].
Article 17 (Right to Erasure): delete your account from Settings → Account → Delete my account. A 60-day grace period lets you restore.
Article 20 (Right to Data Portability): same export endpoint; the JSON shape is documented in our public install runbook.
Article 21 (Right to Object): email [email protected].
Article 22 (No automated decision-making): we do not run AI on your data.
Cookies
We set one session cookie (Better Auth) for authentication. We do not use analytics cookies, tracking pixels, or third-party advertising.
Children
The service is intended for adults (18+). We do not knowingly collect data from children. If we learn we have inadvertently received children's data, we will delete it on notification to [email protected].
Security measures
Envelope encryption (AES-256-GCM) for at-rest secrets, TLS 1.3 with HSTS in transit, per-tenant audit log, INSERT-only audit trail, source code public on GitHub.
Updates to this policy
The last-updated date appears at the top of this page. Material changes are announced via an in-app banner.
Complaints
You can complain to your national Data Protection Authority. The European Data Protection Board lists national authorities at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Contact
For privacy questions, exercise of rights, or any data-protection concern: [email protected]