Privacy Notice — jpgames.app

Effective: 2026-07-13

In one paragraph

jpgames.app is a small self-hosted card-game service. It collects the minimum needed to run the game: a random identifier so you can close the tab and come back to your seat, the gameplay state of games you take part in (hands, bids, scores), and short-lived operational data (your IP address for rate limiting, your browser's User-Agent in server logs). There is no email address, no name, no payment information, no analytics, no advertising, and no third-party trackers. If you want the data associated with your visit removed, clear the site's cookies and — if you played long enough for a game to persist — email the address below.

1. Who runs the service

Operated by John Paist. Contact: hello@jpaistiv.com.

2. What is collected, and why

  1. A player identifier (playerId). A random 128-bit value generated the first time you visit and stored in a signed cookie so you can reclaim your seat if you disconnect. It is not tied to any real-world identity. Deleting the cookie disconnects you from any past gameplay under that id.
  2. Gameplay state. Hands, bids, plays, scores, and table configuration for games you take part in. Stored in a SQLite database on the server so games survive a restart.
  3. IP address. Used at connection time for per-IP rate limits and abuse prevention. Not stored in the game database; visible in server logs for a short window (typically a few weeks).
  4. User-Agent string. Visible in the same server logs alongside your IP. Not linked to your playerId in any stored record.

That is the complete list. There is no email, no display name, no payment data, no analytics, no third-party trackers.

3. Cookies

  1. One cookie today: the signed playerId. Flagged HttpOnly and Secure. Its only purpose is to let you reclaim your seat.
  2. If accounts arrive in the future, a session cookie will be added and this notice will be updated to describe it.

4. Retention

  1. Live gameplay state: in-progress tables are kept in the database and reaped after an idle window (currently thirty minutes) or when the game completes.
  2. Nightly database backups are kept for fourteen days, then deleted.
  3. Server access logs are retained per host configuration; typically no more than a few weeks.

5. Sharing

  1. Nothing is shared with third parties for analytics, advertising, or any marketing purpose. The service does not use any external CDN.
  2. Three infrastructure providers are involved by virtue of being on the public internet: Porkbun (the DNS registrar for jpgames.app), Let's Encrypt (which issues the TLS certificate), and Hetzner Cloud (which hosts the server). None of them can see gameplay content; they see only what any operator of DNS, PKI, or network transit sees.

6. Your rights

Because the data footprint is small and no real-world identity is collected, there is little to request. If you would like:

  1. A summary of the data associated with your playerId, or
  2. Deletion of that data,

email hello@jpaistiv.com and include your playerId (visible in your browser's DevTools under Application → Cookies for jpgames.app) or an approximate date and time when you played.

Clearing your browser's site data for jpgames.app is the fastest way to disconnect from any past sessions.

7. Security

Security reports are handled per SECURITY.md in the source repository — private reports via GitHub Security Advisories or email to hello@jpaistiv.com.

8. Changes to this notice

Material changes are reflected in the effective date at the top of this page. When accounts and email are introduced (later phases of the roadmap), this notice will be updated to describe them before the feature ships.


This notice is written in good faith to describe how the service actually works, and is intentionally short because there is little to describe. It is not legal advice. Compliance with specific jurisdictions (GDPR, CCPA, and others) should be confirmed with a lawyer before wider public promotion.