Privacy Policy

Last updated: 20 June 2026

The short version

Spiky is a party-trivia game that's free to play. You can optionally sign in with Google or Apple to subscribe to Gold Cactus, our paid tier. We do not run ads and we do not sell your data. We collect the minimum needed to make the game work: a nickname, an anonymous device ID, the answers you submit, and — for subscribers — a record of your subscription status.

What we collect

  • Nickname — the display name you type before joining or creating a room.
  • Anonymous device ID — a random UUID generated in your browser the first time you visit. It lets us recognise you if you reconnect to the same room. It is not tied to any real-world identity.
  • Gameplay data — room codes, the category and question you played, your answer, your bluff, your votes, and your score. We keep a record of the answers and bluffs you submit, which may be reviewed for moderation and used to improve our questions (see “Content moderation” below).
  • Feedback — anything you type into the bug / feedback form, plus context (current screen, room code, browser user-agent) so we can reproduce the issue.
  • If you sign in with Google or Apple (optional) — your email address and name. Google also provides a profile picture URL. Apple may provide a relay email address instead of your real one if you choose to hide it. See the section below.
  • If you subscribe (optional) — your subscription status and current period end, plus an opaque customer ID from our payment provider. See “Payments” below.

What we do not collect

  • No email, phone number, or real name unless you sign in with Google or Apple, or put it in your nickname.
  • No advertising trackers, ever. Optional product analytics (PostHog) and error tracking (Sentry) — see below.
  • No location beyond the approximate region your IP reveals to our hosting providers.
  • No payment-card numbers or full billing details — those stay with our payment provider, never with us.

Signing in with Google or Apple (optional)

Spiky never requires an account to play. Sign-in is only used to unlock the Gold Cactus subscription and to remember your subscription state across devices.

Sign in with Google: Google sends us your email address, name, and profile picture URL. We store these in our authentication provider (Supabase Auth) and link them to your anonymous device ID.

Sign in with Apple: Apple sends us your name and either your real email address or an Apple-generated relay address (your choice at sign-in time). We store whichever email Apple provides; we never see your real address if you chose to hide it. We do not receive any other Apple account data.

In both cases the linked identity lets the same Gold Cactus entitlement follow you between devices. You can sign out at any time, or email us to delete your account entirely.

Payments (Gold Cactus)

Gold Cactus subscriptions are available on web, Android, and iOS. The payment processor depends on where you subscribe:

  • Web — processed by Dodo Payments, merchant of record. You enter card details on their hosted checkout. We never see your card number, expiry, CVC, or billing address. From Dodo we receive only: an opaque customer ID, subscription ID, status, and current period end date.
  • Android — processed by Google Play Billing. Payment details are handled entirely by Google. We receive only subscription status and entitlement data via RevenueCat.
  • iOS — processed by Apple in-app purchase. Payment details are handled entirely by Apple. We receive only subscription status and entitlement data via RevenueCat.

In all cases we store only: an opaque customer ID, subscription status (active, canceled, past-due, etc.), and current period end date. These are used solely to grant or revoke Gold Cactus features. Each provider's handling of your payment data is governed by their own privacy policy.

Where the data lives

Game data and subscription metadata live in Supabase, a managed Postgres database. The site is hosted on Vercel. Payment data is held by Dodo Payments (our merchant of record). Each provider sees standard server logs (IP address, timestamps) which they retain on our behalf.

How long we keep it

Rooms, rounds, and the answers, bluffs, and nicknames submitted in them are kept so we can track game history, balance scoring, investigate bug reports, review moderation reports, and improve our questions. For anonymous guests this is essentially anonymous gameplay data; for signed-in players, these submissions may be linked to your account. Deleting your account (from your account page, or by emailing us) removes the data tied to your account, and you can email us to remove a specific room or feedback message.

Cookies and local storage

We store your anonymous device ID, nickname, theme preference, and (if you accept the analytics banner) a PostHog distinct ID in your browser's local storage. We do not use cookies for advertising. Clearing your site data resets every ID and ends any active sessions.

Analytics and error tracking

We use two third-party services for operational visibility:

  • Sentry — application error tracking. Runs on the web and both native apps (Android and iOS use the same Next.js bundle inside a Capacitor wrapper, so Sentry is active in all three). Always on, under the legitimate-interest basis (we need crash reports to keep the game stable). Configured with PII disabled: no IP addresses, no request bodies, no cookies. Only stack traces, the URL or screen that errored, and the app/browser version.
  • PostHog — product analytics (which features are used, where flows break). Web only — not active in the native apps. Off by default on the web; only enabled if you click Accept on the analytics banner. You can revoke by clearing site data. We mask form inputs by default, so nicknames and bluff text are not captured.

Neither service sells data, runs ads, or feeds advertising graphs.

Content moderation

Because the answers, bluffs, and nicknames you submit are shown to other players, we moderate them:

  • Automatic filtering — submissions containing slurs or hard profanity are blocked before they're saved, so you'll be asked to choose something else.
  • Player reporting — players can report an answer or a player they find offensive; reports go to our moderation queue for review.
  • Review & retention — we keep a record of submitted answers, bluffs, and nicknames so we can review reports, enforce the rules, and improve our questions. For signed-in players these submissions may be linked to your account. We may hide content and warn, suspend, or ban accounts that break the rules (see our Terms).

Children

Spiky is intended for general audiences. It does not knowingly collect data from children under 13. If you believe a child has submitted personal information, contact us and we'll remove it.

Your choices

  • Pick any nickname you like — it does not need to be your real name.
  • Clear your browser's local storage (or reinstall the app) to reset your device ID.
  • Delete your account — go to your account page and use the “Delete account” section. This removes your Google-linked profile, subscription record, and any data tied to your account. If you can't sign in (e.g. locked out), email us instead.
  • Email us to request deletion of any feedback or specific room data.
  • Cancel your Gold Cactus subscription at any time from your account page; cancellation stops future renewals immediately.

Contact

Questions, deletion requests, or concerns: support@playspiky.com.

Changes

If we change this policy, we'll update the date at the top. Continued use of Spiky after a change means you accept the updated policy.