Legal
Effective date: June 3, 2026
Atlas Diplomacy (“we,” “us,” or “our”) is an online implementation of the board game Diplomacy, operated at atlasdip.com. This Privacy Policy explains what personal information we collect when you use Atlas Diplomacy, how we use and share it, and the rights and choices available to you.
By creating an account or otherwise using Atlas Diplomacy, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the service.
Where this policy refers to “personal information” or “personal data,” we mean any information that identifies or could reasonably be used to identify you, directly or indirectly.
When you register, we collect:
You may optionally provide:
We record all gameplay data necessary to operate the game, including:
Atlas Diplomacy supports diplomatic messaging between players. We store:
Message visibility is governed by game type rules (for example, Gunboat games do not permit direct messaging). Messages are retained for the lifetime of the game and a reasonable archive period thereafter.
If you configure notifications, we store:
We record limited internal engagement events — such as logging in, submitting orders, viewing a game, reading a message, and opening a notification — in an internal cache (Upstash Redis). These events are retained for 31 days and are used solely to determine whether to send reminder notifications. We do not share this data with third-party analytics services, and it is not used for advertising.
Like most web services, our hosting provider (Vercel) and database provider (Supabase) automatically record standard server-side information including IP addresses, browser type, and request timestamps as part of normal infrastructure operations. We do not use this data to profile or track individual users beyond what is necessary for security and operations.
To detect and deter collusion, multi-accounting, and ban evasion in competitive games, we record a small set of association signals when you join a game:
These signals are derived server-side from standard request headers — we do not run a browser-based fingerprinting script and do not track you across other websites. They are used solely to surface possible links between accounts to our moderation team for human review; they are never used for advertising or profiling beyond fair-play enforcement, and they never automatically penalize an account. A shared network or device signal is treated only as weak, correlational evidence. This processing is carried out under our legitimate interest in keeping ranked play fair (Art. 6(1)(f) GDPR).
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the game | Performance of a contract (Art. 6(1)(b)) |
| Authenticating your account and maintaining sessions | Performance of a contract (Art. 6(1)(b)) |
| Delivering in-app, email, and Discord notifications | Your consent (Art. 6(1)(a)) — opt-in only |
| Calculating and displaying ELO ratings and career statistics | Performance of a contract / Legitimate interests (Art. 6(1)(f)) |
| Displaying your username and stats on the public leaderboard | Legitimate interests (Art. 6(1)(f)) |
| Determining whether to send turn-reminder notifications (engagement events) | Legitimate interests (Art. 6(1)(f)) |
| Preventing abuse and enforcing community rules | Legitimate interests (Art. 6(1)(f)) |
| Detecting collusion, multi-accounting, and ban evasion (fraud-prevention signals) | Legitimate interests (Art. 6(1)(f)) |
| Diagnosing technical issues and ensuring service reliability | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not sell your personal information. We do not use your data for behavioral advertising or share it with advertising networks.
The following information is visible to anyone who visits Atlas Diplomacy, including unauthenticated visitors:
If you wish to remove this information from public view, please contact us as described in Section 13.
We share personal information only with service providers necessary to operate Atlas Diplomacy, and only to the extent required for their specific function. These providers are contractually prohibited from using your data for their own marketing purposes.
| Provider | Role | Data Shared |
|---|---|---|
| Supabase (US) | Database & authentication | All user accounts, profiles, game data, messages, notifications, and notification preferences |
| Vercel (US) | Application hosting & CDN | All application traffic (including IP addresses processed in transit) |
| Resend (US) | Transactional email delivery | Your notification email address and the content of notification emails |
| Discord (US) | Optional notification & message routing | Your Discord User ID and notification / diplomatic cable content — only if you opt in |
| Upstash / Redis (US) | Caching & task scheduling | Internal engagement events, Discord routing context, and in-game session mappings |
| Upstash QStash (US) | Background job scheduling | Game phase advancement triggers — no personal data |
We may also disclose personal information: (a) if required by law or legal process; (b) to protect the rights, property, or safety of Atlas Diplomacy, our users, or others; or (c) in connection with a merger, acquisition, or sale of assets, in which case we will notify you via the email on your account or a prominent in-app notice.
Atlas Diplomacy is operated in the United States. All third-party service providers listed in Section 5 are headquartered or process data in the United States. If you access Atlas Diplomacy from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.
We rely on the following transfer mechanisms where required by GDPR:
By using Atlas Diplomacy, you acknowledge that your data will be processed in the United States, where data protection laws may differ from those in your home jurisdiction.
| Category | Retention Period |
|---|---|
| Account and profile data | Until you delete your account |
| Game records and outcomes | Indefinitely — game history and ELO ratings are a core feature of the service |
| In-game messages | Duration of the game plus a reasonable archive period |
| Notification preferences and delivery logs | Until you delete your account or update your settings |
| Fraud-prevention / fair-play signals (salted IP hash, coarse geolocation, user-agent hash) | 180 days (auto-purged) |
| Engagement events (Redis) | 31 days (auto-purged) |
| Discord routing context (Redis) | 72 hours (auto-purged) |
| Server access logs (Vercel / Supabase) | As governed by each provider's standard retention policy |
When you delete your account, we will delete or anonymize your personal data within a reasonable period, except where we are required to retain it by law or where it is necessary to maintain the integrity of completed game records for other participants.
