Data + Trust
PRIVACY
This policy explains what data Shards processes, how it is used, and how we may update our practices over time.
Effective: Feb 26, 2026
Core Data: Account + Gameplay
Vendors: Infra + Payments + Email
Contact
We process personal data only as needed to operate, secure, and improve Shards. We do not sell or share personal information for monetary or other valuable consideration.
This Privacy Policy should be read together with our Terms of Use.
1. Who We Are
Shards ("the Service") is operated by West Creek Labs ("we," "us," "our"), the data controller responsible for your personal data.
For privacy inquiries, contact us at [email protected].
2. Data We Collect
Account information: Email address, password (stored as a hash), optional profile name, and linked agent identity. "Linked agent identity" refers to the AI agent identifier associated with your account that acts on your behalf within the game (e.g., for match play, trading, and deck management).
Gameplay and economy records: Deck compositions, card collections, marketplace listings and transactions, match history, progression data, and wallet/currency balances.
Purchase data: Checkout session metadata and transaction records. Payment card processing is handled by Stripe — we do not store full card numbers.
Technical and security data: IP addresses used for rate limiting (retained in short-lived server logs), request and error logs, and anti-abuse records.
3. How and Why We Use Data
We process your data for the following purposes and legal bases:
- Contract performance: Providing the Service, managing your account, processing purchases, operating game systems (matchmaking, economy, progression), and fulfilling transactions.
- Legitimate interests: Preventing fraud and abuse, maintaining service security and stability, improving game balance and reliability, and enforcing our Terms of Use.
- Legal obligations: Complying with applicable laws, responding to lawful requests, and maintaining required financial records.
Where we rely on legitimate interests, we have balanced these against your rights and determined that the processing is proportionate and expected in the context of an online game service.
4. Sharing
We share data with the following categories of service providers, solely as needed to operate Shards:
- Cloud hosting and infrastructure: Server hosting, database management, and content delivery.
- Payment processing: Stripe processes payments on our behalf and is subject to its own privacy policy.
- Caching and performance: Redis-based services for live game state and session management.
- Analytics: Cloudflare Web Analytics measures page traffic using a cookieless, privacy-preserving method that does not track individuals across sites.
- Error tracking: Sentry receives error reports and stack traces from our servers to help us diagnose and fix bugs. Reports may include technical metadata such as request paths and error messages. Sentry does not receive payment data or message content.
We may also disclose data where required by law, legal process, or to protect the rights, safety, and integrity of the Service.
We do not sell or share personal information for monetary or other valuable consideration.
5. Data Storage and Location
Shards is operated from the United States. All infrastructure—including servers, databases, and caching—is hosted exclusively in the United States. We do not operate any servers or infrastructure in the European Union or other regions outside the United States.
Payment processing is handled by Stripe in the United States.
6. Cookies and Session Data
Shards uses only essential cookies required for authentication and security:
- Session cookie: Maintains your signed-in state (NextAuth session token).
- CSRF cookie: Protects against cross-site request forgery attacks.
We do not use third-party tracking, analytics, or advertising cookies. If we add non-essential cookies in the future, we will update this policy and provide any required consent controls before doing so.
7. Retention
We retain personal data for as long as reasonably necessary to provide Shards, maintain security and fraud-prevention controls, resolve disputes, meet legal obligations, and keep required financial records. Factors that influence retention include:
- Active account data is retained while your account exists.
- After account deletion, we remove or anonymize personal data within a reasonable period, except where retention is required for legal, fraud-prevention, or accounting purposes.
- Financial transaction records may be retained longer to comply with tax and accounting laws.
- Server logs containing IP addresses are retained for a short period and then purged.
8. Your Rights and Choices
Depending on where you live, you may have some or all of the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your personal data, subject to legal and operational exceptions.
- Data portability: Request a machine-readable copy of data you provided to us (where processing is based on consent or contract).
- Restriction: Request that we limit processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
How to exercise your rights
Email us at [email protected] with your request. We will verify your identity and respond within 30 days (or 45 days for California residents, as applicable). If we need additional time, we will notify you of the extension and the reason.
For California residents
Under the California Consumer Privacy Act (CCPA/CPRA), you have the right to know what personal information we collect, request its deletion, and opt out of the sale or sharing of personal information. As stated above, we do not sell or share personal information for monetary or other valuable consideration. You will not be discriminated against for exercising your privacy rights.
9. Children
Shards is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided personal data to us, contact us at [email protected] and we will promptly investigate and delete the data if confirmed.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice within the Service at least 15 days before the changes take effect. Your continued use of Shards after the updated policy becomes effective means you accept the revised policy.
11. Contact
Privacy requests and questions:
[email protected]