Privacy Policy

PAUSO Online · Last revised 2026-05

This page explains what data PAUSO Online collects, why we collect it, how long we keep it, and how you can see, change, or delete it. It's written in plain English on purpose — if something is unclear, email us and we'll fix the wording.

The short version. We collect the bare minimum needed to run the game (your display name, match results, basic activity), we never sell your data, and you can request a full account delete from your profile page. Hard-delete completes within 30 days.

1. Who runs PAUSO Online

PAUSO Online (the "Service") is operated by PAUSO LTD, a private limited company registered in England & Wales. Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. PAUSO LTD is the data controller for the personal data described in this policy.

Contact us at hello@pauso.world with privacy questions, data-access requests, or complaints. Under UK GDPR you also have the right to complain to the Information Commissioner's Office (ICO) .

We are not required to appoint a Data Protection Officer under Article 37 UK GDPR: our processing is not large-scale, does not involve special-category data, and is not based on regular and systematic monitoring of data subjects. For data-protection questions, contact the address above.

2. What we collect

The Service has two account flavours, and the data we hold is different for each.

2.1 Guest accounts (no sign-in)

A randomly generated guest token (a UUID stored in your browser's localStorage). This is the only thing tying multiple play sessions together.
A server-generated display name (a random adjective + colour pair, e.g. "Astute Apricot") shown to opponents during matches.
Match results: scores, mode played, Aura rating, win / loss / tie counts.
Aura ledger — occasional signed entries (e.g. account migration or guest→sign-in reset), not per-match rating changes. Match results store Elo/Aura on your profile and match-history rows instead.
Game-chain session data — for elimination tournaments (Royale and similar), a participants list tying each chain round to your account so the bracket can render across rounds.
Match replays — every finalised PvP match stores a compressed move list with a short public share link (`/r/<id>`). Replays follow the same 365-day retention as match history. You can copy the long-form replay URL from your browser after opening a match; that link is not stored on our servers and can be kept indefinitely offline.
Basic activity timestamps (last seen, sessions started) used to compute aggregate analytics. We don't retain per-session location or IP beyond the request itself (Cloudflare may log requests at their edge per their policy — we don't query those logs).

2.2 Signed-in accounts (Clerk login)

Everything from the guest list above, plus:

Whatever your auth provider (Google / Apple / email) passed to Clerk: typically your email address and your name. We store these inside Clerk; PAUSO Online only reads the opaque "subject" identifier needed to find your account.
Your custom display name if you set one.
Friend graph: a list of (your userId, friend userId) pairs.
Cosmetic entitlements — any unlocked customisations (badges, themes) tied to your account.

2.3 Analytics & advertising

We use Google Analytics 4 (GA4) on the home page, "How to play", "About", and Devlog pages to count visits and understand which screens people use. GA4 is loaded behind Google's Consent Mode v2 — until you accept the consent banner, the GA4 tags run in "no-storage" mode (no cookies, no client identifiers). If you accept, GA4 sets its standard cookies (`_ga`, `_ga_*`) and reports aggregate visit data to Google. You can withdraw consent at any time via the in-page banner; once withdrawn, the cookies are removed on next page load.

Google AdSense / AdMob load on gameplay surfaces with the same Consent Mode v2 gating. With consent: personalised ads + standard targeting cookies. Without consent: contextual ads only, no behavioural profiling.

2.4 What we DON'T collect

No tracking pixels beyond Google Analytics (described above), no cross-site cookies for our own use, no advertising profile sold to third parties.
No precise location data. We use the broad timezone / region of your browser to decide whether to show an EU consent banner — that's it.

3. Why we collect it

Under UK GDPR every piece of data we hold has a "lawful basis". For PAUSO Online those are:

Performance of a contract (Article 6(1)(b)) — account, display name, match results, friend graph. We can't run the game without them.
Legitimate interests (Article 6(1)(f)) — aggregated analytics (DAU / MAU / mode breakdown) used to decide what features to build next. We never combine these with personal identifiers when reporting.
Consent (Article 6(1)(a)) — only for personalised advertising. You can choose "non-personalised" in the consent banner to opt out of behavioural targeting (you'll still see contextual ads based on the page content). Your decision persists in your browser and withdrawal takes effect immediately. Ads themselves are part of how the service is funded and are not optional.

4. How long we keep it

Account profile — kept while your account exists. After deletion request: 30-day soft-delete window, then permanent erasure (see "Your rights" below).
Match history & replays — kept for 365 days from the match end, then deleted uniformly (including short public share links). To keep a replay beyond that window, save the long-form replay URL shown in your browser after opening a match — it encodes the game locally and does not depend on our database.
Aura wallet ledger — kept while the account exists. Deleted in full when you request account erasure (no 365-day retention; the ledger is user-keyed PII and goes during the 30-day grace purge).
Game-chain participation — kept while the chain row exists. On account erasure, your participant entry is anonymised in place ("Deleted player") so other live participants can still resolve the chain history.
Analytics events (which page you opened, which game you started) — kept for 180 days, then deleted.
Live game state (active lobbies, heartbeats) — deleted within 24 hours of the game ending.
Deletion audit log — a non-PII forensic record (hashed user ID + timestamps) is kept indefinitely so we can prove we honoured your deletion request.

