Privacy Policy

Last updated: November 15, 2025

This Privacy Policy explains how Saltong ("Saltong," "we," "us," or "our") collects, uses, discloses, and safeguards information about you when you use our website and services (the "Services"), including at https://saltong.com and any page that links to this Policy.

By using the Services, you agree to the practices described here. If you do not agree, please do not use the Services. You can contact us any time at carl@carldegs.com.

Quick Summary

  • We collect information you provide (email, password when creating an account) and technical data generated by your device (IP address, device type, usage events).
  • We use third-party providers: Supabase (authentication, database), Google Analytics (analytics), Google AdSense (advertising), and Sentry (error monitoring). Details and links to their policies are provided below.
  • We use cookies and similar technologies for essential operations, authentication, analytics, and advertising. Where required by law, we obtain consent before setting non-essential cookies.
  • You have rights over your data, which may include rights to access, correct, delete, or object to processing, and to opt out of targeted advertising and certain data sharing, depending on your jurisdiction.

Table of Contents

  1. What Information We Collect
  2. How We Use Your Information
  3. Legal Bases for Processing (EEA/UK/Switzerland)
  4. Cookies and Similar Technologies
  5. Third-Party Providers We Use
  6. Sharing of Information
  7. Data Retention
  8. Security
  9. International Transfers
  10. Children's Privacy
  11. Your Privacy Rights
  12. Your US Privacy Rights
  13. Do Not Track and Global Privacy Control
  14. Third-Party Links and Services
  15. Changes to This Policy
  16. Contact Us and Data Controller Information

What Information We Collect

1) Information You Provide Directly

  • Account data: Email address, password (stored in hashed form by our authentication provider), display name or username (if provided).
  • OAuth data: If you sign in with Google, Discord, or X/Twitter, we receive basic profile information (such as email address and provider user ID) from that provider via Supabase, as permitted by that provider's terms and the permissions you grant.
  • Communications: Content of messages you send to us (for example, support emails or feedback).
  • User-generated content: Any content you create, post, or submit through the Services (such as game data, preferences, or other information you choose to provide).

2) Information Collected Automatically

  • Device and usage data: IP address, browser type and version, operating system, device identifiers, pages viewed, features accessed, actions taken, time spent on pages, approximate location derived from IP address, referrer URLs, UTM parameters, and similar technical information.
  • Cookies and similar technologies: We use authentication/session cookies (Supabase), preference cookies (for example, sidebar state), analytics cookies and events (Google Analytics), and advertising identifiers (Google AdSense). We may also store certain preferences in your browser's local storage (for example, theme selection).
  • Performance and diagnostic data: Technical logs, crash reports, error messages, and performance metrics collected through Sentry and our hosting infrastructure.

3) Information from Third Parties

  • OAuth providers: Google, Discord, and X/Twitter send us basic account information when you choose to authenticate through them.
  • Analytics and advertising partners: Our service providers may generate aggregated reports, audience segments, and analytics data derived from your interactions with the Services.
  • Publicly available sources: We may supplement the information we collect with publicly available information for fraud prevention and security purposes.

Note on sensitive data: We do not intentionally collect sensitive personal data such as health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or information about your sex life or sexual orientation. Please do not provide such information in free-text fields or communications with us.

How We Use Your Information

We process personal data for the following purposes:

  • Provide and operate the Services: Account creation and management, authentication via Supabase, saving your game progress and account preferences, maintaining active sessions, and delivering core functionality.
  • Improve and optimize the Services: Measuring, debugging, and improving performance and reliability through Sentry error and performance monitoring, internal logs, and usage analytics.
  • Understand usage patterns: Using Google Analytics event measurement and aggregated insights to understand how users interact with our Services and identify areas for improvement.
  • Display and measure advertising: Showing advertisements through Google AdSense and measuring their performance. Where required by law, we obtain consent before delivering personalized advertisements.
  • Communicate with you: Sending service notices, important updates about changes to our Services or policies, responding to your inquiries and support requests, and providing customer service.
  • Maintain safety and security: Detecting, preventing, and addressing technical issues, abuse, fraud, security incidents, spam, violations of our Terms of Service, and other harmful or unlawful activity.
  • Comply with legal obligations: Meeting legal and regulatory requirements, responding to lawful requests from authorities, and enforcing our legal agreements.
  • Business operations: Conducting internal research and development, business analytics, auditing, and corporate transactions such as mergers or acquisitions.

