Privacy
Privacy Policy
Last updated: June 18, 2026
The short version. We collect only what we need to run the app and improve it. There are no third-party analytics or advertising trackers, no Google Analytics, no Segment, no Hotjar, no Mixpanel, no ad pixels. We do not sell your personal data, and we do not share it for advertising. You can delete your account and its data at any time. Questions or requests: privacy@crakdotbam.app.
Crak Dot Bam ("the app", "we", "us", "our") is a training tool and live-play companion for American Mahjong, operated by Inkwell Solutions, LLC. This policy explains what personal data we collect, why, who processes it on our behalf, how long we keep it, and the choices you have.
The app is currently free during the TestFlight beta and early-access period; a paid subscription begins only when in-app purchases are enabled (see section 2.7).
1. Who we are
The data controller is Inkwell Solutions, LLC ([address]). For any privacy question or request, contact privacy@crakdotbam.app.
2. Data we collect
2.1 Account data
When you sign in, we store:
- your authentication provider (Clerk) user ID,
- your email address,
- optionally, your first name or display name;
- a self-declared age (provided once at sign-up), used only to confirm you meet the minimum age and to gate age-restricted features (see section 7). Where we can, we keep only a coarse indicator (whether you are 18 or older) rather than your full date of birth.
2.2 Gameplay and app data
While you use the app, we store:
- gameplay statistics (sessions, hands played, Charleston picks, puzzle solves, play time per day, and similar progress data);
- your saved AI-generated or photo backgrounds and your theme and appearance settings;
- lesson progress, tile-calibration sets (if you create them), and Garden milestone state;
- a session-level event log used to compute progress, milestones, and basic product metrics (this log is first-party only, see section 3);
- any feedback you submit, and the in-app state attached to it (see section 2.5);
- social features you opt into, such as friends, teams, Game Night scheduling polls, and charity-vote allocations.
2.3 Photos you submit for recognition (OCR)
When you take or upload a photo of your tile rack or your American Mahjong card, the image is sent to our server for preprocessing and then to Anthropic's Claude vision API to recognize the tiles or card. We do not retain the raw image after the request completes. We cache only the recognition result (the recognized tiles or text), keyed by a hash of the image, not by your account, for 30 days, so that re-uploading the same photo doesn't repeat the API cost.
2.4 AI-generated backgrounds
When you generate a custom background, a text prompt describing the desired image is sent to Google's Gemini image-generation API. If you supplied a reference photo, Anthropic's Claude first analyzes that photo and writes the text description; the reference photo itself is never sent to Google, and the reference is not kept after the prompt is produced. The generated image is stored in your account (see section 3, Vercel Blob).
2.5 Feedback content
When you submit in-app feedback, the record includes your current hand state, the AI advice you saw, your picks, the surface you were on, and any comment you write. If you type an email address or other contact info into the comment box, it is stored in the feedback record as-is; we treat that as you consenting to share that contact info with us for follow-up and triage only.
2.6 Technical and diagnostic data
- Crash and error reports: when the app errors, we record a diagnostic report (the error, the surface, channel, and session it occurred on, and your user-agent string) to help us fix bugs.
- Anti-abuse and rate-limiting: for unauthenticated requests (for example, a landing-page contact form), we record a hashed network prefix of the IP address to prevent abuse. We do not build advertising profiles from this.
- We do not fingerprint you beyond what is described here.
2.7 Payment data (when subscriptions ship)
Subscriptions, when offered, are purchased through the Apple App Store or Google Play in-app purchase systems. We do not collect or store your payment card details. The platform handles billing and shares only the subscription or entitlement status needed to unlock paid features. See the Apple and Google privacy policies for how they handle payment data.
3. Who processes your data (third-party processors)
We use the following service providers ("processors") to run the app. Each processes data only as needed to provide its service, under its own privacy terms:
| Processor | What it does | What it receives |
|---|---|---|
| Clerk | Authentication, sign-in, session and profile management. | Your email, user ID, and sign-in activity. We mirror your email and user ID into our own database to attribute records to you. |
| Vercel | Hosting, serverless functions, and the primary data store (Vercel KV, a Redis-compatible database). AI-generated background image files are stored in Vercel Blob; your account record holds only an unguessable link to the file. | Substantially all of your account and gameplay records. |
| Anthropic (Claude) | Strategy advice (Charleston and Hand Match) and vision recognition of the photos you submit (section 2.3), plus reference-photo analysis for background generation (section 2.4). | Your tiles and hand context with each advice request; your submitted photo with each recognition request. Anthropic states it does not use this data to train its models; refer to Anthropic's own privacy policy for the authoritative position. |
| Google (Gemini API) | AI background image generation only (section 2.4), via the Gemini Developer API. | Only the text prompt describing the image. Your reference photo is never sent to Google. |
We do not use any third-party analytics, advertising, attribution, or cross-site tracking services.
