MeepleQuest (“we”, “us”, “our”) is a board game companion app that helps you organise sessions, track your collection, and connect with fellow players. This policy explains what personal data we collect, why we collect it, and what rights you have over it. We’re committed to being transparent and to keeping your data safe.
We collect only the data necessary to operate the service:
Email address
Required to create your account and send authentication links. We use a magic-link flow via Resend; no password is ever stored.
Name
Optional. Used to display your identity to other players. If you sign in with Google, your Google display name may be pre-filled, but you can change or remove it at any time.
Game preferences
Your preferred player count, game style (cooperative vs. competitive), and preferred genres. Used exclusively to generate personalised game suggestions.
Game collection and session history
The games you add to your collection, when they were last played, and the game sessions you host or participate in — including dates, invited players, and scores.
Contacts
The other MeepleQuest users you add as contacts, and any “ghost contacts” you create for people who have not yet joined the app. Ghost contacts may include a name and an optional email address you provide.
Push notification subscription tokens
If you enable browser push notifications, your browser generates a subscription object (endpoint URL and encryption keys) that we store to deliver notifications to your device. These tokens are specific to your browser and device and do not identify you across other services.
BoardGameGeek username
If you connect your BGG account, we store your BGG username so we can fetch your collection and game data. We do not store your BGG password; OAuth tokens used for the connection are stored securely and are never exposed to the client.
We use your data solely to operate and improve MeepleQuest:
We do not sell your data, use it for advertising, or share it with any third party for marketing purposes.
For users in the European Economic Area and United Kingdom, we rely on the following legal bases:
Legitimate interests (Art. 6(1)(f) GDPR)
Core functionality of the service — storing your account details, game collection, session history, contacts, and preferences — is necessary to provide a service you have chosen to use. We have balanced these interests against your privacy rights and determined that the processing is proportionate.
Consent (Art. 6(1)(a) GDPR)
Push notification subscriptions are processed only when you explicitly grant browser notification permission. You can withdraw this consent at any time by disabling notifications in your browser settings or in the MeepleQuest preferences page, which will delete your subscription tokens from our servers.
Contract (Art. 6(1)(b) GDPR)
Processing your email address to send authentication links is strictly necessary to fulfil the contract of providing you with access to your account.
We use a small number of carefully chosen third-party services to operate MeepleQuest:
Google (OAuth sign-in)
If you choose “Continue with Google”, your browser is redirected to Google’s authentication service. Google provides us with your email address and display name. Google’s use of your data during sign-in is governed by the Google Privacy Policy.
Resend (transactional email)
Magic-link sign-in emails and any system notifications sent by email are delivered via Resend. Resend receives your email address for the purpose of sending these messages. No marketing email is sent. Resend’s privacy policy is available at resend.com/privacy.
Vercel (hosting and edge functions)
MeepleQuest is hosted on Vercel’s infrastructure. Vercel processes request logs (including IP addresses) as part of normal web hosting operations. Our database is also hosted in a Vercel-adjacent region. Vercel’s privacy policy is at vercel.com/legal/privacy-policy.
BoardGameGeek (game data)
Game metadata (titles, descriptions, images, categories, ratings) is sourced from the BoardGameGeek API. This is a read-only integration — we query BGG for game data only. We do not send any of your personal information to BGG except your BGG username if you choose to connect your BGG account, solely to fetch your collection.
MeepleQuest uses one cookie: a session cookie set by NextAuth.js to keep you signed in. This cookie is httpOnly (not accessible to JavaScript), Secure (only sent over HTTPS), and is deleted when you sign out or when it expires (30 days of inactivity by default). We do not use tracking cookies, advertising cookies, analytics cookies, or any other third-party cookies. There is no cookie consent banner because there is nothing to consent to.
Your data is kept for as long as your account is active. If you delete your account (via Preferences → Account), all data associated with your account — including your profile, game collection, session history, contacts, ghost contacts, and push subscription tokens — is permanently deleted within 30 days. Sessions that you hosted are also deleted at the time of account deletion. Transactional email logs retained by Resend are subject to Resend’s own retention policy.
You have the following rights over your personal data. For most of these, you can act directly within the app without contacting us:
Right of access
You can request a copy of all data we hold about you. Use the “Export my data” button in Preferences → Account to download a JSON file of your complete profile, collection, sessions, contacts, and notification settings immediately.
Right to rectification
You can correct your name and preferences at any time from the Preferences page and your profile settings.
Right to erasure (“right to be forgotten”)
You can permanently delete your account and all associated data from Preferences → Account → Delete my account. Deletion is irreversible.
Right to data portability
Use the “Export my data” button in Preferences → Account to download your data as a structured JSON file.
Right to object
If you believe we are processing your data in a way that is disproportionate or unjustified under our legitimate interests basis, please contact us at privacy@meeplequest.app and we will review your request.
Right to withdraw consent
Where processing is based on consent (push notifications), you can withdraw consent at any time in Preferences without affecting the lawfulness of processing before withdrawal.
If you are located in the EEA or UK and believe your rights have not been respected, you have the right to lodge a complaint with your local data protection authority.
All data is transmitted over HTTPS. Database credentials, API keys, and OAuth tokens are stored as environment variables and are never exposed in client-side code. Push notification encryption keys (p256dh) are stored but never sent back to clients. We conduct periodic reviews of our dependencies and infrastructure. No system is perfectly secure, and we encourage you to use a strong, unique email address and to sign out on shared devices.
MeepleQuest is not directed at children under the age of 13 (or 16 in the EEA where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us at privacy@meeplequest.app and we will delete the account promptly.
We may update this policy from time to time. When we do, we will update the “Last updated” date at the top. If the changes are material, we will notify you via email or an in-app notice before they take effect. Continued use of MeepleQuest after the effective date constitutes acceptance of the updated policy.
For any privacy-related questions, requests, or complaints, please email privacy@meeplequest.app. We aim to respond within 30 days.