Legal

Privacy Policy

Effective date: June 3, 2026

1. Introduction

Atlas Diplomacy (“we,” “us,” or “our”) is an online implementation of the board game Diplomacy, operated at atlasdip.com. This Privacy Policy explains what personal information we collect when you use Atlas Diplomacy, how we use and share it, and the rights and choices available to you.

By creating an account or otherwise using Atlas Diplomacy, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the service.

Where this policy refers to “personal information” or “personal data,” we mean any information that identifies or could reasonably be used to identify you, directly or indirectly.

2. Information We Collect

2.1 Account Information

When you register, we collect:

2.2 Profile Information

You may optionally provide:

2.3 Game Activity Data

We record all gameplay data necessary to operate the game, including:

2.4 In-Game Communications

Atlas Diplomacy supports diplomatic messaging between players. We store:

Message visibility is governed by game type rules (for example, Gunboat games do not permit direct messaging). Messages are retained for the lifetime of the game and a reasonable archive period thereafter.

2.5 Notification Preferences

If you configure notifications, we store:

2.6 Engagement Data

We record limited internal engagement events — such as logging in, submitting orders, viewing a game, reading a message, and opening a notification — in an internal cache (Upstash Redis). These events are retained for 31 days and are used solely to determine whether to send reminder notifications. We do not share this data with third-party analytics services, and it is not used for advertising.

2.7 Automatically Collected Data

Like most web services, our hosting provider (Vercel) and database provider (Supabase) automatically record standard server-side information including IP addresses, browser type, and request timestamps as part of normal infrastructure operations. We do not use this data to profile or track individual users beyond what is necessary for security and operations.

2.8 Fraud-Prevention & Fair-Play Signals

To detect and deter collusion, multi-accounting, and ban evasion in competitive games, we record a small set of association signals when you join a game:

These signals are derived server-side from standard request headers — we do not run a browser-based fingerprinting script and do not track you across other websites. They are used solely to surface possible links between accounts to our moderation team for human review; they are never used for advertising or profiling beyond fair-play enforcement, and they never automatically penalize an account. A shared network or device signal is treated only as weak, correlational evidence. This processing is carried out under our legitimate interest in keeping ranked play fair (Art. 6(1)(f) GDPR).

3. How We Use Your Information

Purpose | Legal Basis (GDPR)
Providing and operating the game | Performance of a contract (Art. 6(1)(b))
Authenticating your account and maintaining sessions | Performance of a contract (Art. 6(1)(b))
Delivering in-app, email, and Discord notifications | Your consent (Art. 6(1)(a)) — opt-in only
Calculating and displaying ELO ratings and career statistics | Performance of a contract / Legitimate interests (Art. 6(1)(f))
Displaying your username and stats on the public leaderboard | Legitimate interests (Art. 6(1)(f))
Determining whether to send turn-reminder notifications (engagement events) | Legitimate interests (Art. 6(1)(f))
Preventing abuse and enforcing community rules | Legitimate interests (Art. 6(1)(f))
Detecting collusion, multi-accounting, and ban evasion (fraud-prevention signals) | Legitimate interests (Art. 6(1)(f))
Diagnosing technical issues and ensuring service reliability | Legitimate interests (Art. 6(1)(f))
Complying with legal obligations | Legal obligation (Art. 6(1)(c))

We do not sell your personal information. We do not use your data for behavioral advertising or share it with advertising networks.

4. Public Information

The following information is visible to anyone who visits Atlas Diplomacy, including unauthenticated visitors:

If you wish to remove this information from public view, please contact us as described in Section 13.

5. Information Shared with Third Parties

We share personal information only with service providers necessary to operate Atlas Diplomacy, and only to the extent required for their specific function. These providers are contractually prohibited from using your data for their own marketing purposes.

Provider | Role | Data Shared
Supabase (US) | Database & authentication | All user accounts, profiles, game data, messages, notifications, and notification preferences
Vercel (US) | Application hosting & CDN | All application traffic (including IP addresses processed in transit)
Resend (US) | Transactional email delivery | Your notification email address and the content of notification emails
Discord (US) | Optional notification & message routing | Your Discord User ID and notification / diplomatic cable content — only if you opt in
Upstash / Redis (US) | Caching & task scheduling | Internal engagement events, Discord routing context, and in-game session mappings
Upstash QStash (US) | Background job scheduling | Game phase advancement triggers — no personal data

We may also disclose personal information: (a) if required by law or legal process; (b) to protect the rights, property, or safety of Atlas Diplomacy, our users, or others; or (c) in connection with a merger, acquisition, or sale of assets, in which case we will notify you via the email on your account or a prominent in-app notice.

6. International Data Transfers

Atlas Diplomacy is operated in the United States. All third-party service providers listed in Section 5 are headquartered or process data in the United States. If you access Atlas Diplomacy from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.

We rely on the following transfer mechanisms where required by GDPR:

By using Atlas Diplomacy, you acknowledge that your data will be processed in the United States, where data protection laws may differ from those in your home jurisdiction.

7. Data Retention

Category | Retention Period
Account and profile data | Until you delete your account
Game records and outcomes | Indefinitely — game history and ELO ratings are a core feature of the service
In-game messages | Duration of the game plus a reasonable archive period
Notification preferences and delivery logs | Until you delete your account or update your settings
Fraud-prevention / fair-play signals (salted IP hash, coarse geolocation, user-agent hash) | 180 days (auto-purged)
Engagement events (Redis) | 31 days (auto-purged)
Discord routing context (Redis) | 72 hours (auto-purged)
Server access logs (Vercel / Supabase) | As governed by each provider's standard retention policy

When you delete your account, we will delete or anonymize your personal data within a reasonable period, except where we are required to retain it by law or where it is necessary to maintain the integrity of completed game records for other participants.

