← Arguably

Privacy Policy

Last updated: 4 April 2026 · Version 2026-04-04

1. Who We Are

Arguably is an independent, bootstrapped project operated by its creator (“we”, “us”, or “our”) at arguably.app. For purposes of the EU General Data Protection Regulation (GDPR) and UK GDPR, we are the data controller of your personal data. For purposes of India's Digital Personal Data Protection Act 2023 (DPDP Act), we are the Data Fiduciary. For purposes of the California Consumer Privacy Act (CCPA), we are the business. Contact us at privacy@arguably.app.

2. What Personal Data We Collect

We collect the following categories of data:

  • Account data: your email address; if you sign in with Google, your name, profile picture URL, and Google account ID.
  • Profile data: display name, username, and any profile fields you set after account creation.
  • Gameplay data: the messages you send during game sessions, character responses, turn-by-turn scores, session outcomes, grades, and XP earned.
  • Technical data: IP address, browser type and version, operating system, device type, screen dimensions, approximate timezone, and locale — collected automatically when you use the Service.
  • Auth & session data: login timestamps, OTP attempt records, token metadata, and session activity logs used for security and fraud prevention.
  • Consent records: a timestamped record of your acceptance of these policies, including the policy version, your IP address, and browser information.

3. How and Why We Use Your Data

We process your data for the following purposes and on the following legal bases:

  • To provide the Service (contract performance / DPDP consent): authenticate your account, run game sessions, compute scores, and maintain leaderboards.
  • To communicate with you (contract performance): send one-time login codes via email. We do not send marketing emails unless you explicitly opt in.
  • To improve the Service (legitimate interests): analyse anonymised, aggregated gameplay patterns to improve the AI engine, character designs, and scoring models. We do not use your identifiable data for AI training without separate consent.
  • Security and fraud prevention (legitimate interests / legal obligation): detect and prevent abuse, unauthorised access, and violations of our Terms of Service.
  • Legal compliance (legal obligation): retain records as required by applicable law, respond to lawful requests from public authorities.

4. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share data only with the following categories of recipients:

  • Anthropic, Inc. (USA): your in-game messages are sent to Anthropic's API to generate character responses and scores. Anthropic processes this data as a subprocessor under their API usage policy and privacy terms.
  • Neon, Inc. (USA): our database provider. All account, gameplay, and session data is stored on Neon's Postgres infrastructure.
  • Vercel, Inc. (USA): hosts our frontend application. May process request logs including IP addresses.
  • Railway Corp. (USA): hosts our backend API. Processes request logs including IP addresses.
  • Resend, Inc. (USA): delivers transactional emails (login codes). Receives your email address for this purpose.
  • Google LLC (USA): if you choose to sign in with Google, Google provides us with your profile data under their OAuth consent flow. Google's own privacy policy governs that interaction.
  • Legal authorities: we may disclose data where required by law, court order, or to protect the rights and safety of users or the public.

5. International Data Transfers

Arguably's infrastructure providers (listed above) are primarily located in the United States. If you are located in the European Economic Area, United Kingdom, Switzerland, India, or another jurisdiction with data transfer restrictions, your personal data is transferred internationally when processed by these providers. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards where required to legitimise such transfers. By using the Service, you acknowledge that your data will be processed outside your country of residence.

6. Cookies and Local Storage

We use a single HTTP-only, Secure, SameSite cookie to store your session refresh token. This cookie is never accessible to JavaScript and is used only to keep you logged in between visits. We do not use advertising cookies, third-party tracking cookies, or fingerprinting technologies. We do not use Google Analytics or similar analytics services. A small entry in localStorage is used temporarily to coordinate token refresh across browser tabs; it contains only a timestamp and is deleted immediately after use.

7. Data Retention

We retain your personal data for as long as your account is active. Security logs (auth events, OTP attempts) are retained for up to 12 months. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., for fraud prevention records, which may be retained for up to 7 years). Anonymised, aggregated gameplay statistics may be retained indefinitely as they no longer constitute personal data.

8. Your Rights

Depending on where you are located, you may have some or all of the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@arguably.app.

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure (“right to be forgotten”): request deletion of your personal data. We will action deletion requests within 30 days.
  • Portability: request your data in a structured, machine-readable format (applies to data processed on the basis of contract or consent).
  • Restriction: request that we restrict processing of your data in certain circumstances (e.g., while a complaint is under review).
  • Objection: object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Withdraw consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • California residents (CCPA/CPRA): you have the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information. We do not sell or share your personal information with third parties for their own marketing purposes.
  • India residents (DPDP Act 2023): you have the right to obtain information about processing, the right to correction and erasure, the right to grievance redressal, and the right to nominate a person to exercise rights on your behalf in the event of death or incapacity. Our Grievance Officer can be reached at privacy@arguably.app.
  • EU/UK residents (GDPR/UK GDPR): you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have infringed your rights.

We will respond to all verifiable rights requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

9. Children's Privacy

The Service is not directed at children under 13. In the EEA and UK, the Service is not directed at persons under 16 (or the applicable digital age of consent in your country). We do not knowingly collect personal data from children below the applicable age limit. If we become aware that we have collected data from a child below the applicable age, we will delete it promptly. If you believe a child has registered, please contact us at privacy@arguably.app.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include HTTP-only secure cookies, hashed refresh tokens, refresh token rotation, rate limiting, and encrypted connections (TLS). No method of transmission or storage is completely secure; we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the date at the top of this page and, for material changes, notify you by email or in-app notice. If changes affect how we use your personal data in a way that requires your consent (e.g., a new purpose), we will seek your fresh consent before making those changes take effect.

12. Contact & Complaints

For privacy enquiries, data subject requests, or to reach our Grievance Officer (India / DPDP Act), contact us at privacy@arguably.app. We aim to respond within 5 business days. EU and UK residents may also contact their local data protection authority if they are not satisfied with our response.

Terms of ServiceBack to game