Privacy policy

Last Updated: Apr 30, 2026

1. Data controller

The data controller for Galaxy Brainer is: Patryk Szymula, located in Cracow, Poland. You can contact us regarding any privacy concerns or to exercise your data rights at: contact@galaxybrainer.com.

2. What data we collect

We collect only the minimum data necessary to provide our brain training services:

  • Identity & Account: Email address, nickname, and authentication credentials handled by Supabase Auth, including password hashes for password-based accounts. Providing your email address is necessary to create an account. Failure to provide this data will prevent us from offering the service.
  • Game Progress: Scores, reaction times, training history, cognitive stats, ranked-session verification records, and score-validation metadata used to protect fair play.
  • Technical Data: IP address, browser type, device information, basic request metadata, anti-abuse verification signals, error diagnostics, and aggregated performance metrics. This data is used solely for security, debugging, reliability, bot prevention, and performance optimization purposes.
  • Third-Party Auth: If using Google Login, we receive your email and public profile ID provided by Google.

3. Legal bases for processing (GDPR)

We process your data under the following legal grounds according to Art. 6 GDPR:

  • Performance of a Contract: To create your account, manage your profile, facilitate authentication, and store your game results.
  • Legitimate Interest: To ensure the security of our application, prevent fraud and abuse, diagnose technical errors, and analyze usage patterns. We also rely on legitimate interest (Art. 6(1)(f) GDPR) to maintain anonymized game statistics after account deletion to ensure the integrity of global leaderboards.
  • Consent: For optional features and functional settings.

4. Third-party services & data transfers

We use trusted infrastructure providers to run our application:

  • Supabase (PostgreSQL & Auth): Data storage and authentication.
  • Vercel: Hosting the application frontend.
  • Vercel Analytics: Privacy-focused usage analytics to understand aggregated traffic and product usage patterns.
  • Vercel Speed Insights: Real-user performance monitoring (Web Vitals and related telemetry) used to improve loading and runtime stability.
  • Sentry (Functional Software, Inc.): Technical error monitoring and application security. Sentry helps us detect and diagnose software errors. We configure Sentry not to collect user email addresses, nicknames, cookies, or IP addresses, and we use data scrubbing to reduce personal data in error reports.
  • Cloudflare: DNS, security services, and Turnstile bot protection on authentication and password reset forms.

Google Login: Google acts as an independent data controller for the authentication process in accordance with its own privacy policy.

International Data Transfers: We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs). Furthermore, we rely on the EU-U.S. Data Privacy Framework for transfers to certified providers to ensure an adequate level of protection outside the EEA. Where available, we select EU data regions for service data, including Supabase in Frankfurt and Sentry in its EU region.

5. Data retention & deletion

Your personal identifiers are kept as long as your account is active.

  • Account Deletion: Processed immediately and irreversibly via profile settings. Your account identity, email, authentication credentials, profile, and nickname are permanently removed.
  • Anonymization: Game results may remain for leaderboard integrity, but they are stripped of your user identifier and displayed without your nickname, such as under a generic "Former Traveler" label.
  • Technical Logs: Logs containing IP addresses are retained only as long as necessary for security, debugging, and reliability, according to our infrastructure providers' retention settings, and are deleted or anonymized where available.
  • Error Monitoring: Sentry error events are retained according to our Sentry project retention settings. We configure Sentry to avoid storing user identifiers, cookies, and IP addresses in error reports.

6. Your privacy rights

Under GDPR, you have the right to access, rectify, or erase your data. You also have the right to:

  • Withdraw Consent: At any time if processing is based on consent.
  • Data Portability: You can receive your data in a machine-readable format via the "Export My Data" button in your profile settings or by contacting us.
  • Lodge a Complaint: You have the right to complain to your local Data Protection Authority (in Poland: Prezes Urzedu Ochrony Danych Osobowych - PUODO).

7. Automated decision-making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects users within the meaning of Art. 22 GDPR.

8. Children's privacy

Galaxy Brainer is not intended for children under the age of 13 (or 16 in certain EU jurisdictions). We do not knowingly collect personal data from children.

9. Cookies

We use only cookies that are necessary to provide the service you request and to keep your account session secure. We do not use advertising cookies and we do not use third-party tracking cookies.

  • Strictly Necessary (Authentication/Security): Session and authentication cookies used by Supabase Auth to keep you signed in, validate requests, and protect account actions.
  • Strictly Necessary (Bot Protection): Cloudflare Turnstile may process browser and challenge signals, and may use strictly necessary security mechanisms, to distinguish real users from automated abuse on protected forms.
  • Functional: Optional settings related to application behavior and interface preferences.
  • Retention: Some cookies are session-only and expire when you close the browser; others may persist for a limited period required for secure login continuity.
  • Legal Basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (security/legitimate interest). For strictly necessary cookies, consent is not required under applicable EU/Polish ePrivacy rules.

Infrastructure providers involved in cookie-backed authentication and security include Supabase (Auth/database, EU region: Frankfurt), Vercel (hosting), Cloudflare (security, DNS, and Turnstile), and Sentry (technical error monitoring configured without cookies).

Analytics and monitoring note: Vercel Analytics and Vercel Speed Insights are configured as privacy-focused measurement tools. Sentry is used only for technical error monitoring. These tools are not used for advertising profiling, and they are not intended to set tracking or marketing cookies.

You can control or delete cookies in your browser settings, but disabling strictly necessary cookies may prevent login and core app features from working correctly.

10. Contact

For any privacy requests or to exercise your rights, please contact: contact@galaxybrainer.com.