8. Security

We implement reasonable technical and organizational measures to protect your personal information, including:

No method of transmission over the internet is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately.

9. Cookies and Similar Technologies

We use a single first-party session cookie to keep you logged in:

Cookie | Purpose | Duration
sb-*-auth-token | Supabase authentication session token — keeps you signed in | Session / rolling expiry

We do not use advertising cookies, tracking pixels, third-party analytics (e.g., Google Analytics, Mixpanel), session-replay tools, or client-side fingerprinting scripts. We do not use cookies to track you across other websites. The server-side fraud-prevention signals described in Section 2.8 (a salted IP hash, coarse geolocation, and a user-agent hash) are derived from standard request headers rather than from a browser script, and are used solely for fair-play enforcement.

Because we use only a strictly necessary authentication cookie, no cookie consent banner is required under the ePrivacy Directive for the session cookie itself. If you disable cookies in your browser, you will not be able to stay logged in.

10. Rights for EEA, UK & Swiss Users (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or applicable national data protection law:

Right of Access (Art. 15)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

Right to Rectification (Art. 16)

You have the right to ask us to correct inaccurate or incomplete personal data.

Right to Erasure / “Right to be Forgotten” (Art. 17)

You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent (and there is no other legal basis), or where you object and we have no overriding legitimate interest. Note that anonymized game records (e.g., aggregate statistics with your username removed) may be retained to preserve the integrity of completed game history for other participants.

Right to Restriction of Processing (Art. 18)

You have the right to ask us to restrict processing of your personal data in certain circumstances, for example while we verify a correction request.

Right to Data Portability (Art. 20)

You have the right to receive a copy of the personal data you provided to us in a structured, machine-readable format, and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.

Right to Object (Art. 21)

You have the right to object to processing based on our legitimate interests (Art. 6(1)(f)). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or processing is necessary for the establishment, exercise, or defence of legal claims.

Rights Related to Automated Decision-Making (Art. 22)

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. ELO ratings are calculated algorithmically but do not produce legal effects — they are informational game statistics.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on your consent (email and Discord notifications), you may withdraw that consent at any time in your account settings. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with your national data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, please contact us as described in Section 13. We will respond within 30 days (extendable by two further months for complex requests, with notice).

11. Rights for California Users (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information.

Categories of Personal Information Collected

In the preceding 12 months we have collected the following categories of personal information as defined by the CCPA:

Category | Examples | Collected?
Identifiers | Email address, username, IP address (server logs), salted IP hash and user-agent hash (fraud prevention) | Yes
Personal information (Cal. Civ. Code §1798.80(e)) | Name (username), email address | Yes
Protected classification characteristics | None | No
Commercial information | None | No
Biometric information | None | No
Internet or network activity | Engagement events (orders submitted, game views, notification opens) | Yes
Geolocation data | Coarse country/region/city derived at game join for fraud prevention (no precise/GPS location) | Yes
Sensory data | Profile avatar image (if uploaded) | Yes (optional)
Professional or employment information | None | No
Non-public education information | None | No
Inferences drawn from personal information | None — ELO ratings are game statistics derived from game results you participated in, not profiling inferences | No
Sensitive personal information | Account log-in credentials (hashed); Discord User ID (if opted in) | Yes

Sources of Personal Information

Business Purposes for Collection

We collect personal information for the purposes described in Section 3 above, including:

Sale or Sharing of Personal Information

We do not sell your personal information and have not done so in the preceding 12 months. We do not share personal information with third parties for cross-context behavioral advertising. Accordingly, we do not offer an opt-out of sale or sharing because no such sale or sharing occurs.

Disclosure of Sensitive Personal Information

We use sensitive personal information only as necessary to provide the service, and do not use or disclose it for any purpose not permitted under Cal. Civ. Code § 1798.121. We do not offer a “Limit the Use of My Sensitive Personal Information” opt-out because our use is already restricted to permitted service-provision purposes.

Your California Rights

Submitting a Request

To submit a verifiable consumer request, contact us at the address in Section 13. We will verify your identity before fulfilling your request (typically by confirming access to the email address on your account). We will respond within 45 days; we may extend this by an additional 45 days with prior notice.

You may designate an authorized agent to submit a request on your behalf by providing written authorization or power of attorney. We may require the agent to verify their identity and your authorization before processing the request.

Notice at Collection

This Privacy Policy constitutes our notice at collection. Personal information is collected at the point of account registration, profile update, game participation, and notification opt-in, as described in Section 2.

12. Children

Atlas Diplomacy is not directed at children under 13 (or under 16 for users in the EEA where applicable law requires a higher age for consent to data processing). We do not knowingly collect personal information from children below the applicable minimum age. If you believe a child has created an account, please contact us and we will delete it promptly.

13. Contact

For questions about this Privacy Policy, to exercise your rights, or to report a concern, please contact us at:

Atlas Diplomacy

Email: privacy@atlasdiplomacy.com

We will acknowledge your request within 5 business days and respond fully within the timeframes specified in the relevant sections above.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post a notice within the Atlas Diplomacy application and update the effective date at the top of this page. For significant changes affecting how we use your personal information, we will also notify you by email where we hold a valid email address for your account.

Continued use of Atlas Diplomacy after the revised policy takes effect constitutes your acknowledgment of the changes. If you do not agree to the revised policy, please discontinue use of the service and contact us to delete your account.

Last reviewed: June 3, 2026 — Atlas Diplomacy