Privacy Policy

Effective date: May 10, 2026 · Last updated: June 16, 2026

GameWeave is operated by Boris Rayskiy ("we", "us"). This policy explains what information the GameWeave Android app and its server collect, how that information is used, and the choices you have about it.

1. Who can use GameWeave

GameWeave is intended for users 18 years of age or older. The app includes multiplayer card games, including Blackjack, Poker, Durak, Hearts, and Spades. Blackjack and Poker include simulated casino-style gameplay using virtual chips, and the app has been rated 18+ by IARC, PEGI, and several other regional rating boards.

We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has registered an account, contact us at the address below and we will delete the account.

2. Information we collect

We collect only the information we need to operate, secure, and improve the Service.

2.1 Information you give us

• Email address. Required to create an account, sign in, verify your email address, and reset a forgotten password. Stored on our server as the unique account identifier. We send a verification email to confirm the address; an unverified email can sign in and play but cannot make in-app purchases until verified.
• Password. Stored only as a one-way bcrypt hash. We never store, log, or transmit your plaintext password after the moment you submit it for sign-in, sign-up, or password reset.
• Display name. A name shown to other players at a game table. You provide this during sign-up and can change it from the Profile screen. If you leave it blank, the service may create a default display name from the part of your email address before the @ symbol, so choose a display name that does not reveal information you want to keep private.
• Avatar image. Optional. If you upload an avatar, the image is stored in Google Cloud Storage and the URL pointing to it is associated with your account. Avatars are intended to be visible to other players. You can remove or replace your avatar from the Profile screen.

2.2 Information generated by play

• Game and table activity. While you are connected to a table, the server processes the game ID, table ID, seat, moves, bids, bets, scores, hands, and other state needed to run the game and show the same table to all connected players. Active table state is used to operate the game session.
• Per-game statistics. For each finished game, we store the game ID, table ID, outcome (won / lost / drawn), and timestamp. These power the stats summary on your Profile screen and may be used in aggregate to improve the Service.
• Wallet and chip ledger. We store your virtual-chip balance and ledger entries for purchases, welcome bonuses, entry fees, bets, payouts, bot-rental fees, refunds, fraud adjustments, and other balance corrections.
• Purchase records. For Google Play Billing purchases, we receive and store the product ID, purchase token, order ID when provided, validation result, credited amount, and refund or reversal status. We do not receive your payment-card number or full payment account details.

2.3 Information collected automatically

• Install identifier. When you first launch the app, GameWeave generates a random identifier and stores it locally on the device. This identifier is sent with diagnostic events to help us correlate events from the same install. It is not linked to your phone's advertising ID, IMEI, or any device fingerprint.
• Diagnostic and analytics events. The app emits events such as app start / stop, WebSocket connect / disconnect, table creation / join / leave, round start / end, non-gameplay UI clicks and selections, purchase flow status, and errors. Events may include the install identifier, session ID, user ID if signed in, app version, platform, build variant, game ID, table ID, short reason codes, error messages, and stack traces. They do not include passwords, payment-card details, raw form values, private messages, or the contents of your hand.
• Network metadata and server logs. Our server logs may include your IP address, request path, response status, request timing, authentication result, and operational error details.

3. How we use your information

• Operate the Service. Create and authenticate accounts, route real-time game traffic, run tables, render the lobby and profile, maintain chip balances, process purchase credits, and send email-verification and password-reset messages.
• Secure the Service. Detect abuse, debug errors, prevent fraud, validate Google Play Billing receipts, enforce these Terms, and protect users and our systems.
• Improve the Service. Diagnose crashes, measure connection reliability, understand which games and flows are used, and prioritize fixes.
• Communicate with you. Respond to support, privacy, account-deletion, and data-export requests. We do not send marketing email.
• Comply with law. Keep records needed for tax, accounting, fraud-prevention, dispute, and legal-process obligations.

We do not sell your personal information. We do not show ads in the app. We do not use your personal information for cross-context behavioral advertising.

4. Legal bases for EU / UK users

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

• Contract. To create your account, authenticate you, operate game tables, maintain your wallet, process purchases, and provide requested app features.
• Legitimate interests. To secure the Service, prevent fraud and abuse, debug errors, measure reliability, improve the product, and keep basic operational records. We balance these interests against your privacy rights.
• Legal obligation. To retain and disclose information when required for tax, accounting, consumer-protection, law-enforcement, or other legal obligations.
• Consent. Where we ask for consent for an optional feature or permission, you may withdraw it through the app, your device settings, or by contacting us. Withdrawal does not affect processing that happened before withdrawal.
• No automated decision-making. We do not use automated decision-making or profiling that produces legal or similarly significant effects about you.

