Rug'd — Privacy Policy
1. Who we are
Rug'd ("Rug'd," "we," "us," or "our") is a crypto-native trading card game currently in a closed prototype testing phase. This Privacy Policy explains what personal information we collect, why we collect it, how we use and store it, and the rights you have over it.
Rug'd is operated by Michael Cooney, an individual operating Rug'd as a sole proprietor (a limited liability company may be formed in the future, at which point this policy will be updated to name it). The operator is based in the State of Florida, United States. Because our testers may be located anywhere in the world, this policy is written to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), among other applicable laws.
Contact for privacy questions: lotene@playrugd.com
2. The short version
- We collect the minimum we need to run a closed game test: your email and sign-in identity, basic gameplay data, and standard technical logs.
- We do not sell your personal information.
- The in-game currency ($tRUGD) is a test-only token with no monetary value and is not a financial product.
- You can ask us to delete your data at any time.
- We keep test data only through the testing period and delete it when the test concludes, unless you ask us to delete it sooner.
The sections below give the full detail.
3. What we collect and why
3.1 Information you provide directly
| What | Where it's collected | Why |
|---|---|---|
| Email address | Sign-up / sign-in (via Clerk); marketing email capture on our website (via Loops) | To create and secure your account; to send playtest and launch updates if you opt in |
| Display name / handle | In-game, chosen by you | To identify you to other players during matches |
| Feedback text | Game Over feedback box and other in-game prompts | To improve the game; in-game rewards (test-only $tRUGD/XP) may be granted for feedback |
3.2 Information created as you play
As you use Rug'd, we generate gameplay and progression data tied to your account. This is stored in our database (Supabase) and includes:
- Account and access records — your player record and whether your account is approved for the closed playtest.
- Game session data — records of matches played, outcomes, and related gameplay events.
- In-game economy data — your $tRUGD test-currency balance, amounts earned and withdrawn, and related ledger entries. $tRUGD is a test-only in-game token. It has no real-world or monetary value, cannot be purchased, cashed out, or exchanged, and is not a security, investment, or financial product of any kind.
- Progression data — experience points (XP), day and win streak counters, your derived "Degen Score," and related progression metrics.
3.3 Information collected automatically
When you connect to our game server or load our sites, our systems automatically receive standard technical information, including your IP address and browser/device user-agent string. This appears in our server logs (hosted on Railway) and is used for operating the service, diagnosing problems, maintaining security, and preventing abuse.
We have reviewed our server logs and confirmed they do not record authentication tokens, session tokens, secret keys, or email addresses. Operational logs identify players only by ephemeral connection IDs and by the pseudonymous display name (handle) you choose.
3.4 Cookies and similar technologies
Our game app uses only the cookies and local storage strictly necessary to operate the service and keep you signed in (for example, session cookies set by our authentication provider, Clerk).
Our marketing website (playrugd.com) sets no cookies and runs no analytics. The only information it collects is the email address you choose to enter in its sign-up field, which is processed server-side (via Loops) so that we can send you playtest and launch updates.
If we introduce any non-essential cookies or analytics in the future, we will update this section to identify them and, where required by law (such as in the EU/UK), request your consent before setting them.
3.5 AI-generated content feature
Rug'd includes a feature that can generate written reports or summaries from in-game data. When you use it, the relevant game data is sent to a third-party AI provider (Anthropic) to generate the output. This request is made by our own server; your authentication details are not shared with the AI provider, and the feature does not send your email or account identity. We do not use this feature to process special-category personal data.
3.6 Discord (planned, not yet active)
If we later add the option to sign in or link your account with Discord, we will collect your Discord identity (such as your Discord user ID and username) for the purpose of account linking and community features. This policy will be updated before any such feature goes live, and Discord's own privacy policy will also apply.
