Privacy Policy
Last updated: 2026-05-27
1. Who we are
Board Game Guru ("we," "us") is operated by Akash Awase as a sole proprietor. We run the website at boardgameguru.org and its subdomains.
For anything in this Privacy Policy, contact privacy@boardgameguru.org.
We are the data controller (GDPR / UK GDPR), business (CCPA/CPRA), and enterprise (Quebec Law 25) for the personal information described here.
2. Scope
This policy applies to the boardgameguru.org website and the services delivered through it. It does not apply to third-party sites we link to, which have their own policies.
3. The personal information we collect
Account data — your email, full name, a hashed password if you sign up with email, and, if you sign in with a third-party identity provider, the user ID and avatar provided by that provider.
Usage data — the questions you ask the assistant, the answers you are shown, your game progress, feedback comments you submit, and which games you have viewed.
Technical data — IP address, browser User-Agent, device type, referring URL, and approximate location derived from IP (country/region level).
Analytics and session replay (with your consent) — page views, clicks, custom in-product events, and video-like replays of how you interacted with the site. Session replay records the characters you type into form fields, including the chat assistant. It is linked to your account once you log in. No replay or analytics capture starts until you have accepted in our cookie banner.
We do not collect special-category data (race, religion, health, etc.). We do not engage in behavioural advertising and we do not sell or rent personal information to anyone.
4. Why we collect it (and the legal basis under GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Create and authenticate your account | Contract — Art. 6(1)(b) |
| Provide AI rules answers and save your chat history | Contract — Art. 6(1)(b) |
| Respond to feedback and game requests | Legitimate interest — Art. 6(1)(f) |
| Keep the service secure (rate limiting, abuse prevention) | Legitimate interest — Art. 6(1)(f) |
| Analytics and session replay | Consent — Art. 6(1)(a) |
| Comply with legal obligations | Legal obligation — Art. 6(1)(c) |
5. How long we keep it
| Data | Retention |
|---|---|
| Account record | Until you delete your account, then deleted within 30 days |
| Chat history | Until you delete it or your account, then deleted within 30 days |
| Game progress | Until you delete your account, then deleted within 30 days |
| Feedback and game requests | Up to 24 months from submission |
| Server access logs | Per our hosting provider's then-current retention (typically 30 days) |
| Analytics events and session replays | 12 months from collection |
| Backups | Up to 30 days; deletions propagate on the backup expiry cycle |
If you ask us to delete data earlier, we will action it within 30 days.
6. Who we share it with
We share personal data only with the service providers we need to run the product. Our subprocessors cover the following categories:
- Hosting and content delivery — to serve the website.
- Database, authentication, and file storage — to manage your account and store your content.
- AI model providers — to generate the assistant's answers and the learning guides. Your question, the relevant game's rules text, and your conversation excerpts are sent on a per-request basis.
- Product analytics and session replay — to understand how the assistant is used (only with your consent).
All subprocessors operate under written contracts that bind them to confidentiality, security, and the limits of this policy. They are based in the United States. A current list of named subprocessors and the regions they operate in is available on request from privacy@boardgameguru.org. We will give you 30 days' advance notice of material changes if you ask us to.
We do not sell personal information. We do not share personal information with third parties for their own purposes, except where required by law.
7. International data transfers
Our systems and our subprocessors are based in the United States. For transfers out of the EU/EEA we rely on the European Commission's Standard Contractual Clauses. For transfers out of the UK we rely on the UK International Data Transfer Addendum. Where additional safeguards are required by guidance from the European Data Protection Board, we apply them.
8. Your rights
To exercise any of the rights below, email privacy@boardgameguru.org. We will verify the request (usually by replying to the email on your account) and respond within 30 days. If a request is complex and needs longer, we will tell you why.
If you are in the EU, UK, or Switzerland (GDPR / UK GDPR): access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right to lodge a complaint with your national data protection authority.
If you are in California (CCPA / CPRA): the right to know, access, delete, correct, and limit use of sensitive personal information; the right to non-discrimination for exercising these rights; the right to opt out of "sale" and "sharing" (we do neither). We honour the Global Privacy Control browser signal.
If you are in Quebec (Law 25): access, rectification, withdrawal of consent, data portability, de-indexing, and the right to be informed of automated decisions. The person in charge of personal information protection is Akash Awase, reachable at privacy@boardgameguru.org.
Everywhere else: we extend the same access, correction, and deletion rights as a matter of policy.
9. Children
The service is for users 13 and older. We do not knowingly collect personal information from anyone under 13. Full details are in our Children's Privacy Notice.
In EU member states with a higher digital-age-of-consent (14–16, depending on the country), users under that age should not create an account until we have deployed the appropriate parental-consent flow.
10. Cookies and similar technologies
Strictly necessary cookies keep you logged in. Analytics and session replay run only after you accept them in our cookie banner. Full details in our Cookie Policy. You can change your choice at any time via "Cookie preferences" in the footer.
11. Automated decision-making and AI
Our assistant uses large language models to generate answers from a prompt that includes the game's rules text and your conversation. Answers can be wrong. See our AI / Rules Accuracy Disclaimer.
We do not use these models, or any other automated process, to make decisions about you that produce legal effects or that significantly affect you. Your right under GDPR Art. 22 and Quebec Law 25 not to be subject to such decisions is not engaged.
12. Security
We use industry-standard measures to protect your data: TLS in transit, encryption at rest, Row Level Security on the database, principle of least privilege for administrative access, and API keys stored as environment variables.
No system is 100% secure. If we become aware of a personal-data breach, we will notify affected users and the relevant supervisory authority as required by applicable law (within 72 hours of becoming aware, where GDPR applies).
13. Changes to this policy
We will post any changes on this page and update the "Last updated" date. For material changes we will give reasonable advance notice — by email to your account address or a prominent in-app notice.
14. EU / UK Article 27 representative
We do not currently meet the threshold that requires us to appoint an Article 27 representative. We will appoint one and update this policy if and when we do.
Questions? privacy@boardgameguru.org.