5. How we share your information

We share information only as needed to operate, secure, and support the Service:

• Google Cloud Platform — hosts our server, database, Cloud Logging, telemetry storage when configured, and avatar image storage. Subject to Google Cloud's privacy and security commitments.
• Google Play / Google Play Billing — handles in-app purchases of virtual chip packs. Google processes payment details under Google's own policies. GameWeave receives purchase identifiers and validation/refund information needed to credit, consume, audit, and reverse purchases.
• SendGrid (Twilio) — our transactional email provider. To deliver account-verification and password-reset emails, SendGrid receives your email address and the message content needed to send them. SendGrid processes this data on our behalf as a service provider. For other support and privacy requests we use ordinary email handling.
• Legal and safety recipients. We may disclose information if required by law, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, users, or systems.
• Business transfers. If GameWeave is involved in a merger, acquisition, reorganization, or asset sale, user information may be transferred as part of that transaction, subject to this policy or a replacement policy disclosed to you.

6. How long we keep your information

• Account data (email, password hash, display name, avatar URL) — retained until you request account deletion, unless a longer period is required for legal, security, or fraud-prevention reasons.
• Avatar images — retained until you remove or replace the avatar or request account deletion. Superseded avatar files may remain in storage backups or object history for a limited period before deletion.
• Per-game statistics — retained until you request account deletion.
• Wallet, purchase, refund, and ledger records — retained while your account is active and may be retained after deletion where needed for tax, accounting, fraud prevention, chargeback, dispute, or legal compliance.
• Diagnostic events — retained for up to 90 days unless retained longer in aggregated, de-identified, security, or legal records.
• Server logs — retained according to Google Cloud logging settings, currently expected to be about 30 days unless a longer retention period is configured for security or legal reasons.
• Backups — deleted on the normal backup rotation schedule. We do not use backups to restore deleted accounts except where needed for security, disaster recovery, or legal compliance.

7. Your choices and rights

• Edit your profile. You can change your display name and avatar from the Profile screen.
• Delete your account. You can request deletion using the public account-deletion instructions at https://brayskiy.github.io/gameweave-legal/delete-account.html or by emailing us at the address below. We will delete or de-identify your account, profile, avatar image, and per-game statistics within 30 days after we verify the request, subject to records we must retain for legal, accounting, tax, security, fraud-prevention, or dispute reasons.
• Export your data. Email us and we will send you a JSON export of the data tied to your account within 30 days after verifying the request.
• Authorized agents. You may submit a deletion, export, or other privacy-rights request through an authorized agent who provides written proof of authorization; we may still ask you to verify your identity directly before we act on the request.
• Sign out. You can sign out of the app at any time from the menu. Sign-out invalidates the refresh token; later sessions require a fresh sign-in.
• Device controls. You can use Android settings to manage app permissions, clear local app storage, or uninstall the app. Clearing local storage or uninstalling the app does not delete server-side account data.

If you are in the European Union, the United Kingdom, California, or another jurisdiction with privacy rights, you may have rights to access, correct, delete, port, restrict, or object to certain processing of your personal information. You may also have the right to appeal or lodge a complaint with a supervisory authority. To exercise these rights, contact us using the details below.

California residents: we do not sell or share personal information as those terms are commonly used for cross-context behavioral advertising, and we do not use sensitive personal information to infer characteristics. California residents also have the right not to receive discriminatory treatment for exercising their privacy rights; we do not deny the Service, charge different prices, or provide a different level or quality of service because you exercised a privacy right.

8. Security

Passwords are hashed with bcrypt before storage. In production builds, all traffic between the app and our server is encrypted in transit (HTTPS for requests, WSS for WebSocket connections); development and debug builds may connect to a local or custom server over an unencrypted connection. Authentication tokens and the local install identifier are stored in app-private storage and are excluded from Android's automatic cloud backup and device-to-device transfer, so they are not copied to backup servers or restored onto another device — after reinstalling or restoring the app you must sign in again. Access to production infrastructure is limited to operational needs. Avatar uploads are checked for valid image content before being stored.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you within the timeframes required by applicable law.

9. International transfers

Our server runs in us-central1 (Iowa, USA). If you access the app from outside the United States, your information will be transferred to and processed in the United States.

Where EU, UK, or other international-transfer rules apply, we rely on lawful transfer mechanisms such as contractual commitments from service providers, standard contractual clauses, adequacy decisions, or other safeguards available under applicable law.

10. Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, also notify you within the app or by email where practical. Continued use after the change means you accept the updated policy.

11. Contact

Questions, account deletion requests, data export requests, and privacy rights requests:

• Data controller: Boris Rayskiy (United States). A postal address for formal legal notices is available on request to the email below.
• Email: brayskiy@gmail.com

We will respond within 30 days unless applicable law allows or requires a different response period.