Privacy Policy

Last updated: February 2026

What We Collect and Why

When you sign in with Google or Discord, we receive your display name, email address, and avatar. This information is stored securely in Supabase Auth and is used solely for login and displaying your profile. We don't sell or share your personal data with anyone.

Your Content

Combos, comments, and likes you create are stored in our database (Supabase PostgreSQL). This is user-generated content that you control — you can edit or delete it at any time through your profile.

Card Data

Card images and game data come from the TakaOtaku GitHub repository as static JSON files fetched directly by your browser. ComboForge does not send any user data to TakaOtaku — no API keys, no tracking, no personal information is transmitted.

Analytics

We use two Vercel products to understand how ComboForge is used:

Vercel Web Analytics — tracks page views, referrers, and visitor counts so we know which pages are popular
Vercel Speed Insights — measures performance metrics like page load times (Core Web Vitals) so we can keep the app fast

Both are anonymous, aggregated, and completely cookie-free. No personal data is collected, no tracking cookies are set, and they're fully compliant with GDPR without requiring consent.

Cookies and Local Storage

ComboForge does not use tracking cookies. We use localStorage for preferences like your cookie consent state and cached card data. Supabase Auth uses secure httpOnly cookies for session management — these are essential for keeping you logged in.

Third-Party Services

We rely on a small number of trusted services:

Supabase (database, authentication) — processes your account and content data
Vercel (hosting, analytics, performance monitoring) — serves the app, collects anonymous analytics, and measures performance
TakaOtaku GitHub (card data) — static data fetched by your browser, no user data sent

Your Rights (GDPR)

You have full control over your data. Here's what you can do:

Access: View all your data through your profile
Deletion: Delete your combos and comments anytime; account deletion is available on request
Portability: Contact us for a full data export

We process your data under legitimate interest (account management) and consent (when you choose to sign in via OAuth).

Data Retention

Active accounts: Your data is retained while your account exists
Deleted content: Soft-deleted (marked as removed) and permanently purged periodically
Account deletion: All associated data is removed

Contact

Questions about your data? Reach us at privacy@comboforge.app.

Changes

We may update this policy as ComboForge evolves. Any changes will be reflected in the “Last updated” date at the top of this page.

Analytics

We use two Vercel products to understand how ComboForge is used:

Vercel Web Analytics — tracks page views, referrers, and visitor counts so we know which pages are popular

Vercel Speed Insights — measures performance metrics like page load times (Core Web Vitals) so we can keep the app fast

Both are anonymous, aggregated, and completely cookie-free. No personal data is collected, no tracking cookies are set, and they're fully compliant with GDPR without requiring consent.

Third-Party Services

We rely on a small number of trusted services:

Supabase (database, authentication) — processes your account and content data

Vercel (hosting, analytics, performance monitoring) — serves the app, collects anonymous analytics, and measures performance

TakaOtaku GitHub (card data) — static data fetched by your browser, no user data sent

Your Rights (GDPR)

You have full control over your data. Here's what you can do:

Access: View all your data through your profile

Deletion: Delete your combos and comments anytime; account deletion is available on request

Portability: Contact us for a full data export

We process your data under legitimate interest (account management) and consent (when you choose to sign in via OAuth).