Legal Bases for Processing (EEA/UK/Switzerland)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under the GDPR and UK GDPR:

  • Consent: For non-essential cookies, personalized advertising, and certain marketing communications. You may withdraw consent at any time.
  • Contract performance: To provide the Services you have requested and maintain your account.
  • Legitimate interests: To secure and improve our Services, prevent fraud and abuse, conduct analytics with aggregated data, and pursue other legitimate business purposes that do not override your rights and freedoms.
  • Legal obligations: To comply with applicable laws, regulations, legal processes, and governmental requests.

Cookies and Similar Technologies

We and our third-party partners use cookies, web beacons, local storage, and similar technologies. Below are the categories of technologies we use:

Essential/Functional Cookies

Purpose: Required for the Services to function properly, including authentication, session management, and basic functionality.

Examples: Supabase authentication and session cookies, essential UI state (such as sidebar open/closed status).

Can you disable them? These cannot be disabled as they are necessary for the Services to work.

Preference Cookies and Local Storage

Purpose: Store non-essential settings and preferences such as theme selection, layout preferences, and language settings.

Can you disable them? Yes, through browser settings, though this may affect your experience.

Analytics Cookies

Purpose: Understand traffic patterns, measure engagement, and improve our Services through Google Analytics (GA4).

Data processed: Event data tied to device or client IDs, approximate geolocation from IP address. GA4 does not log or store raw IP addresses.

Retention: Event-level data is retained for up to 14 months unless otherwise required by law.

Can you disable them? Yes, through browser settings, Google Ads Settings, or industry opt-out tools (see controls below).

Advertising Cookies

Purpose: Display, deliver, measure, and personalize advertisements through Google AdSense and its Ad Technology Providers.

Data processed: Ad request and impression data, device identifiers, coarse location from IP address, and (where consented or permitted) signals used for ad personalization.

Can you disable them? Yes, through the controls described below.

Your Cookie Controls

  • Browser settings: Most browsers allow you to block, delete, or manage cookies through their settings menu. Disabling cookies may affect functionality.
  • Google Ads Settings: Manage ad personalization at adssettings.google.com.
  • Industry opt-out tools: Opt out of interest-based advertising through Network Advertising Initiative and Digital Advertising Alliance.
  • Mobile device settings: Use your device's advertising identifier settings to limit ad tracking.
  • Consent management (EEA/UK/Switzerland): Where required by law, we will present a consent banner before setting non-essential cookies. You may withdraw consent at any time by adjusting your cookie preferences through our consent management interface or by contacting us.

Default for EEA/UK/Switzerland users: We serve non-personalized advertisements by default and will only deliver personalized ads after obtaining your explicit consent.

Third-Party Providers We Use

We integrate the following key service providers into Saltong:

1) Authentication and Database — Supabase

Purpose: User authentication (email/password and OAuth with Google, Discord, X/Twitter), session management, and database storage.

Data processed: Email address, hashed passwords, OAuth provider identifiers and profile data (as permitted by the providers), session tokens and IDs, basic device information for security purposes, and application data you create.

Cookies: Supabase sets authentication and session cookies to maintain your login state.

Data location: May be processed on servers in the United States and other jurisdictions where Supabase operates.

Privacy and security: supabase.com/privacy | supabase.com/security

2) Analytics — Google Analytics (GA4)

Purpose: Measure traffic, events, user interactions, and generate aggregated usage reports.

Data processed: Event data tied to device or client IDs, approximate geolocation from IP address. GA4 does not log or store raw IP addresses. We implement Google Analytics using @next/third-parties/google.

Retention: Event-level data is typically retained for 2-14 months. We configure retention up to 14 months unless otherwise required by law.

Controls: Browser opt-outs, Google Ads Settings, NAI/DAA industry opt-out tools.

Data location: Google processes data globally in accordance with its infrastructure.

