Privacy and cookies
Privacy & Data Information
Data Collection
We collect only what's necessary to provide the CardScores service:
- Account information
When you sign in via OAuth providers (GitHub, Google, Discord, Twitch, Pocket ID, or Homey), we collect your display name, profile photo, and OAuth authentication tokens. Your email address is immediately and securely hashed (using SHA-256) upon sign-in; the plaintext email is never stored in our database, displayed, or shared.
- Gameplay and group statistics
All game rounds, scores, group memberships, join requests/invitations, and calculated Elo ratings (both global and per-group).
- Feedback submissions
Feedback form submissions. To help improve the service, your feedback is also stored as a GitHub issue associated with your username and user ID only; these issues are not automatically deleted when you delete your account.
- Essential cookies
Session cookies for authentication and preference cookies (like your selected theme and privacy notice acknowledgment).
Data Storage & Privacy
All data is stored in a secure database environment hosted in Norway. This ensures that your information is protected under the high privacy standards and legal requirements of Norwegian and European law (GDPR).
Data Retention
- Account and profile data: Retained for as long as your account is active. Upon deletion, your profile is immediately and completely anonymized, and associated OAuth session tokens are deleted.
- Gameplay history: Retained indefinitely in anonymized form after account deletion to preserve historical leaderboards, group statistics, and Elo calculations for other players.
- Feedback submissions: Retained indefinitely in our database and mirrored as development issues on GitHub (using only your username and user ID) for product tracking; these are not automatically deleted upon account deletion.
Cookies We Use
CardScores uses only essential cookies:
- Authentication cookies: Session tokens managed by Auth.js to keep you signed in (essential for the service).
- Privacy notice version: Tracks which privacy notice version you've acknowledged (expires after 365 days).
- Install prompt state: Remembers if you've dismissed the PWA installation prompt (expires after 30 days).
- Theme preference: Stores your dark/light mode preference for a better user experience.
All cookies are first-party cookies from CardScores itself. We do not use any third-party tracking cookies.
OAuth Providers
When you sign in using an OAuth provider, you're directly authenticating with that provider (GitHub, Google, Discord, Twitch, Pocket ID, or Homey). They may collect data according to their own privacy policies. CardScores receives only the information necessary for authentication: your display name, profile photo, and your email (which we immediately hash and do not store in plaintext).
Your OAuth access tokens are stored in our database to maintain your authentication session and allow re-authentication. You can disconnect any OAuth provider at any time from your Account Settings, as long as you maintain at least one connected sign-in method.
Account Deletion
You have the right to delete your account at any time from your Account Settings page.
What happens when you delete your account:
- Your account is immediately signed out.
- All connected OAuth providers are disconnected.
- Your profile is anonymized: name becomes a deleted-user placeholder and email is replaced with a deleted.local placeholder address.
- Your profile photo is removed.
- Your sessions are deleted.
- Your game history is retained (anonymized) to preserve the integrity of historical game scores and statistics for other players in your groups.
We retain anonymized game history because card games are inherently social activities where your past participation affects other players' statistics. Removing this data would corrupt historical leaderboards and Elo calculations.
Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right to access: You can view your data at any time (including your feedback history mirrored in the feedback page) and download a complete copy of your information from your Account Settings.
- Right to rectification: You can update your display name and profile photo from your account settings.
- Right to erasure: You can delete your account at any time (with anonymization as described above).
- Right to data portability: You can download a structured JSON archive of your profile, linked auth providers, game history, group memberships, join requests, invitations, and notifications from the Account Settings section (Data & Privacy) of your account.
- Right to restriction of processing: You can contact the system administrator to request that processing of your data be restricted while any dispute is being resolved.
- Right to object: You can object to processing based on legitimate interests by contacting the system administrator.
- Right to withdraw consent: You can disconnect OAuth providers or delete your account at any time.
- Right to lodge a complaint: If you believe your data is being handled unlawfully, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).
Public Groups
When you create a public group or join one, your display name and profile photo are visible to other members of that group. Game scores within groups are visible to all group members. This is necessary for the social nature of the service.
Changes to This Privacy Information
If we make significant changes to what data we collect or how we use it, we will update this page and notify you through the application with an updated privacy notice banner.
Last updated: June 8, 2026
Questions or Concerns
If you have questions about your privacy or data, or if you wish to exercise any of your GDPR rights, please contact the system administrator.
Legal Basis
We process your personal data on the following legal bases under GDPR Article 6:
- Article 6(1)(a): Consent for feedback and profile customization.
- Article 6(1)(b): Contractual necessity for providing the scorekeeping service.
- Article 6(1)(f): Legitimate interest for security and system maintenance.