Start playing

Privacy Policy

Effective April 28, 2026

TongueTied is an online multilingual word game, run as an independent project. This policy explains what information we collect when you use TongueTied, why we collect it, who we share it with, and how you can get your data deleted. “We,” “us,” and “TongueTied” all refer to the project operators.

Information we collect

When you sign in with Google

If you sign in with Google, we receive from Google: your Google account identifier, your email address, your profile name, your profile picture URL, and your locale. We only request Google’s standard openid, email, and profile scopes — we do not request access to Gmail, Drive, Calendar, Contacts, or any other Google service.

When you sign in with email

If you sign in with email, we collect the email address you submit so we can sign you in.

When you play

To run your games and your profile, we store: your chosen display name; the games you participate in (moves, scores, rack contents, tile bag state, board state, final results); chat messages and reactions you send to opponents; the words you look up in our in-game word-info panel; your language preferences; and your theme and notification preferences.

Automatically

Our hosting and error-monitoring providers automatically collect standard request logs: IP address, browser user-agent, and the URL you requested. If something goes wrong, our error-monitoring provider (Sentry) captures the error together with your IP address and, where relevant, your email, so we can diagnose and fix the problem. Our analytics tools record aggregate page views and performance metrics.

How we use your information

  • Authenticate you and keep you signed in.
  • Run the game: sync moves between you and your opponents, save game state, compute scores and word validity.
  • Show your display name to your opponents in games, chat, and lobby lists.
  • Send you transactional email (sign-in links, turn notifications, rematch invitations, game-finished summaries) at the address you signed up with.
  • Diagnose bugs and performance issues through aggregated analytics and error reports.
  • Improve TongueTied: tune word dictionaries, translations, hint quality, and gameplay features.

Use of Google user data

Google data (your Google ID, email, name, profile picture, and locale) is used only to authenticate you, display your name to other players, and deliver game-related email to you. We do not sell, rent, or trade Google user data. We do not use Google user data for advertising or ad-targeting. We do not use Google user data to train, fine-tune, or evaluate machine-learning or AI models.

Third-party processors

We rely on these service providers to run TongueTied. Each processor receives only the data it needs for its role:

  • Supabase — authentication, PostgreSQL database, and real-time game synchronization. Stores your account, profile, games, and chat.
  • Vercel — web hosting and edge request delivery. Receives standard HTTP request logs. We also use Vercel for aggregated traffic and performance measurement.
  • Sentry — error monitoring. Receives stack traces, the URL where an error occurred, your IP address, and, where relevant, your email, when something in the app breaks.
  • Postmark — transactional email delivery. Receives your email address and the contents of sign-in links and game notifications.
  • Klaviyo — email list and lifecycle messaging. Receives your email address, display name, and gameplay milestone events (game created, joined, finished).
  • Discord — operational webhook. Receives anonymous operational signals (e.g., an admin invite was created) to an internal channel the project maintainers watch. Does not receive your email or chat content.
  • OpenAI — language model used by optional in-game features such as translations and the AI assistant. When you invoke these features, the specific text you queried may be sent to OpenAI. Your account data is not sent.
  • Google — OAuth sign-in provider (only if you chose Google to sign in).

We do not sell personal data to anyone, ever.

Data retention

We keep your account, profile, and gameplay history until you ask us to delete them. Error-monitoring data is retained by Sentry per their standard retention policy (typically around 30 days). Aggregated analytics are retained by Vercel per their standard retention. Marketing-list membership at Klaviyo is retained until you unsubscribe.

How to access, export, or delete your data

Delete in-app. Open Settings → scroll to Danger zoneDelete my account. Type DELETE to confirm. Once you confirm:

  • Your profile, chat history, push notifications, and any active games are removed in real time. Active games are forfeited to your opponents.
  • Your past completed games are kept (so opponents’ records stay intact) but rendered as “Deleted user” with no link back to you.
  • You’re signed out of every device. We send a confirmation email so you have a record.
  • Signing in again with the same email creates a fresh, unrelated account — no carry-over.

Data export is coming soon. To request a copy of your data in the meantime, email privacy@tonguetied.app.

Need help? If self-serve deletion isn’t working, email privacy@tonguetied.app from the email address on your account.

Security

Traffic between your device and TongueTied is encrypted in transit (HTTPS/TLS). Our database enforces row-level security so each user can only read the rows that belong to them (their profile, their games, and games they are participating in). Access to administrative tooling is limited to the project maintainers and protected by account-level multi-factor authentication.

Children’s privacy

TongueTied is a general-audience word game and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created a TongueTied account, please contact privacy@tonguetied.app and we will delete the account.

International users

TongueTied is operated from the United States and our service providers store data primarily in the United States. By using TongueTied you consent to your information being transferred to and processed in the United States, which may have different data-protection standards than your country.

Changes to this policy

If we make material changes to this policy, we will update the Effective date above and notify users with active accounts by email before the changes take effect.

Contact

Questions about this policy, requests to access or delete your data, or other privacy concerns: email privacy@tonguetied.app.