Kainyne Privacy Policy (DRAFT)
Last updated: [DECIDE: publish date — e.g. "April 21, 2026"]
Each [DECIDE: …] placeholder must be resolved and the document circulated for qualified-counsel review. Contact [email protected] with questions.
1. Who we are
Kainyne is an independent project that makes browser-native card games. This Privacy Policy describes what personal data kainyne.com (the "Service") collects when you visit the site or play one of the games, how we use it, how long we keep it, and the rights you have over it.
Data controller: [DECIDE: legal entity — e.g. "Kainyne LLC, a [state] limited liability company" OR "[Your Name], doing business as Kainyne" OR "Kainyne, a sole proprietorship operated by [Your Name]"].
Contact for privacy matters: [email protected].
If you are an EU/EEA resident and want to contact our EU representative, [DECIDE: appoint an EU representative via Article 27 of the GDPR if you have a substantive EU user base — otherwise note "We do not currently have an appointed EU representative because the Service does not process personal data of EU residents on a scale requiring one under Article 27(2) of the GDPR"].
2. What we collect, and why
We collect only the minimum data required to run the games and communicate with you if you ask us to. The table below enumerates every data point currently touched, the purpose for each, and the legal basis we rely on (GDPR Article 6).
| What | Where | Why | Legal basis |
|---|---|---|---|
| Per-tab game state (`war_<tabId>_*`, `president_<tabId>_*`) | Your browser's sessionStorage | So reloading the page during a match doesn't lose your seat and hand | Legitimate interest (service functionality) |
| Your chosen display name (`war.screenName`, `president.screenName`) | Your browser's localStorage | So your name persists between games and across tabs on the same device | Consent (you typed it in) |
| WebRTC signaling state | The war-signaling Cloudflare Worker | To connect you to another player's browser for peer-to-peer gameplay | Legitimate interest |
| TURN credentials | Fetched from the worker, transiently | NAT traversal fallback when direct peer-to-peer fails | Legitimate interest |
| Runtime error details (`war_<tabId>_errlog`) | Your browser's sessionStorage (and, once [RFE-111] ships, a short-retention server log) | So we can debug crashes you or other users encounter | Legitimate interest (security & service integrity) |
| Future: your email address — only if you subscribe to the newsletter | Our email service provider [DECIDE: Buttondown / ConvertKit / self-hosted via Cloudflare Worker — pick one before launching the newsletter] | To send you the newsletters you subscribed to | Consent (double-opt-in) |
| Future: aggregated analytics (page views, rough referrers, device class) | Our analytics provider [DECIDE: Plausible / Fathom / self-hosted Umami / server-side counters — pick one before enabling analytics] | To understand roughly how the site is used, at an aggregate level | Legitimate interest (we do not profile individuals) |
We process all of these data points for the single purpose listed. We do not sell, rent, or share them with anyone outside the processors listed in §4.
3. What we do not collect
For clarity and to prevent scope creep over time:
- No audio or video. WebRTC is used only for the game's data channel; the client does not request microphone or camera access.
- No location data. We do not request, infer, or store geolocation beyond whatever coarse country/region signal the chosen analytics tool passively picks up from IP before anonymization.
- No fingerprinting. We do not run canvas / WebGL / font fingerprinting scripts. We do not use ad-tech SDKs, social-network pixels, or cross-site tracking cookies.
- No ad networks. The Service does not display third-party advertising.
- No background tracking between sessions beyond the localStorage screen name you entered yourself.
4. Third-party processors
We use a small number of service providers to run the Service. Each of them processes personal data on our behalf under a Data Processing Agreement (DPA) where applicable.
- Cloudflare, Inc. — hosts kainyne.com via Cloudflare Pages and runs the signaling Worker and its KV storage. United States, with a global edge network. [DECIDE: confirm our DPA with Cloudflare is signed — Cloudflare provides one at https://www.cloudflare.com/cloudflare-customer-dpa/].
- Metered, Inc. — provides TURN servers (NAT traversal). The signaling Worker proxies short-lived credentials; Metered does not receive your Kainyne identity. [DECIDE: verify the Metered DPA covers TURN usage or switch to a provider that provides one].
- [DECIDE: email service provider — e.g. Buttondown Software LLC, with DPA at https://buttondown.email/dpa] — processes newsletter emails if you subscribe. Only used once [RFE-114] ships.
- [DECIDE: analytics provider — e.g. Plausible Insights OÜ, Estonia, with DPA at https://plausible.io/dpa] — processes anonymized page-view aggregates if analytics is enabled. Only used once [RFE-140] ships.
For EU/EEA users, cross-border transfers to U.S.-based processors (Cloudflare, and potentially the email and analytics providers) rely on [DECIDE: Standard Contractual Clauses with the processor, the EU-U.S. Data Privacy Framework where the processor participates, or equivalent transfer mechanism]. Request the list of transfer-mechanism documents via the privacy contact in §1.
