Privacy Policy
Last updated: 2026-05-10
This policy describes what data Big 2 collects when you use bigtwo.online, why we collect it, who we share it with, and the rights you have over your data.
1. Who we are
Big 2 (bigtwo.online) is a free multiplayer card game operated from California, United States.
For the purposes of GDPR, UK GDPR, and similar laws, the operator named above is the data controller for personal data processed via this site. The contact for any privacy question or request is [email protected].
2. What we collect
Anonymous play (no account): we generate a random UUID stored in your browser's localStorage to identify your device across game sessions. We do not collect your name, email, or any account-linked data when you play anonymously.
Account data (if you sign in): your email address, the OAuth provider identifier from Google or Discord (if you used social sign-in), the display name you choose, the timestamp at which you accepted these terms, and the date your account was created or last modified.
Gameplay and technical data: room codes, in-game actions, connection events, browser locale, and IP addresses. IP addresses are collected automatically by our infrastructure providers (Cloudflare, Netlify, PartyKit) for fraud prevention, abuse detection, and DDoS protection. We do not store IPs in our application database.
Cookies and similar technologies: a strictly necessary cookie for your authentication session (set by Supabase when you sign in), analytics cookies set by Google Analytics, and advertising cookies set by Google AdSense and its certified advertising partners to serve and measure ads. Non-essential cookies are gated by consent where local law requires it.
3. How we use your data
We use your account data to authenticate you, render your profile, sync your game progress, and (if you purchase a cosmetic item in the future) tie purchases to your account so you keep what you paid for. We use gameplay and technical data to operate the multiplayer service and prevent abuse.
We do not sell your personal data and we do not use your data to train machine learning models. To keep the game free we display ads served by Google AdSense; Google and its certified advertising partners use cookies and similar identifiers to serve and measure those ads, and may use this information to personalise ads you see across the web. See the AdSense entry below for details and links to opt out.
4. Legal basis for processing (EU/UK)
Where GDPR applies, our legal bases are: (a) performance of a contract with you when you sign in or make a purchase; (b) our legitimate interests in operating a secure, working game (fraud prevention, debugging, abuse mitigation); and (c) your consent for any non-essential analytics cookies, which you can withdraw at any time.
When you have given consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
5. Service providers we use
We use the following third-party services to run Big 2. Each receives only the data necessary for its function and is bound by its own privacy terms.
Supabase — authentication and database hosting. Stores your account row, session cookies, and any data you save through your profile. Privacy: supabase.com/privacy.
PartyKit (Cloudflare Workers) — real-time multiplayer game server. Receives gameplay events, player IDs, and IPs (for connection management). Privacy: cloudflare.com/privacypolicy.
Netlify — Next.js application hosting. Receives request logs including IP, user agent, and URL. Privacy: netlify.com/privacy.
Cloudflare — DNS, CDN, and bot protection in front of the site. Receives IPs and request metadata. Privacy: cloudflare.com/privacypolicy.
Google (Sign in with Google) — only if you choose to sign in with Google. Google receives a sign-in request and returns your email and a stable identifier. Privacy: policies.google.com/privacy.
Discord (Sign in with Discord) — only if you choose to sign in with Discord. Discord receives a sign-in request and returns your email and a stable identifier. Privacy: discord.com/privacy.
Google Analytics 4 — anonymised usage analytics (page views, browser, and location at the country or city level, not address). IPs are anonymised before storage. Privacy: policies.google.com/privacy.
Google AdSense — displays advertisements on the site to support free play. Google and its certified third-party advertising partners use cookies, device identifiers, and similar technologies to serve, personalise, and measure ads, and may combine this with information you have provided to other Google services. You can review Google's use of advertising cookies at policies.google.com/technologies/ads, opt out of personalised advertising via Google's Ads Settings (adssettings.google.com), and opt out of third-party personalised advertising at youradchoices.com (US) or youronlinechoices.eu (EU/UK). Privacy: policies.google.com/privacy.
Ko-fi — optional donation widget. Loaded from Ko-fi's CDN; only triggers data exchange when you actively click it. Privacy: ko-fi.com/privacy.
6. International data transfers
Our service providers are mostly based in the United States. If you access Big 2 from the European Economic Area, the United Kingdom, or other regions with data-localisation rules, your data will be transferred to and processed in the United States. We rely on the Standard Contractual Clauses and equivalent mechanisms published by our providers (Supabase, Netlify, Cloudflare, Google) to lawfully transfer this data.
7. How long we keep your data
We keep account data for as long as your account exists. When you delete your account, we soft-delete the row immediately (your email is removed and login is disabled), and we hard-delete it within 30 days unless we are required to retain a minimal record for legal or financial reasons (for example, transaction records related to a purchase, which tax law typically requires us to keep for several years).
Gameplay logs and analytics events are retained for a maximum of 14 months and then deleted or aggregated.
8. Your rights
Depending on where you live, you have some or all of the following rights over your personal data:
Right to access — request a copy of the personal data we hold about you. If you create an account, you'll be able to self-serve via the 'Download my data' button in your profile. Anonymous players have no account-linked data on file.
Right to erasure — delete your account and the associated data. If you create an account, you'll be able to self-serve via the 'Delete account' button in your profile. If you played anonymously, we hold no account-linked data to delete; you can clear the random device ID we generated by clearing your browser's site data for bigtwo.online.
Right to portability — receive your data in a machine-readable format. If you create an account, the 'Download my data' button will return JSON. Anonymous players have no account-linked data to export.
Right to rectification — correct inaccurate personal data. If you create an account, you can edit your display name in your profile. To request other corrections, email us.
Right to object / restrict processing — ask us to stop or limit certain processing.
Right to complain — contact your local data-protection authority. Examples: ICO (UK), CNIL (France), Datenschutzbehörde (Austria), Ministry of Digital Affairs (Taiwan).
To exercise any of these rights, email [email protected]. We will respond within 30 days. We will never charge you for exercising your rights and will not require ID beyond what is necessary to verify the request.
9. Children's privacy
Big 2 is not directed at children under 13. When you create an account, we ask you to confirm you are at least 13 years old. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, contact [email protected] and we will delete it.
10. Security
We rely on Supabase, Netlify, and Cloudflare for industry-standard transport encryption (TLS), at-rest encryption of databases, and access controls. No system is perfectly secure, and we cannot guarantee against every conceivable breach, but in the event of a personal-data breach affecting you we will notify you and the relevant supervisory authority as required by law.
11. Changes to this policy
We may update this policy as the service evolves (for example, when we add Stripe for purchases). When we make material changes, we will update the 'Last updated' date at the top of this page and, for substantial changes, notify you in-app or by email at least 14 days before the change takes effect.
12. Contact
Privacy questions, deletion requests, or anything else: [email protected].