The deal on your data.

This privacy policy is a starting draft. Before launching publicly, have a qualified attorney review and customize this to your specific data practices. We are not lawyers.

What we collect.

Information you give us

• Email address (required to create an account).
• Username (required, public to other players on leaderboards).
• Display name (optional, replaces username on leaderboards if set).
• Age or age range, if you provide it. We use this to gate under-13 features and to ask for parental consent when required.
• Daily goal preference (the XP target you set for yourself).
• Friends you connect with inside the app.
• Anything you write into a support ticket or feedback form.

Information collected automatically

• Practice activity: which questions you answered, whether you got them right, how long you took, and what XP that earned you.
• Progression state: your current streak, XP total, league tier, and belts earned.
• Timezone, so streaks reset at midnight in your local time and not somewhere in the Atlantic.
• Basic device info (operating system, app version) needed to make the app run.
• Crash and error logs (planned, via Sentry) so we can fix things when they break.

What we don't collect

• Your location (no GPS, no IP geolocation beyond what's needed to set a default timezone).
• Your phone number.
• Your contacts, photos, microphone, or camera.
• Payment information — there's no paid tier yet, so we don't handle cards at all.
• Advertising identifiers. We don't run ads.

How we use it.

We use your data for three things, and three things only:

• Run the app. Save your progress, score your answers, rank you in weekly leagues, award belts, hand out XP, and surface review questions for anything you missed.
• Improve the app.We look at aggregate, de-identified stats — which questions are too hard, which lessons get skipped, which features people actually use — and use that to make the content better. We do not analyze individual student data outside of what's needed to power features for that student.
• Communicate when we need to.Account-related emails (password resets, important policy changes). Push notifications about your streak or weekly league, if you've opted in. Nothing else.

Kids under 13.

Octagon is built for students, and some of those students are middle-schoolers. We take the Children's Online Privacy Protection Act (COPPA) seriously, which means a few things change when a user is under 13:

• Verifiable parental consent is required. During sign-up, if a user indicates they are under 13, we pause account creation and require a parent or guardian to provide consent through a verified flow (email confirmation plus a follow-up verification step) before the account becomes active.
• Reduced data collection.For under-13 accounts we don't collect optional fields, we don't enable friend-finding by email, and we strip personal info from any aggregate analytics.
• No behavioral advertising. Ever.We don't run ads in Octagon at all, and we will never serve targeted advertising to a child.
• No third-party trackers.Under-13 accounts are excluded from any third-party analytics or telemetry beyond what's strictly necessary to operate the service.
• Parental review and deletion. Parents and guardians can review what data we have on their child, request corrections, or delete the account entirely by emailing privacy@playoctagon.com from the email used to grant consent. We respond within 7 days and complete deletion within 30.

If we ever learn we've collected personal information from a child under 13 without proper parental consent, we delete it immediately.

Who we share with.

We do not sell your data.Not to advertisers, not to data brokers, not to AI training companies, not to anyone. We don't even barter it — there is no deal in which someone hands us money or services in exchange for access to user data.

We do work with a small set of subprocessors who handle pieces of our infrastructure on our behalf. Each only sees what they need to do their specific job, and each is contractually bound to protect it:

• Supabase — stores our Postgres database and handles authentication. Hosted on AWS in the US-East-2 region.
• Apple Push Notification Service and Google Firebase Cloud Messaging (planned) — deliver push notifications when implemented. They receive a device token and the notification payload, nothing more.
• Sentry (planned) — receives crash and error logs so we can debug issues. We scrub personal info from those logs before they leave the device.

If we ever add another subprocessor, we'll update this list before it goes live. We'll only ever share data with law enforcement if we're legally required to, and we'll push back on requests that look overbroad.

How long we keep it.

We keep your data for as long as your account is active. If you delete your account, all associated personal data is wiped from our systems within 30 days — including from backups, which roll over on that schedule.

One narrow exception: fully de-identified, aggregate analytics (e.g. "72% of users got question X correct") may be retained indefinitely, because at that point the data can no longer be tied back to you.

Your rights.

You have the right to do the following with the data we hold about you. Most of these are one tap away inside the app. Anything you can't do in-app, email us and we'll handle it within 30 days.

• Access. Ask for a copy of the data we hold on you.
• Correction. Fix anything that's wrong (most fields are editable in Settings).
• Deletion. Delete your account, which deletes your data — fully, within 30 days.
• Export. Request a machine-readable export of your account data and practice history.
• Restriction. Ask us to pause certain processing while a dispute is being resolved.
• Objection. Object to specific kinds of processing on legitimate-interest grounds.

Email privacy@playoctagon.com from the address on your account to exercise any of these rights.

For users in the EU / UK (GDPR).

If you're in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (and its UK equivalent) gives you specific rights.

Legal basis for processing

• Performance of a contract. Most of what we do — running your account, saving your progress, ranking leagues — is necessary to deliver the service you signed up for.
• Consent. Anything optional (push notifications, marketing emails if we ever send them, parental consent flows for kids under 13) requires explicit consent you can withdraw at any time.
• Legitimate interest.Security monitoring, fraud prevention, and de-identified product analytics — limited to what's genuinely necessary to keep the service safe and improving.

Your additional rights

On top of the rights listed in Section 6, you have the right to lodge a complaint with your local data protection authority if you believe we've mishandled your data. We'd rather you tell us first so we can fix it — email privacy@playoctagon.com — but the right exists either way.

Data is transferred to and stored in the United States. Where required, we rely on the EU Standard Contractual Clauses to cover that transfer.

For California users (CCPA / CPRA).

California residents have the right to know what personal information we collect, to access it, to delete it, to correct it, and to opt out of any "sale" or "sharing" of personal information.

We do not sell or share personal information as those terms are defined under the CCPA and CPRA. There is no opt-out to provide because there is nothing to opt out of. We will not discriminate against you for exercising any privacy right.

To exercise California-specific rights, email privacy@playoctagon.com and mention "California request" in the subject line. We'll verify your identity through the email on your account and respond within 45 days.

How we keep it safe.

No service is perfectly secure, but we follow standard practices:

• Encryption in transit. All traffic between your device and our servers uses TLS.
• Encryption at rest. Our database is encrypted at the storage layer by our infrastructure provider.
• Row-level security.Our database uses Postgres row-level security (RLS), which means one user's session literally cannot read another user's rows, even at the query level.
• Scoped service keys.Server-only operations use short-lived, scoped service keys. We don't ship admin keys to the app.
• Server-side answer validation.Practice answers are validated on the server in edge functions — clients can't see correct answers ahead of time, which also means league standings stay legitimate.

If we ever experience a data breach that affects your information, we'll notify affected users without undue delay, in line with applicable law.

Changes to this policy.

We'll update this page as Octagon evolves. If we make a material change — meaning something that meaningfully affects what we collect, how we use it, or who we share it with — we'll notify you in the app or by email before the change takes effect. The "last updated" date at the top will always reflect the current version.