5. How long we keep your data
| Data | Retention |
|---|---|
| Per-tab sessionStorage | Until you close the tab (browser-controlled) |
| Your screen name (localStorage) | Until you clear it yourself in our UI or via browser settings |
| WebRTC signaling state in the Worker | Cleared by the Worker's TTL within minutes of the match ending |
| Errlog client ring buffer | 50 entries rolling, cleared on tab close |
| Errlog server log (once [RFE-111] ships) | 7 days, then automatically deleted |
| Newsletter email address | Until you unsubscribe (immediate deletion on unsubscribe) |
| Analytics aggregates | [DECIDE: typically 12 months is a sensible ceiling; Plausible defaults to rolling-window aggregates so no individual events persist past the window] |
For proof-of-consent records (§6) we retain the timestamp and consent scope for [DECIDE: 6 years after the consent ends, per the GDPR statute-of-limitations convention] to be able to respond to later regulator audits.
6. Your rights
Depending on where you live, you may have any of the following rights over your personal data:
- Access — Get a copy of the data we hold on you.
- Deletion — Ask us to delete your data (subject to the retention floors in §5 where we're legally required to keep records).
- Portability — Receive your data in a machine-readable format and, where technically feasible, have it transmitted to another controller.
- Correction — Have inaccurate data corrected.
- Objection — Object to processing that relies on legitimate interest (§2).
- Withdraw consent — Where processing relies on consent (newsletter, screen name), withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Lodge a complaint — With your local data-protection authority (EU/EEA residents) or the appropriate regulator (UK, California, etc.).
To exercise any of these rights, email [DECIDE: privacy contact from §1] with your request. We will respond within 30 days. We may ask for enough information to confirm that the request comes from you (not from someone trying to extract your data by impersonation); we will collect the minimum needed for that check.
California residents have additional rights under the CCPA/CPRA, including the right not to be discriminated against for exercising these rights.
7. Children's privacy
The Service is not directed at children under 13 (United States, per the Children's Online Privacy Protection Act) or under 16 [DECIDE: or whichever threshold applies in the specific EU member state — 13 to 16 depending on national GDPR transposition]. We do not knowingly collect personal data from users below these ages.
If you believe a child has provided personal data to us, please contact [DECIDE: privacy contact from §1] and we will delete the data within 30 days, without requiring a guardian's retroactive signed consent and without penalty to the child.
8. Cookies and similar technologies
The Service is cookie-free by default as of the publication date of this policy. We set no cookies through our own origin, and we do not load third-party scripts that set cookies on your device.
Browser-side storage we do use, which is not a cookie but is subject to similar user controls:
- `localStorage` on your device — stores your chosen screen name (§2).
- `sessionStorage` on your device — stores per-tab game state during a match.
You can clear either at any time via your browser's developer tools or site settings. Doing so will reset your display name and end any in-progress match.
If the analytics tool chosen under [RFE-140] ends up using cookies (e.g. if we migrate from a cookie-less tool to a tool like Google Analytics, which we currently do not plan to do), this section will be updated, a cookie banner will appear before such cookies are set, and EU/EEA users will be asked for explicit consent per the ePrivacy Directive.
9. Security
- Traffic between your browser and the signaling Worker, and between browsers during a match, is encrypted (HTTPS for the static site; DTLS for the WebRTC data channel).
- We do not store plaintext identifiers in logs where a hashed form is sufficient — [RFE-168] plans pseudonymization of IPs at collection time for the errlog endpoint and analytics.
- We maintain an incident-response process and will notify affected users of any confirmed personal-data breach within the timelines required by applicable law (for GDPR: within 72 hours of discovery for notifications to the supervisory authority; without undue delay for affected data subjects when the breach is high risk to their rights and freedoms).
We cannot guarantee absolute security of any system, but we commit to using reasonable measures consistent with the risk profile of the data we hold (primarily: ephemeral game state and opt-in newsletter addresses).
10. Changes to this policy
We will revise this policy when our practices change.
- Material changes (new data categories, new processors, new purposes) — we will give at least 30 days' notice via a banner on the site and, if you are subscribed, via the newsletter. The new version's "Last updated" date will be the effective date.
- Minor changes (wording clarifications, typo fixes) — we will update the "Last updated" date.
Previous versions of this policy will be retained [DECIDE: linked from a /legal/privacy/archive/ page, or stored in the repo's git history and linked via a permalink — the latter is zero-maintenance] so you can see what the policy said at any given time.
11. Contact
For privacy questions, rights requests, or anything else covered here:
- Email: [email protected]
- Postal address: [DECIDE: a physical address is required under both GDPR and CCPA for certain requests — a registered business address or a PO box is acceptable]
For general, non-privacy questions, reach us at [email protected].