4. Third-party services that process your data
We rely on a small set of reputable service providers ("processors") to run Rug'd. Each processes data on our behalf for the purposes described above:
| Provider | Role | What it handles |
|---|---|---|
| Clerk | Authentication | Email, sign-in identity, session management |
| Supabase | Database & file storage | Account, gameplay, economy, progression data; uploaded game assets |
| Railway | Server hosting | Runs the game server; processes IP/user-agent in operational logs |
| Vercel | Site/app hosting | Serves the game app and website; standard request logs |
| Loops | Sends playtest and launch emails to addresses on our list | |
| Anthropic | AI processing | Generates report content from in-game data on request (see §3.5) |
Each provider maintains its own security and privacy practices. We do not sell your data to any of these providers or to anyone else.
5. Legal basis for processing (GDPR / UK GDPR)
If you are in the EU or UK, we process your personal data on the following bases:
- Performance of a contract / to provide the service — to create your account, run matches, and operate the game you've asked to test.
- Legitimate interests — to secure the service, prevent abuse, diagnose technical problems, and improve the game during testing. We balance these interests against your rights and limit collection to what is necessary.
- Consent — for optional marketing emails. You may withdraw consent at any time.
6. Your rights
Depending on where you live, you have some or all of the following rights over your personal data:
- Access — request a copy of the data we hold about you.
- Correction — ask us to correct inaccurate data.
- Deletion — ask us to delete your data ("right to be forgotten").
- Restriction / objection — ask us to limit or stop certain processing.
- Portability — request your data in a portable format.
- Withdraw consent — opt out of marketing or non-essential processing at any time.
For California residents (CCPA)
You have the right to know what personal information we collect and how we use it, the right to request deletion, and the right not to be discriminated against for exercising your rights. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
To exercise any right, email us at lotene@playrugd.com. We will respond within the timeframe required by applicable law. We may need to verify your identity before acting on a request.
7. How long we keep your data
Because Rug'd is in a closed testing phase, we keep your personal data for the duration of the playtest and delete or anonymize it when the testing program concludes, unless:
- you ask us to delete it sooner (we will honor deletion requests promptly), or
- we are required to retain certain records longer to meet a legal obligation.
Marketing email subscriptions are kept until you unsubscribe.
Operational logs are separate from your stored account data and are kept only briefly: server logs on Railway are retained for approximately 7 days, and runtime logs on Vercel for approximately 1 day, before being rotated out. These logs are operational telemetry (such as connection events and request diagnostics), not the store of your account or gameplay data — that data lives in our database (Supabase) and is governed by the retention rule above.
8. How we protect your data
We take reasonable technical and organizational measures to protect your information, in proportion to its sensitivity and our prototype scale, including:
- Encrypted connections (HTTPS/TLS) for all traffic to our sites and game server, with hardened security headers in place.
- Dedicated authentication handled by a specialist provider (Clerk). Access to the closed playtest is gated by an approved-tester allowlist, enforced server-side.
- Database access controls. Every table in our database has row-level security enabled, and all sensitive reads and writes are mediated by our server after verifying your identity. The browser application has no privileged write access to player data.
- Privileged credentials held server-side only. Secret keys and privileged database credentials live on our server and are never exposed to the browser.
- Pre-testing hardening. Security headers, server-log hygiene, and an application-security review were completed as part of preparing for the playtest.
No system is perfectly secure, and we cannot guarantee absolute security, but we work to protect your data appropriately for a prototype of this scale.
9. International data transfers
We operate from the United States and use service providers that may store or process data in various regions. Our primary database (Supabase) is hosted in the United States (the us-west-2 region). Where data is transferred out of the EU/UK, we rely on appropriate safeguards (such as our providers' standard contractual clauses or equivalent mechanisms) to protect it.
10. Children's privacy
Rug'd is not directed to children. You must be at least 18 years old (or the age of majority in your jurisdiction) to create an account and participate in the playtest. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it.
11. Changes to this policy
We may update this Privacy Policy as the project evolves (for example, when new features such as Discord linking go live, or when the operating entity changes). We will post the updated version with a new "Last updated" date, and where changes are significant we will take reasonable steps to notify testers.
12. Contact
Questions, requests, or concerns about your privacy or this policy:
lotene@playrugd.com