Privacy policy: policies.google.com/privacy

3) Advertising — Google AdSense

Purpose: Display advertisements, measure ad performance, and (where consented) personalize ads based on your activity and general location. May utilize Google's Ad Technology Providers (ATPs).

Data processed: Ad request and impression data, device and usage identifiers, coarse location from IP address, and (if consented or where permitted) signals for ad personalization.

Controls: Google Ads Settings, NAI/DAA opt-out tools, browser cookie settings, and our consent management interface (where applicable).

Data location: Google processes data globally in accordance with its infrastructure.

Ad Technology Providers: Learn about Google's ad partners at support.google.com/admanager/answer/9012903.

Privacy policy: policies.google.com/technologies/ads

Default for EEA/UK users: Non-personalized ads are shown by default unless you provide explicit consent for personalized advertising.

4) Error and Performance Monitoring — Sentry

Purpose: Capture errors, crashes, exceptions, and performance metrics to help us identify and resolve technical problems.

Data processed: Error messages, stack traces, truncated URLs, component names, browser type, operating system, device information, and technical context. Sentry may receive IP addresses as part of request metadata, but we do not use this data to identify you personally.

Retention: Event data is typically retained for up to 90 days, subject to Sentry's project settings and our configuration.

Data location: Sentry processes data in the United States and other jurisdictions where it operates.

Privacy policy: sentry.io/privacy

5) Hosting and Content Delivery

Purpose: Host and deliver the Services efficiently and securely.

Provider: We use cloud hosting and content delivery network (CDN) services such as Vercel.

Data processed: Operational logs (request timing, generic headers, IP addresses) for security, reliability, and performance optimization.

Data location: May be processed on servers globally based on our hosting provider's infrastructure.

Privacy policy: vercel.com/legal/privacy-policy

Data Processing Agreements

We maintain written agreements with our service providers requiring them to process personal data only on our instructions, implement appropriate security measures, and comply with applicable data protection laws.

Sharing of Information

We share personal data in the following circumstances:

Service Providers and Processors

We share data with third-party service providers that perform functions on our behalf, including authentication, database management, analytics, advertising, error monitoring, hosting, CDN services, customer support, and payment processing (if applicable). These providers are contractually obligated to use your data only as necessary to provide their services to us.

Legal Requirements and Protection of Rights

We may disclose personal data when required by law, legal process, litigation, or governmental request, or when we believe disclosure is necessary to:

  • Comply with applicable laws, regulations, or legal obligations
  • Enforce our Terms of Service or other agreements
  • Protect the rights, property, or safety of Saltong, our users, or others
  • Detect, prevent, or address fraud, security issues, or technical problems
  • Respond to claims that content violates third-party rights

Business Transfers

If Saltong is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Services of any change in ownership or use of your personal data, as well as any choices you may have.

With Your Consent

We may share data for other purposes with your explicit consent or at your direction.

Aggregated or De-identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you, without restriction.

No Sale of Personal Information for Money

We do not sell your personal information in exchange for monetary consideration. However, in some US jurisdictions, the use of third-party advertising and analytics technologies may be considered "sharing" or "selling" for purposes of cross-context behavioral advertising under state privacy laws. See "Your US Privacy Rights" below for information on how to opt out.

Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Account data: Retained while your account is active and for a reasonable period after account closure or deletion to comply with legal obligations, resolve disputes, enforce agreements, and maintain security.
  • Analytics data: Google Analytics event data is retained for up to 14 months, subject to our configuration and Google's policies.
  • Error logs: Sentry stores event data for up to 90 days by default, subject to our configuration.
  • Cookies and local storage: Persist according to their configured lifetimes or until you delete them through your browser settings.
  • Communications: Support emails and other communications are retained as necessary to provide customer service and maintain records of our interactions.

When retention periods expire, we delete or anonymize personal data unless we must retain it to comply with legal obligations, resolve disputes, or enforce our agreements. Upon your request, we will delete your personal data in accordance with applicable law and our retention policies.

