Privacy Policy

Guest play: a username (your choice). No email, no password, no personal info. Stored in your browser's local storage only.

Accounts: username, hashed password (bcrypt cost 12), and optionally an email if you provide one. We never store passwords in plaintext.

Match data: match outcomes, Elo, streaks, round statistics. Linked to your username if you have an account; not persisted for guests.

Server logs: IP address, user agent, timestamps — standard infrastructure logs, used for rate limiting and abuse prevention. Retained for 30 days.

• Video and audio. Your camera and microphone streams are sent peer-to-peer to your opponent via WebRTC. They do not pass through our servers and we never see, record, or store them.
• Face data. Reaction detection runs entirely in your browser. No face embeddings or biometric features are transmitted to our servers.
• Location. We don't collect GPS or precise location.

We use a small number of cookies and localStorage keys:

• li_guest_username (localStorage) — remembers your guest username so you don't retype it.
• li_consent (localStorage) — remembers that you acknowledged the cookie banner and 18+ confirmation.
• next-auth.session-token (cookie) — only set if you create an account and log in. Required for authentication.

We do not use third-party advertising, analytics, or tracking cookies.

We do not sell or share personal data with third parties for marketing. Match outcomes and stats may be displayed publicly on leaderboards using your chosen username.

You can delete your account at any time from your profile (when that feature ships) or by contacting support. Account deletion removes your username, password hash, email, and personal stats.

The service is for users aged 18 and over. We do not knowingly collect data from minors. If you believe a minor is using the service, contact us and we will investigate.

Privacy questions or data requests: lockedinwars@gmail.com