4. Why we use your data (purposes and legal bases)
We process personal data to:
- provide the service, authenticate you, store your hands and settings, and return advice and recognition results (legal basis: performance of a contract);
- maintain and secure the service, debug crashes, prevent abuse, and enforce rate limits (legal basis: legitimate interests);
- improve the product, understand which features are used and fix problems, using first-party data only (legal basis: legitimate interests);
- respond to you, handle feedback, support, and your privacy requests (legal basis: legitimate interests or consent).
We do not use your data for advertising or profiling, and we do not sell it.
5. How long we keep it (retention)
Our retention periods follow the time-to-live settings configured in our data store:
| Data | Retention |
|---|---|
| Account record, gameplay stats, saved backgrounds, entitlements, lesson and calibration data, preferences | 1 year from last sign-in; the timer resets each time you use the app. |
| Session logs and event traces | 1 year from the session start. |
| Feedback records | 1 year from submission. |
| Game Night scheduling polls and votes | 90 days from creation. |
| Share links (backgrounds, custom cards, calibration, poll invites) | 30 days from creation. |
| OCR recognition-result cache (keyed by image hash, not your account) | 30 days. |
| Client-side crash and error reports | 7 days from the crash. |
| Charity-vote cycle records | 1 year. |
When you delete your account (section 6), the records keyed to your account are erased promptly; a small number of shared records and derived caches are removed by our offline deletion tooling and otherwise expire on the schedule above.
6. Your rights and choices
6.1 Delete your account and data
You can delete your account and its server-side data from within the app (Settings, then account deletion), in line with Apple's account-deletion requirement. This erases the records keyed to your account, including your profile, stats, backgrounds (and the stored image files), saved settings, lesson progress, and your own social, scheduling, and charity-vote records. You may also email privacy@crakdotbam.app and we will delete your data for you.
6.2 Access, correction, portability
You can request a copy of the personal data we hold about you, ask us to correct it, or ask us to delete it. Email privacy@crakdotbam.app with your sign-in email or your user ID (shown in the in-app Settings popover). We aim to respond within 30 days.
6.3 EU and UK residents (GDPR)
If you are in the EU or UK, you have the rights to access, rectify, erase, restrict, and object to processing, and to data portability. You may also lodge a complaint with your local data-protection authority. Our legal bases are described in section 4.
6.4 California residents (CCPA and CPRA)
If you are a California resident, you have the right to know what personal information we collect and why, to request deletion, and to correct inaccurate information. We do not sell or "share" (as defined under California law) your personal information, so there is no opt-out to exercise, but you may still contact us at privacy@crakdotbam.app to make a request. We will not discriminate against you for exercising these rights.
7. Age, children, and age-gated features
Minimum age 13. The app is intended for users 13 and older. If you are between 13 and 18 (or the age of majority where you live), you may use the app only with the consent and supervision of a parent or legal guardian, who accepts the Terms on your behalf and is responsible for any purchase.
Under 13. We do not knowingly collect personal data from children under 13. A child under 13 should not create their own account; if a young child plays, they should do so on a parent's account. If you believe a child under 13 has created an account or given us data, contact privacy@crakdotbam.app and we will delete it.
Why we ask your age. We collect a self-declared age once at sign-up solely to (a) confirm you meet the minimum age and (b) restrict age-gated features. In particular, Game Night, the group-scheduling feature and its notes thread, is limited to users 18 and older, so the only freeform user-to-user messaging in the app is adults-only.
Parental rights. A parent or guardian may contact privacy@crakdotbam.app to access, correct, or delete their child's data.
8. Security
We rely on reputable infrastructure providers (Clerk, Vercel) and apply authentication, rate limiting, and least-privilege access controls. No system is perfectly secure, but we work to protect your data and to limit what each processor receives to what its function requires.
8a. User content and moderation
The app has limited user-to-user content: the optional notes thread inside a Game Night (an 18+ feature, visible only to people the host invited), an optional shared item (an AI-generated background), and user-chosen display, team, and group names (which may be shown to other users, for example on a leaderboard). You can report objectionable content and block another user or leave a shared activity using the in-app controls; every Game Night note and shared item has a Report control on the screen where it appears, and you can block a user to hide their content and stop them from inviting you again. We review reports and remove objectionable content and/or eject the responsible user within 24 hours of a credible report. Reports are stored with the reporter's account id so we can de-duplicate and follow up; they are visible only to our moderation review, not to other users. Moderation or abuse concerns: abuse@crakdotbam.app.
9. International transfers
Our processors may store or process data in the United States and other countries. Where required, we rely on appropriate safeguards for international transfers.
10. Changes to this policy
We will update this policy when we add or change a processor, change a retention period, or change what we collect. When we make material changes, we will update the effective date above and, where appropriate, notify you in the app. The in-app Privacy page reflects the same practices; the version line in the app indicates which build you are running.
11. Contact
Privacy questions or requests: privacy@crakdotbam.app. Moderation or abuse concerns: abuse@crakdotbam.app.
Inkwell Solutions, LLC ([address]).