Security

We implement technical, administrative, and physical security measures designed to protect personal data from unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit using industry-standard protocols (TLS/SSL)
  • Encryption of sensitive data at rest where appropriate
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Employee training on data protection and security practices
  • Incident response procedures

No system is perfectly secure. While we strive to protect your personal data, we cannot guarantee absolute security. Please use a strong, unique password for your account and keep it confidential. If you become aware of any security breach, please notify us immediately at carl@carldegs.com.

International Transfers

Saltong is based in [your jurisdiction/Philippines]. We may process, store, and transfer personal data in countries other than your own, including the United States and other jurisdictions where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal data from the EEA, UK, or Switzerland to countries that do not provide an adequate level of data protection as determined by the European Commission or UK authorities, we implement appropriate safeguards, such as:

  • Standard Contractual Clauses approved by the European Commission or UK authorities
  • Adequacy decisions recognizing certain countries as providing adequate protection
  • Other legally approved transfer mechanisms

You may request information about the safeguards we use for international transfers by contacting us at carl@carldegs.com.

Children's Privacy

Our Services are not directed to children under the age of 13 (or the applicable age of digital consent in your jurisdiction, such as 16 in some EEA countries). We do not knowingly collect personal data from children under these ages.

If you are a parent or guardian and believe your child has provided personal data to us, please contact us at carl@carldegs.com. We will take steps to delete such information from our systems.

If you are 13 years of age or older (or the applicable age in your jurisdiction), you may use the Services subject to our Terms of Service and this Privacy Policy.

Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal data. These rights may include:

General Rights (Applicable in Many Jurisdictions)

  • Access: Request confirmation of whether we process your personal data and obtain a copy of your data.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data, subject to certain exceptions (such as legal obligations or legitimate interests).
  • Objection: Object to processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Restriction: Request restriction of processing under certain circumstances.
  • Data portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (where technically feasible).
  • Withdrawal of consent: Where processing is based on consent, withdraw your consent at any time. This will not affect the lawfulness of processing before withdrawal.

EEA, UK, and Switzerland Residents

If you are located in the EEA, UK, or Switzerland, you have the rights listed above under the GDPR and UK GDPR. You also have the right to:

  • Lodge a complaint: Contact your local data protection authority if you believe we have violated your data protection rights.
    • EEA: Find your authority at edpb.europa.eu
    • UK: Information Commissioner's Office (ICO) at ico.org.uk
    • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch

How to Exercise Your Rights

To exercise any of these rights, please contact us at carl@carldegs.com. In your request, please:

  • Clearly describe the right you wish to exercise
  • Provide information to help us verify your identity (such as your account email address)
  • Specify your location or jurisdiction if relevant

We may ask for additional information to verify your identity and ensure we are responding to the correct individual. We will respond to your request within the timeframe required by applicable law (typically 30 days, though we may extend this period in certain circumstances).

If you use an authorized agent to submit a request on your behalf, we may require:

  • Proof of the agent's authorization to act on your behalf
  • Verification of your identity directly from you

If we deny your request, we will explain the reason for the denial. Where applicable, you have the right to appeal our decision by contacting us at the same email address.

Cookie and Advertising Controls

For specific information about managing cookies and opting out of targeted advertising, see "Cookies and Similar Technologies" and "Your US Privacy Rights" sections above.

Your US Privacy Rights

If you reside in a US state with a comprehensive consumer privacy law, including California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Florida (FDBR), Indiana (ICDPA), Iowa (ICDPA), Kentucky (KCDPA), Maryland (MPDPA), Minnesota (MCDPA), Montana (MCDPA), Nebraska (NDPA), New Hampshire (NHPA), New Jersey (NJDPA), Oregon (OCPA), Rhode Island (RIDPA), Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), and Virginia (VCDPA), you may have the following rights, subject to certain exceptions and limitations:

Your Rights

  • Right to know/access: Confirm whether we process your personal information and access categories and specific pieces of personal information we have collected about you.
  • Right to correction: Request correction of inaccurate personal information.
  • Right to deletion: Request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to data portability: Receive your personal information in a portable and readily usable format (where technically feasible and required by law).
  • Right to opt out of:
    • Sale of personal information (as defined by applicable state law)
    • Sharing of personal information for cross-context behavioral advertising (targeted advertising)
    • Profiling in furtherance of decisions that produce legal or similarly significant effects
  • Right to limit use of sensitive personal information: Where applicable (we generally do not collect sensitive personal information).
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to appeal: If we deny your request, you may appeal our decision.

