Privacy Policy

Last updated: 2026-04-07

What we collect

When you sign in with Discord, we receive and store:

  • Your Discord user ID, username, and avatar
  • Your email address (from Discord, used only as an internal identifier — never for outbound communications)
  • Optional profile data you provide: display name, location, country
  • OAuth connection credentials (access token, refresh token, permission scope — stored by our authentication provider, not shared externally)

As you use the platform, we store:

  • Competition registrations and crew memberships
  • The 4-digit crew code you choose when creating a crew (stored to allow teammates to join)
  • Votes you cast as a judge (preliminary rounds, bracket battles, tiebreaks)
  • Jams you organize and their configuration
  • First login timestamp and session records
  • Moderation records if a Terms of Service violation is issued (timestamps and reasons for bans or timeouts)

How we use it

Data is used solely to operate the platform:

  • Authenticating your account
  • Displaying your profile to other users
  • Recording tournament results and history
  • Moderation (ban/timeout) when Terms of Service are violated

We do not sell your data. We do not serve advertising.

Where it lives

Your data is processed by:

  • MongoDB Atlas — primary database
  • UploadThing — file storage (jam flyers, images)
  • Discord — OAuth identity provider
  • Railway — application hosting

Your rights

You can:

  • Access & edit your profile from the user dropdown on your dashboard
  • Delete your accountvia the “Terminate Account” option in the user dropdown. This removes your profile, sessions, votes, registrations, and crew memberships. Historical tournament records (jams you organized, competitions you managed) remain for other participants’ history — your identity is removed from those records and your name will appear as “Deleted User” where previously shown. Bracket judging votes are retained for tournament integrity but are no longer linked to your profile.
  • Contact us at cypherbreak@protonmail.com for any data request we cannot fulfill via the app

Retention

Active account data is retained for as long as your account exists. Session records expire after 30 days of inactivity. Audit logs (without personal data) may be retained for up to 12 months for security purposes.

Cookies

We use a session cookie for authentication (managed by NextAuth). Admin accounts also receive a short-lived verification cookie during admin portal access (1-hour expiry, never set for regular users). No tracking or analytics cookies are set.

Changes

We may update this policy. Material changes will be announced in the app. Your continued use after changes means you accept the updated policy.

Contact

Questions? Reach us at cypherbreak@protonmail.com.