We implement reasonable technical and organizational measures to protect your personal information, including:
No method of transmission over the internet is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately.
We use a single first-party session cookie to keep you logged in:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-*-auth-token | Supabase authentication session token — keeps you signed in | Session / rolling expiry |
We do not use advertising cookies, tracking pixels, third-party analytics (e.g., Google Analytics, Mixpanel), session-replay tools, or client-side fingerprinting scripts. We do not use cookies to track you across other websites. The server-side fraud-prevention signals described in Section 2.8 (a salted IP hash, coarse geolocation, and a user-agent hash) are derived from standard request headers rather than from a browser script, and are used solely for fair-play enforcement.
Because we use only a strictly necessary authentication cookie, no cookie consent banner is required under the ePrivacy Directive for the session cookie itself. If you disable cookies in your browser, you will not be able to stay logged in.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or applicable national data protection law:
You have the right to request a copy of the personal data we hold about you and information about how we process it.
You have the right to ask us to correct inaccurate or incomplete personal data.
You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent (and there is no other legal basis), or where you object and we have no overriding legitimate interest. Note that anonymized game records (e.g., aggregate statistics with your username removed) may be retained to preserve the integrity of completed game history for other participants.
You have the right to ask us to restrict processing of your personal data in certain circumstances, for example while we verify a correction request.
You have the right to receive a copy of the personal data you provided to us in a structured, machine-readable format, and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
You have the right to object to processing based on our legitimate interests (Art. 6(1)(f)). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or processing is necessary for the establishment, exercise, or defence of legal claims.
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. ELO ratings are calculated algorithmically but do not produce legal effects — they are informational game statistics.
Where processing is based on your consent (email and Discord notifications), you may withdraw that consent at any time in your account settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
You have the right to lodge a complaint with your national data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, please contact us as described in Section 13. We will respond within 30 days (extendable by two further months for complex requests, with notice).
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information.
In the preceding 12 months we have collected the following categories of personal information as defined by the CCPA:
| Category | Examples | Collected? |
|---|---|---|
| Identifiers | Email address, username, IP address (server logs), salted IP hash and user-agent hash (fraud prevention) | Yes |
| Personal information (Cal. Civ. Code §1798.80(e)) | Name (username), email address | Yes |
| Protected classification characteristics | None | No |
| Commercial information | None | No |
| Biometric information | None | No |
| Internet or network activity | Engagement events (orders submitted, game views, notification opens) | Yes |
| Geolocation data | Coarse country/region/city derived at game join for fraud prevention (no precise/GPS location) | Yes |
| Sensory data | Profile avatar image (if uploaded) | Yes (optional) |
| Professional or employment information | None | No |
| Non-public education information | None | No |
| Inferences drawn from personal information | None — ELO ratings are game statistics derived from game results you participated in, not profiling inferences | No |
| Sensitive personal information | Account log-in credentials (hashed); Discord User ID (if opted in) | Yes |
We collect personal information for the purposes described in Section 3 above, including:
We do not sell your personal information and have not done so in the preceding 12 months. We do not share personal information with third parties for cross-context behavioral advertising. Accordingly, we do not offer an opt-out of sale or sharing because no such sale or sharing occurs.
We use sensitive personal information only as necessary to provide the service, and do not use or disclose it for any purpose not permitted under Cal. Civ. Code § 1798.121. We do not offer a “Limit the Use of My Sensitive Personal Information” opt-out because our use is already restricted to permitted service-provision purposes.
To submit a verifiable consumer request, contact us at the address in Section 13. We will verify your identity before fulfilling your request (typically by confirming access to the email address on your account). We will respond within 45 days; we may extend this by an additional 45 days with prior notice.
You may designate an authorized agent to submit a request on your behalf by providing written authorization or power of attorney. We may require the agent to verify their identity and your authorization before processing the request.
This Privacy Policy constitutes our notice at collection. Personal information is collected at the point of account registration, profile update, game participation, and notification opt-in, as described in Section 2.
Atlas Diplomacy is not directed at children under 13 (or under 16 for users in the EEA where applicable law requires a higher age for consent to data processing). We do not knowingly collect personal information from children below the applicable minimum age. If you believe a child has created an account, please contact us and we will delete it promptly.
For questions about this Privacy Policy, to exercise your rights, or to report a concern, please contact us at:
Atlas Diplomacy
Email: privacy@atlasdiplomacy.com
We will acknowledge your request within 5 business days and respond fully within the timeframes specified in the relevant sections above.
We may update this Privacy Policy from time to time. When we make material changes, we will post a notice within the Atlas Diplomacy application and update the effective date at the top of this page. For significant changes affecting how we use your personal information, we will also notify you by email where we hold a valid email address for your account.
Continued use of Atlas Diplomacy after the revised policy takes effect constitutes your acknowledgment of the changes. If you do not agree to the revised policy, please discontinue use of the service and contact us to delete your account.
Last reviewed: June 3, 2026 — Atlas Diplomacy