1. What we collect
When you sign up
- Email address
- Username (chosen by you)
- Hashed password — Supabase Auth handles this. We never see or store your plaintext password.
When you play
- Scores, accuracy, time taken, streak data
- Which puzzles you've played and when
- Hashed IP address and device fingerprint — for anti-cheat. These are one-way hashes; we can match them to detect multi-account use but cannot reverse them to find your actual IP.
When you submit to Community
- The puzzle content you submit
- Your username, displayed publicly as the creator
When you contact us
- Your name, email address, and the message you send via our contact form (or by emailing us directly). Used only to respond to your enquiry.
When you verify your age or claim a prize
- Full legal name and date of birth
- Age & identity verification via Stripe Identity. Before you can withdraw a prize, we confirm you're 18 or older using Stripe Identity, which checks a government photo ID and a selfie. Stripe collects and stores that document on its own secure infrastructure — we receive only the verified result (such as "verified, 18+"), not the ID image itself.
- Payout details (PayPal email or Australian bank account). Depending on the claim, you may also provide a copy of government ID, which is stored privately and deleted after the legal retention period.
We never collect
- Credit card numbers — Stripe handles all card payments; we never see card data.
- Your contacts, location, calendar, or any data outside PuzzlePie
2. How we use it
We use your data for one of the following reasons:
- Run the service. Let you log in, save scores, and show leaderboards.
- Prevent cheating. Match hashed IPs and devices to spot multi-account use. Review session logs before paying prizes.
- Pay out prizes. Verify identity and process payment to winners. Comply with Australian AML/CTF Act requirements for payouts over thresholds.
- Communicate. Send transactional emails — password resets, prize claim notifications, security alerts. We do not send marketing email without your opt-in consent.
- Improve the product. Use aggregated, de-identified play data to fix bugs and design new puzzles. Individual play patterns are never published.
3. Who we share it with
We use the following service providers to operate PuzzlePie:
- Supabase — our database and authentication provider. Data is hosted in Supabase's South Asia region (Mumbai, India). Because this is outside Australia, we rely on Supabase's contractual data-protection commitments to ensure your information is handled in line with the Australian Privacy Principles (in particular APP 8 on cross-border disclosure). By using PuzzlePie, you consent to your information being stored in this region. We'll update this page if we change regions.
- Vercel — our web hosting platform. Sees request logs and performance metrics, not application data.
- Sentry — our error monitoring. Receives error stack traces, which may include your user ID when an error happens during your session.
- Stripe and/or PayPal — used to pay out cash prizes. They receive only the information needed to make a single payment to a winner.
- Stripe Identity — verifies your age and identity before a prize can be withdrawn. Stripe collects and stores the ID document and selfie on its own secure, compliant infrastructure; we receive only the verified result.
- Resend — delivers our transactional and contact-form emails. Receives the email address and message content needed to send the message.
- Google AdSense — serves ads to free (non-Premium) users. Google may set cookies to measure ad performance and cap repetition. We never share your account, scores, or verification data with Google or advertisers. See section 4.
We may also disclose data when required by Australian law (e.g. court orders, ATO requirements, AUSTRAC reporting for AML/CTF compliance). We will not voluntarily share your data with anyone else.
4. Cookies
We use one essential cookie — the Supabase auth cookie — to keep you signed in across page loads. Without it, you couldn't log in.
For free accounts, our advertising provider (Google AdSense) may set cookies to measure ad performance and limit how often you see the same ad. Premium subscribers get no advertising cookies at all. We don't use third-party analytics trackers. You can clear cookies at any time from your browser settings; you'll just need to sign in again next time.
Advertising
We show ads to free accounts to help fund the prize pool, served by Google AdSense. When ads are shown:
- Google may set its own cookies to measure ad performance and limit how often you see the same ad. You can manage ad personalisation at Google Ad Center.
- Premium subscribers never see ads, and no advertising cookies are set for them.
- We never place ads inside a live puzzle, and we never share your account details, scores, or verification information with advertisers.
5. How long we keep it
- Account info: while your account is open, plus 30 days after closure (for dispute resolution), then deleted.
- Hashed IP & device fingerprints: rolling 90 days from the last play.
- Score history: kept while your account is open. Aggregated/anonymised score data may be retained indefinitely.
- Prize claim records and KYC documents: 7 years from the date of payout. Australian tax law (PSAR/AUSTRAC) requires this for cash payments.
- Community puzzles you submitted: stay live while we operate PuzzlePie. You can request removal at any time (see section 6).
6. Your rights
Under the Australian Privacy Principles, you have the right to:
- Ask what personal information we hold about you
- Ask us to correct anything that's inaccurate
- Ask us to delete your account and personal data (subject to the retention requirements above for prize records)
- Complain to the Office of the Australian Information Commissioner if you believe we've mishandled your information
If you're in the EU or UK, you additionally have the rights under the GDPR / UK GDPR to:
- Access a portable copy of your data
- Restrict or object to certain processing
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email contact@puzzlepie.com.au. We'll respond within 30 days.
7. Children
PuzzlePie is for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe we hold data about a minor, email us and we will delete it.
8. Security
- All traffic to and from PuzzlePie is encrypted in transit via HTTPS.
- Passwords are hashed using bcrypt (handled by Supabase Auth) and are not recoverable, even by us.
- Personal data sits behind Postgres row-level security policies — users can only read and modify their own data.
- Age/identity verification is handled by Stripe Identity, which stores the ID document on its own infrastructure — we don't hold a copy. Any ID submitted directly with a prize claim is stored in a private bucket and deleted once verification is complete and the tax-retention period passes.
- We monitor for suspicious account activity. If we discover a data breach that's likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner as soon as practicable, as required under the Notifiable Data Breaches scheme.
9. Changes to this policy
We'll update the "Last updated" date at the top of this page whenever we change it. For material changes — anything that affects how we collect or use your data — we'll display a notice on the site for at least 14 days before the change takes effect.
10. Contact
For all privacy-related questions, requests, or complaints: contact@puzzlepie.com.au. We aim to respond within 5 business days.
See also our Terms of Service and Prize Rules.