How We Use and Share Personal Information (California-Specific Disclosures)

In the preceding 12 months, we have collected the following categories of personal information and used them for the purposes described in "How We Use Your Information":

  • Identifiers: Email address, username, IP address, device identifiers, cookies
  • Commercial information: Purchase history (if applicable), account preferences
  • Internet activity: Browsing history on our Services, interactions with our Services and advertisements
  • Geolocation data: Approximate location derived from IP address
  • Inferences: Preferences and characteristics inferred from usage patterns

We share these categories of personal information with the third parties described in "Third-Party Providers We Use" and "Sharing of Information."

Sales and Sharing: We do not sell personal information for monetary consideration. However, our use of Google Analytics and Google AdSense may constitute "sharing" or "selling" under California law for purposes of cross-context behavioral advertising. You may opt out using the methods described below.

How to Exercise Your US Privacy Rights

For access, correction, deletion, or portability requests:

  • Email us at carl@carldegs.com with the subject line "Privacy Rights Request"
  • Include your full name, email address, state of residence, and the specific right(s) you wish to exercise
  • We will verify your identity before responding

To opt out of sale/sharing/targeted advertising:

  • Use browser cookie controls and the Google Ads Settings and NAI/DAA opt-out tools described in "Cookies and Similar Technologies"
  • Email us at carl@carldegs.com with the subject line "Opt-Out of Sale/Sharing/Targeted Advertising"
  • Enable Global Privacy Control (GPC) in your browser (see below)

Response timeframes: We will respond to verified requests within 45 days (or as otherwise required by your state's law). If we need additional time, we will notify you of the extension and the reason.

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require proof of authorization and verification of your identity.

Appeals: If we deny your request, you may appeal by replying to our response or emailing us at carl@carldegs.com with "Privacy Rights Appeal" in the subject line. We will respond to your appeal within the timeframe required by applicable law.

Do Not Track and Global Privacy Control

Do Not Track (DNT)

Some browsers transmit "Do Not Track" (DNT) signals. There is no industry consensus on how to respond to DNT signals. We do not currently respond to DNT signals because we are awaiting the development of a common industry standard. However, you can use the cookie and opt-out controls described in this Policy to manage tracking.

Global Privacy Control (GPC)

We recognize and honor Global Privacy Control (GPC) signals as an opt-out of the sale or sharing of personal information for cross-context behavioral advertising, where required by applicable law (including California, Colorado, Connecticut, and other states that recognize GPC).

To enable GPC, you can:

  • Install a GPC-enabled browser extension
  • Use a browser that supports GPC natively
  • Learn more at globalprivacycontrol.org

When we detect a GPC signal from your browser, we will apply your opt-out preference to that specific browser on that device. GPC signals are browser and device-specific, so you will need to enable GPC on each browser and device you use.

Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not operated or controlled by us. This Privacy Policy does not apply to those third-party sites or services.

We are not responsible for the privacy practices, content, or security of any third-party sites or services. We encourage you to review the privacy policies of any third-party sites or services before providing them with your personal information.

When you connect your account to third-party OAuth providers (Google, Discord, X/Twitter), those providers' privacy policies govern their collection and use of your information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, legal requirements, or for other operational, legal, or regulatory reasons.

When we make changes, we will:

  • Update the "Last updated" date at the top of this Policy
  • Post the revised Policy on this page

If we make material changes that significantly affect your rights or how we use your personal data, we will provide additional notice by:

  • Displaying a prominent notice on our Services
  • Sending an email to the address associated with your account (where applicable)
  • Obtaining your consent where required by law

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must stop using the Services.

Contact Us and Data Controller Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: carl@carldegs.com

Data Controller: Saltong

We will respond to your inquiry as promptly as possible and in accordance with applicable law.

For EEA, UK, and Switzerland residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Thank you for trusting Saltong with your information. We are committed to protecting your privacy and being transparent about our data practices.

Email: carl@carldegs.com

Data controller: Saltong