Privacy policy

Last updated: May 14, 2026

Privacy policy of the aiboardgames.cloud service


1. Scope of this policy

This privacy policy describes the rules for processing data in connection with the use of:

  • the website available at the domain aiboardgames.cloud (the "Service"),
  • the game "Koleją przez Polskę" (Trains Through Poland),
  • related features including sign-in, leaderboard, game saving, feedback forms, and the admin panel.

2. Data controller

The controller of personal data processed by the Service is the operator of the aiboardgames.cloud website, operating under the AI Board Games brand (the "Controller").

Contact for data protection matters: privacy@aiboardgames.cloud

If a Data Protection Officer (DPO) is appointed for selected processing activities, their contact details will be provided separately on the Service or in direct correspondence.

3. What data we process

Depending on how you use the Service, we may process:

  • the email address provided when signing in via magic link,
  • the email address and the unique Google account identifier (sub) - solely when you choose to sign in with Google. First name, last name, and profile picture from the Google account are not stored,
  • a technical player identifier (Player ID) derived cryptographically from the email address using HMAC-SHA256 - this constitutes pseudonymization; without the secret key, which is held only on the server side, the identifier cannot be linked back to an email address, and even with the key it can only be matched against a candidate address, since HMAC is not reversible,
  • the chosen player nickname (pseudonym),
  • gameplay data, including saved games, game state checkpoints (LangGraph), move history, final scores (points for routes, tickets, longest line, stations), turn count, leaderboard position, language settings, and AI model settings used in a given game,
  • feedback content, rating (1-5), feedback type (general, bug report, crash report, post-game), game session identifier, simplified game context, and submission date,
  • technical and security data, such as IP address, timestamps, session identifiers, HTTP request paths, basic error logs, and information about failed admin panel login attempts,
  • information stored locally in the browser using essential or functional technologies, described in Section 9.

4. Data related to AI and API keys

The Service enables the use of external LLM (Large Language Model) services that control AI opponents and the narrator. The default provider is OpenAI, but the user may specify a different compatible endpoint.

The LLM provider API key may be stored in one of two modes - the choice rests with the user:

Mode A (default) - key stored exclusively in the browser.

  • The key is provided by the user when starting a game and held only in the browser tab memory. It is discarded when the tab is closed.
  • The key is not saved in the application database, in game checkpoints, or in server logs.
  • The key is transmitted to the backend only as an HTTP header (X-LLM-Api-Key) for the duration of a specific request to the selected LLM provider.

Mode B (optional, requires explicit user opt-in) - key encrypted in the user's account.

  • The user may, from the Account panel ("LLM API keys" section) or via an optional checkbox in the API-key dialog, save the key to the Service database.
  • The key is encrypted on the server using AES-256-GCM, with an additional binding (AAD) tying the ciphertext to the user identifier and the provider, before it reaches the database. The master encryption keys live exclusively in process environment variables, never in the database.
  • The raw (plaintext) key is never displayed in the UI after it has been stored - only an identification fingerprint (e.g. sk-abc-***...***) is visible, intended solely to help the user recognise their own key.
  • The key is decrypted only in process memory, for the duration of a single call to the selected LLM provider. It is never persisted or logged in plaintext anywhere.
  • The user may delete the stored key at any time from the Account panel. Deletion is immediate and irreversible.
  • No key can be stored in Mode B for the ollama_local provider (local development server) - none is required for it, and the database rejects the operation at the integrity-constraint level.

In both modes, data necessary for the game to function may be transmitted to the selected LLM provider, in particular the player nickname or name, game state, move history, tickets, scores, board data, game language, and selected model settings. If the user specifies their own LLM endpoint, the provider chosen by the user also becomes a data recipient.

4.1. Data retention on the OpenAI side (default provider)

According to OpenAI's policy in effect as of the date this document was last updated:

  • data transmitted via the API (inputs and outputs) is not used to train OpenAI models (opt-out by default since March 1, 2023),
  • input and output data is retained by OpenAI for up to 30 days solely for abuse monitoring purposes, after which it is deleted,
  • eligible customers may apply for Zero Data Retention (ZDR) or Modified Abuse Monitoring, under which the content of requests and responses is not logged on OpenAI's side at all.

Details: API data usage policies (OpenAI), Data Processing Addendum (OpenAI).

If using a different LLM provider, the user should review that provider's privacy and data retention policy.

5. Purposes, legal bases, and retention periods

5.1. Sign-in, access verification, and session management

Purpose:

  • sending a one-time sign-in link (magic link),
  • verifying whether the user has active game access as part of a LangHug Club subscription,
  • maintaining the signed-in user's session,
  • linking the game account to the technical player identifier (Player ID).

Legal basis:

  • Art. 6(1)(b) GDPR - performance of a contract or taking steps at the user's request prior to using the service,
  • Art. 6(1)(f) GDPR - legitimate interest of the Controller in ensuring sign-in security and protecting the service from abuse.

Retention period:

  • the magic link is valid for 15 minutes,
  • the main session cookie (ppp_session) is valid for up to 30 days, extended on activity, or until logout; the auxiliary sign-in cookie (ppp_auth) is valid for up to 24 hours or until logout (details in Section 9.1),
  • the email address is not stored in the game database as a separate account record; however, it may be processed for the time necessary to handle sign-in, within the email delivery provider's system (Resend), and in security logs.

5.2. Gameplay, game saving, and statistics

Purpose:

  • running games with AI opponents,
  • saving and resuming games (LangGraph checkpoints),
  • calculating scores, leaderboard rankings, and player career statistics,
  • displaying estimated costs and AI model token usage in the game interface.

Legal basis:

  • Art. 6(1)(b) GDPR - performance of the game service contract.

Retention period:

  • nickname, saved games, checkpoints, scores, and statistics are retained for the duration of service use, and subsequently until deletion at the user's request, service closure, or expiration of the period necessary for defense against claims.

5.3. Public leaderboard

Purpose:

  • publishing a player leaderboard based on nickname and aggregated scores.

Legal basis:

  • Art. 6(1)(b) GDPR - functionality constituting part of the game service.

Retention period:

  • until account/data deletion, service closure, or successful objection, provided continued publication is not necessary for score accountability.

Note: the leaderboard displays only the nickname and game statistics, without publishing the email address. We recommend not using your real name or other easily identifiable information as your nickname.

5.4. Feedback, bug reports, and crash reports

Purpose:

  • handling reports,
  • improving game quality,
  • diagnosing bugs and crashes,
  • defense against claims related to service operation.

Legal basis:

  • Art. 6(1)(f) GDPR - legitimate interest of the Controller in product development, report handling, and ensuring security.

Limitations: maximum 5 submissions per player within 60 minutes.

Retention period:

  • as a rule, up to 24 months from the closure of the report, and longer only when necessary to investigate an incident, defend against claims, or fulfill legal obligations.

5.5. Security, logs, and the admin panel

Purpose:

  • detecting abuse,
  • protecting system integrity,
  • limiting unauthorized access attempts,
  • diagnosing errors.

Legal basis:

  • Art. 6(1)(f) GDPR - legitimate interest of the Controller in protecting the Service,
  • Art. 6(1)(c) GDPR - where processing is required by law.

Retention period:

  • technical and security logs are retained as a rule for no longer than 30 days, unless longer retention is necessary for incident analysis, evidence preservation, or defense against claims.

5.6. Stored LLM provider API key (Mode B, optional)

Purpose:

  • to simplify use of the Service by removing the need to manually type the API key for each new game.

Scope of data:

  • the provider identifier (e.g. openai, ollama_cloud),
  • the API key in encrypted form (AES-256-GCM, AAD binding on user_id + provider + encryption key version),
  • the identification fingerprint shown in the UI (<first 6 characters>-***...),
  • timestamps: validation date, creation date, last modification date, and last use date.

Legal basis:

  • Art. 6(1)(a) GDPR - the user's consent, expressed by deliberately opting in to this feature (checking the "Save key in my account" checkbox or adding the key in the Account panel).

Retention period:

  • until the user deletes the entry (from the Account panel or by deleting their account).

Withdrawal of consent: at any time by deleting the stored key from Account -> LLM API keys. Deletion is immediate and irreversible; afterwards the key can still be used in Mode A (per-request header) without being stored.

5.7. Audio and video streaming in private matches (WebRTC)

Purpose:

  • to allow players in a private match to see and hear each other during gameplay, increasing the sense of shared presence ("social presence") without relying on a separate communicator.

Scope of processing on the Controller's side:

  • the host's decision to allow streaming in a given game (streaming_enabled = true/false) - stored in the game state,
  • short-lived TURN server credentials (a username and a password derived with HMAC from a server-side secret, typically valid for 1 hour) - generated on request and not persisted to the database,
  • WebRTC signaling metadata (SDP offers, SDP answers, ICE candidates) - relayed between players through an in-memory event bus in an ephemeral manner, without database persistence.
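How short-lived TURN credentials of the kind listed above can be issued and checked without any database row, as an added example in Go. This is not the Service's code; it assumes the time-limited credential scheme that coturn implements (its "use-auth-secret" mode), in which the username is "<unix expiry>:<user>" and the password is the base64 HMAC-SHA1 of that username under a shared secret. The page says only that the credentials are a username and an HMAC string valid for about an hour; the secret, the player id and the function names below are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// TURNCredential is handed to the browser for RTCPeerConnection's iceServers.
// Nothing here is written to a database: the relay recomputes the password
// from the username and the shared secret on every ALLOCATE request.
type TURNCredential struct {
	Username string
	Password string
	TTL      time.Duration
}

// turnPassword computes base64(HMAC-SHA1(secret, username)), the coturn
// time-limited credential format (assumed, see lead-in).
func turnPassword(secret []byte, username string) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write([]byte(username))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// IssueTURNCredential builds "<expiry>:<player>" plus its HMAC password.
// The expiry is embedded in the username so the relay can enforce it
// without state; tampering with it changes the HMAC input and fails.
func IssueTURNCredential(secret []byte, playerID string, now time.Time, ttl time.Duration) TURNCredential {
	expiry := now.Add(ttl).Unix()
	username := strconv.FormatInt(expiry, 10) + ":" + playerID
	return TURNCredential{Username: username, Password: turnPassword(secret, username), TTL: ttl}
}

// VerifyTURNCredential is the relay-side check: constant-time password
// comparison first, then the expiry carried in the username.
func VerifyTURNCredential(secret []byte, username, password string, now time.Time) error {
	expStr, _, ok := strings.Cut(username, ":")
	if !ok {
		return errors.New("malformed username")
	}
	expiry, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil {
		return errors.New("malformed expiry")
	}
	if !hmac.Equal([]byte(turnPassword(secret, username)), []byte(password)) {
		return errors.New("bad password")
	}
	if now.Unix() >= expiry {
		return errors.New("credential expired")
	}
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret") // illustrative only
	now := time.Now()
	c := IssueTURNCredential(secret, "player-42", now, time.Hour)
	fmt.Println("username:", c.Username)
	fmt.Println("valid now:", VerifyTURNCredential(secret, c.Username, c.Password, now))
	fmt.Println("after 61 min:", VerifyTURNCredential(secret, c.Username, c.Password, now.Add(61*time.Minute)))
}
```

Because the expiry is part of the HMAC input, a client cannot extend its own credential by editing the username, and a credential captured from signaling traffic stops working on its own once the hour is up.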

What we do NOT process:

  • we do not record or store any audio or video - the streams flow directly between players' browsers (peer-to-peer, WebRTC),
  • the server has no access to media content; even in the fallback scenario (TURN-relay, when a firewall blocks the direct connection) the packets are encrypted (DTLS-SRTP) and only relayed in transit,
  • we do not process biometric features of participants (no face recognition, no voice analysis) - we simply have no access to them.

Disclosure of IP address to other participants:

  • enabling the camera or microphone may expose your IP address to the other players in the same game - this is a standard property of the WebRTC protocol (ICE candidates carry IP addresses) that cannot be avoided without losing connection quality. Streaming is only available in private matches with people invited by the host, so the situation is analogous to a video call with friends in any communicator. This information is additionally surfaced in the application as a one-time informational dialog the first time you try to enable a camera or microphone.

Legal basis:

  • Art. 6(1)(a) GDPR - the user's consent, expressed by deliberately enabling the camera or microphone during the game (opt-in, separately per device), combined with the browser's prompt for device access.

Retention period: no retention - all signaling metadata vanishes together with the server process at the end of the session.

Withdrawal of consent: at any time by turning the camera or microphone off in the game's chat panel, or by revoking permission in browser settings.

5.8. Multiplayer game invitation emails

Purpose:

  • delivering a short email with a private-lobby join link to a player invited by another platform user, but only when the host explicitly ticks the "Email the invitation to the player" checkbox in the invite dialog.

Processing scope:

  • to dispatch the email we read the invitee's stored email address (we have it because the invitee already holds a platform account) and hand the message off to our email processor (Resend),
  • the message contains only: the platform name, the host's nickname, the map name, and the auto-join link with the invite code; we do not reveal the host's address to the invitee nor the invitee's address to the host,
  • every send call is recorded as a single audit row (auth_audit_log, events invite_email_sent / invite_email_failed / invite_email_rate_limited / invite_email_skipped) carrying the game id, the invitee's player id and an optional failure reason - but never the body of the message,
  • technical rate limits apply (at most 10 invite emails per recipient per hour, 30 per host per hour) to prevent abuse of the feature for spam.

Legal basis:

  • Art. 6(1)(b) GDPR - processing necessary for performance of the user agreement, which includes the ability to organise a private match with other registered platform users.

Retention period:

  • we do not archive the message body on our side; Resend, the email processor listed in section 6.1, applies its own retention period to the message,
  • the audit-log entry - 90 days (matching the standard auth_audit_log retention),
  • the invite token (code) itself expires together with the lobby and is removed by cascade when the game is deleted.

Objection / channel opt-out:

  • the mechanism is organisational, not technical: the host can simply leave the checkbox unchecked and share the link via any other channel (e.g. an instant messenger). We do not keep a separate notification-preferences table because game invitations are fully transactional - always initiated explicitly by another user.

6. Data recipients and processors

Data may be disclosed to the following categories of recipients:

6.1. Resend, Inc. (USA)

  • Scope of data: user's email address.
  • Purpose: sending emails with sign-in links (magic links) and, when the host explicitly requests it, multiplayer invitation emails (Section 5.8).

6.2. Google LLC (USA) - OAuth authentication

  • Scope of data: the email address and unique Google account identifier (sub) transmitted by Google to the Controller as a result of OAuth 2.0 authentication; redirects between the Service and Google.
  • Purpose: enabling sign-in to the Service using a Google account as an alternative to magic link. The client secret and the authorization code exchange (Authorization Code + PKCE) take place exclusively between the Controller's server and Google's servers.
  • Legal basis: Art. 6(1)(a) GDPR - user consent (given by selecting "Sign in with Google" and accepting Google's consent screen).
  • Google's privacy policy: https://policies.google.com/privacy

6.3. AI/LLM service provider (OpenAI by default)

  • Scope of data: data necessary for gameplay - player nickname/name, game state (map, cards, player positions), move history, tickets, scores, board data, game language, model settings. The email address is not transmitted to the provider at all; the API key reaches the provider only as the authorization credential of each request, never as prompt content.
  • Purpose: generating AI opponent decisions and optional in-game narration.
  • Retention on OpenAI's side: up to 30 days as part of abuse monitoring (data is not used for model training). Details in Section 4.1.
  • Note: the user independently provides the API key and may choose a different AI service provider. The Controller has no control over the data processing terms of the provider chosen by the user. The user should review the privacy policy of their chosen provider (e.g., https://openai.com/policies/row-privacy-policy).

6.4. Hosting service provider

  • Scope of data: all data processed by the Service (within the scope of server and database infrastructure).
  • Purpose: maintaining and making the Service available.

6.5. Supporting entities

  • Entities supporting the Controller in IT operations, security, and bug resolution - to the extent necessary for performing these tasks.

6.6. Entities authorized under applicable law

  • Government authorities and other entities authorized to request access to data under applicable legal provisions.

7. Data transfers outside the EEA

Some service providers used by the Service may process data outside the European Economic Area, in particular:

  • Resend (USA) - magic link email delivery,
  • Google LLC (USA) - OAuth authentication (only if the user chooses this sign-in method),
  • the LLM provider chosen by the user, OpenAI (USA) by default.

In such cases, data is transferred only when an appropriate legal basis for the transfer exists, in particular:

  • a European Commission adequacy decision (e.g., the EU-US Data Privacy Framework, if the entity in question is certified), or
  • appropriate safeguards under Art. 46 GDPR, in particular Standard Contractual Clauses (SCCs) adopted by the European Commission.

If the user specifies a non-standard LLM provider, the scope and geography of the transfer also depend on the user's choice.

8. Is providing data mandatory

Providing data is voluntary, but in some cases necessary to use the service:

  • email address - required to sign in via magic link,
  • active subscription to LangHug Club - required to access the game,
  • player nickname - required to start a game and use the leaderboard,
  • LLM API key - voluntary, but may be necessary to run a game with AI features depending on the selected endpoint,
  • feedback - providing it is entirely voluntary.

Failure to provide data required for sign-in or starting a game will prevent the use of the corresponding functionality.

9. Cookies and local browser data

The Service - as of the code state on the date this policy was last updated - does not use advertising or analytics cookies. Google Analytics and any other external analytics tools are not used.

Only essential and functional technologies are used:

9.1. Essential cookies

Name | Purpose | Type | Validity
ppp_session | Main session cookie - authenticated session identifier (with HMAC signature), rotated on every authenticated operation | HttpOnly, Secure, SameSite=Lax | 30 days (extended on activity) or until logout
ppp_auth | Auxiliary session cookie - synchronous hint for server components (Player ID derived from the email without an extra database round-trip) | HttpOnly, Secure, SameSite=Lax | 24 hours or until logout
ppp_oauth | Short-lived one-shot cookie - holds CSRF/PKCE parameters during the redirect to Google and back (only during OAuth sign-in) | HttpOnly, Secure, SameSite=Lax | 10 minutes or until sign-in completes

9.2. Browser localStorage data

Key | Purpose | Validity
ppp-usd-pln-rate-v1 | Caching the USD/PLN exchange rate from the National Bank of Poland API (for displaying estimated cost in PLN) | 24 hours
locale | Remembering the user's chosen interface language (Polish/English) | Until manually cleared

9.3. Browser sessionStorage data

Key | Purpose | Validity
LLM provider API key | Communication with the AI language model service | Until the browser tab is closed
Game start parameters | Temporary storage of new game configuration (number of AI players, language, selected model) | Consumed once
Admin panel session token | Authentication in the admin panel (if applicable) | Until the browser tab is closed

Data stored in localStorage and sessionStorage is not attached to requests automatically by the browser (unlike cookies). It leaves the browser only when the application explicitly sends it, as with the LLM API key, which Mode A places in the X-LLM-Api-Key header of the requests that need it (Section 4).

9.4. Legal basis

The legal basis for using the above technologies is Art. 399(3)(1) and (2) of the Act of July 12, 2024 - Electronic Communications Law, insofar as they are necessary for transmission or delivery of the requested service functionality, and Art. 6(1)(b) or (f) GDPR - depending on the purpose of processing.

If analytical, marketing, or other non-essential technologies are implemented in the Service in the future, an appropriate consent mechanism will be deployed before their activation.

10. User rights

Under the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council), every user has the following rights:

  1. Right of access (Art. 15 GDPR) - the right to obtain information on whether the Controller processes the user's personal data, and to obtain a copy of such data.

  2. Right to rectification (Art. 16 GDPR) - the right to request correction of inaccurate or completion of incomplete personal data.

  3. Right to erasure ("right to be forgotten") (Art. 17 GDPR) - the right to request deletion of personal data when:

    • the data is no longer necessary for the purposes for which it was collected,
    • the user has withdrawn consent and there is no other legal basis for processing,
    • the user objects to the processing,
    • the data has been processed unlawfully.
  4. Right to restriction of processing (Art. 18 GDPR) - the right to request restriction of data processing in certain cases.

  5. Right to data portability (Art. 20 GDPR) - the right to receive personal data in a structured, commonly used, machine-readable format and the right to transmit that data to another controller.

  6. Right to object (Art. 21 GDPR) - the right to object to processing based on the Controller's legitimate interest (Art. 6(1)(f) GDPR).

  7. Right to withdraw consent - where processing is based on consent, the right to withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.

  8. Right to lodge a complaint - the right to lodge a complaint with the supervisory authority: President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl

Exercising your rights

To exercise the above rights, please send a message to: privacy@aiboardgames.cloud

For security reasons, the Controller may request additional information to confirm that the request is being made by the appropriate person, in particular confirmation of the email address used to sign in.

The Controller will respond without undue delay and in any event within one month of receipt of the request. For complex or numerous requests this period may be extended by a further two months (Art. 12(3) GDPR); the user will be informed of the extension and its reasons.

Account deletion

To delete your account (along with all associated data: player profile, scores, game histories, feedback), please send a message to privacy@aiboardgames.cloud from the email address associated with the account.

11. Automated decision-making

User data is not used for making automated decisions that produce legal effects concerning them or similarly significantly affect them within the meaning of Art. 22 GDPR.

AI models are used solely for controlling AI opponent behavior, generating narration, and operating game features.

12. Data security

The Controller applies appropriate technical and organizational measures to protect personal data, including:

  • Pseudonymization: the player identifier is generated cryptographically (HMAC-SHA256) from the email address - the email address is not stored in the game database in plain text.
  • Encryption in transit: all communication takes place over the HTTPS (TLS) protocol.
  • Cookie security: the session cookie is marked with the HttpOnly (inaccessible to JavaScript), Secure (transmitted only over HTTPS), and SameSite=Lax flags.
  • Passwordless authentication: the magic link system means the Service stores no passwords, so there is nothing to leak and password reuse across sites cannot be exploited; the security of sign-in instead rests on access to the user's mailbox and on the short validity of the link.
  • Database privilege separation: the application uses an account with minimal privileges (read and write data only), separate from the administrative account (schema migrations).
  • Limited sign-in tokens: the sign-in link (magic link) expires after 15 minutes.
  • Protection of AI provider API keys: in the default mode (A) AI provider API keys are stored exclusively in the user's browser memory and never reach the database or server logs. If the user deliberately enables Mode B (saving the key in their account), the key is encrypted with AES-256-GCM and additionally bound (AAD) to the user identifier and provider name. Master encryption keys are kept only in process environment variables and rotated periodically. The raw key is never displayed in the UI after being stored - only an identification fingerprint is available.
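The pseudonymization and Mode B key-storage measures listed above (and described in Sections 4 and 5.6), shown end to end as an added example in Go. This is illustrative code written for this page, not the Service's own: the HMAC secret, the two master-key versions, the "|"-joined AAD layout, the ollama_local check and the function names are all assumptions. The page states only HMAC-SHA256 for the Player ID, AES-256-GCM with AAD over user id, provider and key version, a six-character fingerprint, and that ollama_local keys are never stored. The point the code makes is that a ciphertext row copied to another account, or relabelled with another provider, fails the GCM authentication check instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed, non-production secrets. In the Service these live only in
// process environment variables, never in the database.
var (
	playerIDSecret = []byte("example-player-id-hmac-secret")
	masterKeys     = map[string][]byte{ // key version -> 32-byte AES-256 key
		"v1": []byte("0123456789abcdef0123456789abcdef"),
		"v2": []byte("fedcba9876543210fedcba9876543210"),
	}
	currentKeyVersion = "v2" // rotation: new rows use v2, old rows still name v1
)

// PlayerID pseudonymises an email with HMAC-SHA256. Same address and secret
// always give the same id; without the secret the id cannot be linked back.
func PlayerID(email string) string {
	mac := hmac.New(sha256.New, playerIDSecret)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

// StoredKey is what a Mode B database row holds: never the plaintext key.
type StoredKey struct {
	Provider    string
	KeyVersion  string
	Nonce       []byte
	Ciphertext  []byte // AES-256-GCM output with the 16-byte tag appended
	Fingerprint string
}

// Fingerprint keeps only the first six characters for display in the UI.
func Fingerprint(apiKey string) string {
	if len(apiKey) <= 6 {
		return "***"
	}
	return apiKey[:6] + "-***..."
}

// aad binds a ciphertext to one user, one provider and one master-key version.
func aad(playerID, provider, keyVersion string) []byte {
	return []byte(playerID + "|" + provider + "|" + keyVersion)
}

func gcm(keyVersion string) (cipher.AEAD, error) {
	k, ok := masterKeys[keyVersion]
	if !ok {
		return nil, fmt.Errorf("unknown key version %q", keyVersion)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAPIKey produces the row for (playerID, provider) under the current key.
func EncryptAPIKey(playerID, provider, apiKey string) (StoredKey, error) {
	if provider == "ollama_local" {
		return StoredKey{}, errors.New("ollama_local keys are never stored")
	}
	aead, err := gcm(currentKeyVersion)
	if err != nil {
		return StoredKey{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredKey{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(apiKey), aad(playerID, provider, currentKeyVersion))
	return StoredKey{Provider: provider, KeyVersion: currentKeyVersion, Nonce: nonce,
		Ciphertext: ct, Fingerprint: Fingerprint(apiKey)}, nil
}

// DecryptAPIKey recovers the plaintext in memory only, for a single provider call.
// Any mismatch in user, provider or key version makes Open fail on the tag.
func DecryptAPIKey(playerID string, row StoredKey) (string, error) {
	aead, err := gcm(row.KeyVersion)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, row.Nonce, row.Ciphertext, aad(playerID, row.Provider, row.KeyVersion))
	if err != nil {
		return "", fmt.Errorf("AAD/tag check failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	alice := PlayerID("alice@example.com")
	row, _ := EncryptAPIKey(alice, "openai", "sk-abcdef0123456789")
	fmt.Println("fingerprint:", row.Fingerprint)
	_, err := DecryptAPIKey(PlayerID("mallory@example.com"), row)
	fmt.Println("cross-account decrypt:", err)
}
```

Including the key version in the AAD, not just in the row, means an attacker with write access to the database cannot point an old ciphertext at a different master key either; rotation then consists of re-encrypting rows under the new version, with old versions kept only until no row names them.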

At the same time, no internet transmission can guarantee complete security. We therefore recommend:

  • choosing a nickname that does not reveal your identity,
  • not including sensitive data, third-party data, or other people's API keys in feedback.

13. Age requirements

The Service is intended for persons who are at least 16 years old (in accordance with Art. 8 GDPR and the Act of May 10, 2018 on Personal Data Protection). The Controller does not knowingly collect personal data from persons under 16 years of age. If the Controller becomes aware that personal data has been provided by a person under 16 without the consent of a parent or legal guardian, such data will be deleted without delay.

14. Legal references

This privacy policy has been prepared in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
  • Act of May 10, 2018 on Personal Data Protection (Journal of Laws 2018, item 1000, as amended) - the Polish act implementing the GDPR.
  • Act of July 18, 2002 on Providing Services by Electronic Means (Journal of Laws 2002, No. 144, item 1204, as amended).
  • Act of July 12, 2024 - Electronic Communications Law (Journal of Laws 2024, item 1221) - with regard to the use of cookies and analogous technologies (Art. 399).

15. Changes to this privacy policy

This policy may be updated as the Service's features, providers, or applicable laws change. Users will be notified of significant changes through appropriate notices on the Service. The current version will be published with a new update date.


Privacy policy - version 5, dated May 14, 2026.