1. Who we are
What's the Sound? ("WTS") is a web game maintained by the project team. This policy describes how we handle your data in compliance with the Brazilian General Data Protection Law (LGPD — Law 13.709/2018).
2. Data we collect
When you create an account via OAuth (Google or Discord): email, public name, public avatar, and a unique provider identifier.
While you play: nickname, typed guesses, score, XP, level, Daily Sound streak, match history, and Daily results.
Technical data: session cookie (managed by Supabase Auth), server-side IP in logs, browser user agent for abuse detection.
Guest mode (no account): we store only a temporary identifier on your device (localStorage) and the nickname you provided. No personal data is collected or sent to our servers beyond what is required for gameplay during a match.
3. How we use data
- display your public profile (nickname, avatar, XP, level, statistics);
- enable multiplayer (real-time sync via Socket.io);
- generate global and personalized rankings;
- compute and persist the Daily Sound streak;
- detect and mitigate spam, cheating, or abusive use;
- communicate terms or policy changes (by email, accounts only).
4. Sharing with third parties
We do not sell, rent, or transfer your data to third parties. We use the following operators strictly as technical processors:
- Supabase (authentication, database, and storage): hosts our data in the South America (São Paulo) region when available.
- Google / Discord: solely as OAuth providers at login time.
- Vercel and Railway: frontend and backend hosting respectively. Technical logs reside on these platforms.
5. Your rights (LGPD)
To exercise any right, email guiponsoni@gmail.com. We respond within 15 calendar days; complete deletions are finished within 30 days.
You have the right to:
- confirm that we process your data;
- access your data;
- correct incomplete or outdated data;
- anonymize or delete unnecessary data;
- portability to another provider;
- revoke consents and request complete deletion of the account.
6. Data retention
We keep your data while the account exists. After a deletion request, we remove the data within 30 days, except where there is a legal obligation to retain (e.g., security logs for a legally defined term).
7. Cookies and telemetry
We use only strictly necessary cookies (Supabase Auth session and the `NEXT_LOCALE` language preference). We do not use advertising tracking cookies or third-party analytics in the MVP.
8. Security
We apply reasonable security controls: enforced HTTPS, Row Level Security on the database, rate limiting, server-side input validation, and structured logging for audit. No system is 100% secure; report suspected incidents to guiponsoni@gmail.com.
9. Changes to this policy
Significant updates will be communicated by email (accounts only) and highlighted on the site. The "Last updated" field indicates when this version took effect.
10. Data officer and contact
Contact for any matter related to personal data: guiponsoni@gmail.com.