Legal

Privacy Policy

Last updated: January 2026

1. Introduction

This Privacy Policy explains how Marathon Variety Lda ("we", "us", or "our"), operating under the product name Gameframe, collects, uses, discloses, and protects your personal information when you use our version control platform for game design documents.

Marathon Variety Lda is a company registered in Portugal and is the data controller responsible for your personal data. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Data Controller: Marathon Variety Lda
Contact: support@tinytaps.games

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (display name)
  • Password (stored as a secure hash, never in plain text)
  • Profile information you choose to provide

2.2 Document Content

We store the game design documents, spreadsheets, and other content you upload to our platform. This content is necessary to provide our version control services.

2.3 Integration Data

If you connect third-party services:

  • Google OAuth tokens (encrypted) for Google Sheets integration
  • Connection metadata for linked services

2.4 Usage and Analytics Data

  • Activity logs (document views, edits, version history)
  • Feature usage patterns
  • Session information

2.5 Technical Data

  • IP addresses
  • Browser type and version
  • Device information
  • Operating system

2.6 Payment Data

Payment processing is handled by Stripe. We do not store credit card numbers or full payment details on our servers. We retain only transaction identifiers and billing history necessary for our records.

3. How We Use Your Data

We use your personal data to:

  • Provide our services: Store and version your documents, enable collaboration, and manage your account
  • AI-powered analysis: Process your documents through our AI features to extract entities, generate summaries, and provide design insights
  • Improve the platform: Analyze usage patterns to enhance features and user experience
  • Communicate with you: Send service-related notifications, updates, and support responses
  • Ensure security: Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations: Meet regulatory requirements and respond to lawful requests

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on:

4.1 Contract Performance

Processing necessary to provide you with our services as described in our Terms of Service, including storing your documents, managing your account, and processing payments.

4.2 Legitimate Interests

Processing for our legitimate business interests, such as:

  • Improving our services and developing new features
  • Understanding how users interact with our platform
  • Ensuring platform security and preventing abuse
  • Marketing our services to existing users

4.3 Consent

Where required, we obtain your consent before processing, such as for optional marketing communications or non-essential cookies.

4.4 Legal Obligations

Processing necessary to comply with applicable laws, regulations, or legal proceedings.

5. Third-Party Services

We use trusted third-party services to operate our platform. These providers process data on our behalf under strict data processing agreements:

Supabase

Database hosting and authentication services

Stripe

Payment processing (PCI-DSS compliant)

Google

OAuth authentication and Google Sheets API integration

Anthropic

AI-powered document analysis and entity extraction

Railway & Netlify

Application hosting infrastructure

6. Data Retention

We retain your data for the following periods:

  • Account data: Until you delete your account, plus 30 days for technical cleanup
  • Document content: Until you delete it or close your account
  • Version history: Retained as long as the parent document exists (immutable for audit purposes)
  • Backup copies: Up to 90 days after deletion
  • Activity logs: 12 months for security and debugging purposes
  • Billing records: 7 years as required by Portuguese tax law

7. Your Rights

Under GDPR and applicable data protection laws, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to restrict processing: Request limitation of processing in certain circumstances
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at support@tinytaps.games. We will respond to your request within 30 days.

Supervisory Authority: If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissao Nacional de Proteccao de Dados - CNPD) or your local supervisory authority.

8. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), including in the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all third-party processors
  • Verification that recipients maintain adequate security measures

9. Cookies and Similar Technologies

We use cookies and similar technologies to operate our platform:

Essential Cookies

Required for the platform to function, including:

  • Session management and authentication
  • Security tokens and CSRF protection
  • User preferences (e.g., selected workspace)

Analytics Cookies

Help us understand how you use our platform to improve the user experience. These are only set with your consent where required by law.

10. Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption at rest and in transit (TLS 1.3)
  • Secure password hashing using modern algorithms
  • Row-Level Security (RLS) policies in our database
  • Regular security audits and vulnerability assessments
  • Access controls and authentication requirements
  • Encrypted storage for sensitive data like OAuth tokens

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect and how we use it
  • Right to delete your personal information
  • Right to opt-out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your privacy rights

12. Children's Privacy

Gameframe is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at support@tinytaps.games.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, sending you an email notification. The "Last updated" date at the top of this policy indicates when it was last revised.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Marathon Variety Lda
Email: support@tinytaps.games