Privacy Policy
Last updated: 2026-05-24.
1. Data controller
Archdle ("we", "us", "our") is a daily architecture-decision training game operated as a non-commercial personal project by Samuel Orlando, a natural person based in Italy. Samuel Orlando is the data controller ("titolare del trattamento") within the meaning of Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended by D.Lgs. 101/2018.
Because Archdle is operated by a natural person and processes a limited volume of personal data, no Data Protection Officer is required or appointed. For any privacy-related inquiry, please write to contact@archdle.it.
2. Personal data we collect
We collect personal data in two ways: data you provide directly, and data generated automatically by your use of the Service.
2.1 Data you provide
- Account data — when you create an account: your email address and a password (stored as a bcrypt hash by Supabase Auth — we never see the plaintext). Optionally, on the profile page: a display name, first name, last name, profession, and country.
- Feedback — any thumbs-up/thumbs-down rating, tags, free-text comments, or proposed alternative solutions you submit after a puzzle.
- Newsletter subscription — your email address and explicit consent timestamp if you opt in to the daily-reminder mailing list.
2.2 Data generated automatically
- Gameplay data — for each daily game: category, start time, end time, number of attempts, hints used, score, and status (solved / failed). For authenticated users this data is linked to your account. For guest players it is stored as an anonymous aggregate row with no identifier.
- Technical data — your IP address and user-agent string, collected transiently for rate limiting and, in the case of administrator actions, for audit logging.
3. Legal basis (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) — account data and gameplay data are processed to provide the Service you requested when you registered.
- Legitimate interest (Art. 6(1)(f)) — IP address and user-agent data are processed to prevent abuse, enforce rate limits, and maintain the security of the Service. Our legitimate interest in operating a secure service is balanced against your privacy interests; we do not retain IP addresses beyond what is strictly necessary for these purposes.
- Consent (Art. 6(1)(a)) — the newsletter subscription is processed solely on the basis of your explicit opt-in. You may withdraw your consent at any time by clicking the unsubscribe link in any email we send you.
4. How we use your data
- To authenticate you and maintain your session.
- To record and display your daily puzzle results, streak, and leaderboard ranking.
- To generate your personal dashboard and performance statistics.
- To send the daily-reminder email, if you opted in.
- To produce aggregate, anonymous analytics that help us improve the Service.
- To prevent abuse and enforce the rate limits described in our Terms of Service.
- To maintain audit logs of administrator actions for accountability.
5. Data processors and third-party services
We use the following sub-processors. Each acts under a data-processing agreement with us and may not use your data for purposes beyond those described below.
- Supabase (Supabase, Inc.) — database, authentication, and storage. Your account data, gameplay records, and feedback are stored on Supabase infrastructure. Privacy policy: supabase.com/privacy.
- Vercel (Vercel Inc.) — front-end hosting and serverless functions. Vercel processes your IP address and request headers to route and serve each page load. Privacy policy: vercel.com/legal/privacy-policy.
- Resend (Resend Inc.) — transactional email delivery. Your email address is passed to Resend only when we send you a message (account confirmation, daily reminder). Privacy policy: resend.com/legal/privacy-policy.
- Cloudflare Turnstile (Cloudflare, Inc.) — bot-detection challenge shown on the sign-up form. Cloudflare may process your IP address and browser signals to determine whether you are human. Privacy policy: cloudflare.com/privacypolicy.
We do not sell, rent, or share your personal data with any other third party, and we do not use your data for advertising or profiling.
6. International transfers
We aim to store all data within the European Economic Area. Supabase and Vercel both offer EU-region deployments and Archdle uses them. Should we ever need to transfer data outside the EEA — for example because a sub-processor has no EU option — we will rely on Standard Contractual Clauses (SCCs) approved by the European Commission, update this page, and notify registered users by email before the transfer takes place.
7. Retention
- Account and gameplay data — retained for as long as your account exists. You can export all your data or permanently delete your account at any time from your profile page. Account deletion is irreversible and cascades to your game sessions, attempts, and feedback.
- Newsletter subscriptions — retained until you unsubscribe. Unsubscribing removes your email from the active list immediately; residual log entries are purged within 30 days.
- Administrator audit logs — retained for 12 months, then automatically deleted.
- IP addresses in rate-limit counters — held in memory and expire within 1–60 minutes (sliding window). They are not persisted to disk.
- Guest gameplay rows — anonymous aggregate rows (no identifier) retained indefinitely for statistical purposes.
8. Your rights under GDPR
As a data subject you have the following rights. We will respond to all requests within 30 days as required by Art. 12 GDPR.
- Right of access (Art. 15) — you can download a full copy of your data using the "Export your data" button on your profile page.
- Right to rectification (Art. 16) — you can correct inaccurate profile fields directly on the profile page. For other corrections, write to us.
- Right to erasure (Art. 17) — you can delete your account and all associated data permanently from the profile page. For partial erasure requests, write to us.
- Right to restriction of processing (Art. 18) — write to us.
- Right to data portability (Art. 20) — the export function on your profile page provides your data in JSON format, which is machine-readable and transferable.
- Right to object (Art. 21) — you may object to processing based on legitimate interest. Write to us explaining your situation and we will assess it.
- Right to withdraw consent — for newsletter emails, use the unsubscribe link in any email. For other consent-based processing, write to us.
- Right to lodge a complaint — you may file a complaint with your national supervisory authority. In Italy: Garante per la protezione dei dati personali. If you reside in another EU/EEA country, with your national DPA.
To exercise any right other than those available directly on the platform, contact us at contact@archdle.it. We may need to verify your identity before acting on the request.
9. Changes to this policy
We will update this page whenever our data practices change and bump the "Last updated" date at the top. For material changes — changes that affect the purposes for which we process your data, the categories of data collected, or your rights — we will notify registered users by email at least 15 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
10. Contact
For any privacy-related question, request, or complaint, write to contact@archdle.it. We aim to respond within 72 hours and are required by law to respond within 30 days.