Privacy Policy
Effective date: 2025-09-23
This Privacy Policy describes how Convoke ("we", "us", "our") collects, uses, discloses, and protects information when you use convoke.gg and related services (the "Service"). We comply with applicable privacy laws, including Quebec Law 25, Canada's PIPEDA, the EU/UK GDPR, and the California CCPA/CPRA, where relevant. Your use of the Service is also subject to our Terms of Use.
1) Who We Are (Controller) & How to Contact Us
Controller: Convoke (Data Controller)
Address: Montreal, QC, Canada
Contact: viviann.k.c@gmail.com
2) What We Collect
- Account & Profile Data: email, username/display name, and preferences you choose to set.
 - Identity & Auth Data (Auth0): We use Auth0 as our identity provider to create and manage your account, store authentication data (e.g., email, OAuth profile basics), and issue tokens for secure access.
 - Usage & Device Data: pages/screens viewed, feature usage (e.g., card-recognition toggles), error/crash logs, diagnostic events, IP address (for security/approximate location), device/browser, OS, and language.
 - Community Content: chat messages, room names, decklists, avatar images, and other content you submit.
 - Payment Metadata: handled by our payment provider (e.g., transaction IDs, timestamps). We do not store full card numbers.
 - Support Communications: messages you send to us (email/forms) and related metadata.
 - Cookies & Local Storage: tokens and preferences needed to operate the Service; non-essential analytics only with consent where required.
 
3) Sources
We collect information directly from you, automatically from your devices, and from service providers we use to operate the Service (e.g., Auth0 for identity, payments, and optional analytics).
4) How We Use Information
- Provide, secure, and improve the Service (including authentication, abuse prevention, and debugging).
 - Operate optional AI features (e.g., card recognition) and measure performance/quality.
 - Personalize experiences, remember preferences, and communicate service updates/security notices.
 - Comply with legal obligations and enforce our Terms.
 
5) Legal Bases (GDPR/UK GDPR)
- Contract: to provide the Service you request (e.g., account, rooms, gameplay features).
 - Legitimate Interests: service security, analytics to improve product reliability, and fraud/abuse prevention.
 - Consent: where required (e.g., certain cookies/analytics or marketing emails).
 - Legal Obligation: to meet compliance and regulatory requirements.
 
6) Cookies, Local Storage & Consent
We use cookies/local storage for authentication, session continuity, and preferences. Where required (e.g., EU/UK), we obtain your consent before setting non-essential cookies such as analytics, and you can withdraw consent at any time in your browser or in-product controls.
7) AI Processing
To provide optional AI features like card recognition, we may process images or video frames transiently and generate logs/metrics to improve accuracy and reliability. Where feasible, we minimize retention and favor aggregated statistics over raw content. AI outputs may be inaccurate; see the Terms for limitations.
8) Sharing & Disclosures
- Service Providers/Processors: identity (Auth0), hosting, security, payments, and optional analytics—under appropriate contracts and safeguards.
 - Community Integrations: e.g., Discord, only when you choose to connect or interact with them.
 - Legal/Protection: to comply with law or protect the rights, safety, and property of users or Convoke.
 - Business Transfers: e.g., merger, acquisition, or restructuring, with notice as required by law.
 
We do not sell or “share” personal information as defined by the CPRA. If this ever changes, we will update this Policy and provide opt-out mechanisms, including honoring Global Privacy Control (GPC) signals.
9) International Transfers
We may process data outside your country (including transfers to the United States and other jurisdictions). We use appropriate safeguards (e.g., Standard Contractual Clauses) and conduct transfer assessments. For Quebec residents (Law 25), we consider the sensitivity of information, purposes of use, and measures in place in the destination country.
10) Retention
We retain personal data only as long as necessary for the purposes described or as required by law. Typical periods:
- Account data: for the life of the account, then delete or de-identify within 30–90 days, unless we must retain longer for legal reasons.
 - Logs/diagnostics: generally 30–180 days unless required longer for security/investigation.
 - Payment metadata: retained as required by tax/financial laws.
 
11) Security & Breach Notices
We implement reasonable technical and organizational measures to help protect personal data. No method of transmission or storage is 100% secure. We maintain an internal confidentiality-incident log. Where an incident presents a risk of serious injury, we will notify the Quebec Commission d’accès à l’information (CAI) and affected individuals as required by law.
12) Your Rights & Requests
- GDPR/UK GDPR: access, rectification, erasure, restriction, portability, and objection; withdraw consent where processing is based on consent; lodge a complaint with your supervisory authority.
 - CCPA/CPRA (California): right to know/access, delete, correct, and opt-out of sale/share; limit use of sensitive personal information where applicable. We do not knowingly sell/share personal information.
 
To exercise rights, email viviann.k.c@gmail.com. We respond within 30 days (extendable as permitted). We may need to verify your identity and location; authorized agents may submit requests with proof of authorization.
13) Children’s Privacy
The Service is not directed to children under 13, and under 14 in Quebec. We do not knowingly collect data from such children. If you believe a child provided us personal data, contact us and we will take appropriate steps (including deletion).
14) Do Not Track / Global Privacy Control
We honor applicable Global Privacy Control (GPC) signals for opt-out preferences where legally required. Because technical standards and legal requirements vary by region, responses may differ. You can also use in-product privacy settings and cookie controls where available.
15) Automated Decision-Making
We do not use automated decision-making that produces legal or similarly significant effects without human involvement.
16) Subprocessors
We use trusted providers (e.g., Auth0 for identity, hosting, payments, optional analytics). An up-to-date list of key subprocessors is available on request at viviann.k.c@gmail.com.
17) Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide reasonable notice (e.g., by email or in-app). The updated policy is effective when posted unless otherwise stated.
18) Contact
Questions or requests about privacy? Contact us at viviann.k.c@gmail.com. If you are in the EEA/UK, you may also contact your local data protection authority.
This page is provided for convenience only and does not constitute legal advice. Consider having counsel review before launch.