5. Who we share it with

We use a small number of trusted infrastructure providers to run the Service. Each one only sees the data needed for their specific function:

Cloudflare — hosts the static site and proxies all requests. Acts as our edge / CDN.
Convex — runs the realtime backend (game state, accounts, friend graph). Data is stored in Convex's managed infrastructure in the United States (US East).
Clerk — handles authentication (sign-in, password reset, MFA). They see your email and the auth provider you used.
Sentry — collects anonymised error reports when something crashes. Personal identifiers are stripped before send.
Google AdSense / AdMob — if you accept personalised ads, Google receives the standard browser / device signals needed to serve a relevant ad. You can revoke this at any time via the consent banner.
Google Analytics (GA4) — Alphabet Inc. receives aggregate visit data (page paths, anonymised session counts) when you accept the analytics consent banner. With consent withdrawn, GA4 tags run in "no-storage" mode and no identifiers are transmitted.

We DO NOT sell, rent, or share personal data with any other third party, full stop.

6. Your rights

Under UK GDPR you have the following rights. To exercise any of them, email hello@pauso.world or use the in-app controls where available. We'll respond within the statutory window (one month, extendable by up to two more for complex requests).

Right to access — email us and we'll send a copy of the personal data we hold about you.
Right to erasure — request account deletion from your profile page. Your account enters a 30-day grace window during which you can change your mind; after the window, all per-user data is permanently erased — that includes your Convex profile, match history (including saved & shared replays), Aura wallet ledger, friend graph, cosmetic entitlements, ad preferences, and (for signed-in accounts) the underlying Clerk authentication record holding your email / OAuth identity. Games and game-chain rows where you played alongside other users are anonymised rather than deleted, so your opponents' match histories continue to make sense (you appear as "Deleted player").
Right to rectification — update your display name, colour, friend graph yourself in-app. For anything else, email us.
Right to data portability — covered by the access right above.
Right to object to processing based on legitimate interests (we'll review case by case).
Right to withdraw consent for ad personalisation — open the in-app About menu and tap "Manage ads" to bring the consent chooser back at any time and switch between personalised and non-personalised (contextual) ads.
Right to complain to the ICO if you believe we've mishandled your data.

7. Children

PAUSO Online is not directed at children under 13. UK GDPR (via Section 9 of the Data Protection Act 2018) sets 13 as the age at which a child can consent on their own behalf to information-society services like ours. We do not knowingly collect data from anyone under 13; if you believe a child under 13 has signed up, email us and we'll delete the account.

8. Automated decision-making

We do not make solely-automated decisions about you that produce legal or similarly significant effects (UK GDPR Article 22). Matchmaking and skill-rating updates are automated but they affect only your in-game experience.

9. Cookies & local storage

We don't set any tracking cookies. Everything we store in your browser is functional (it keeps your game state, preferences, and login working) and lives in localStorage / sessionStorage on your device — never sent to a third party. The exhaustive list:

pauso_guest_token — random UUID that identifies your guest account across sessions. No PII.
pauso_player_secret_* (sessionStorage) — per-game authentication token issued by our server so guests can submit moves without signing in. Cleared when you close the tab.
pauso_aura_v2 — local copy of your Aura rating + W/L/T counters used to display stats instantly when you reopen the page.
pauso_play_wins, pauso_play_losses, pauso_play_ties, pauso_play_games — lifetime offline-vs-AI win/loss/tie counters. Never uploaded.
pauso_selected_mode — your most recent game-mode pick so it's preselected next time.
pauso_welcome_seen — flag that suppresses the first-run welcome modal on subsequent loads.
pauso_aura_milestone_seen:* — flags that prevent a celebration popup re-firing for an Aura milestone you've already seen.
pauso_ad_consent_v1 — records your "personalised / non-personalised / no ads" choice from the consent banner.

Clerk (sign-in) and Cloudflare (edge) set their own strictly-necessary cookies. No third-party tracking cookies are set until you accept ads via the consent banner.

10. International transfers

Some of our infrastructure providers are based in the United States and process personal data there:

Convex (backend, US East)
Clerk (authentication, US)
Sentry (error monitoring, US)
Google AdSense / AdMob (advertising, US)
Cloudflare (edge CDN; operates a global network, including UK / EU points of presence)

Each of these providers is certified under the EU-US Data Privacy Framework (DPF) and its UK Extension, which the UK government and the European Commission both recognise as providing an adequate level of protection for personal data transferred to the US. Where DPF certification does not apply to a specific transfer, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses.

To verify any provider's current DPF status you can search the public list at dataprivacyframework.gov/list.

11. Security

Server-side state is stored in Convex's managed infrastructure with at-rest encryption. Connections are TLS 1.3 end-to-end. We use signed JWTs for Clerk auth and per-game randomly generated secrets for guest auth. Sensitive operations (account deletion, profile changes) are rate-limited per user. We do not store passwords ourselves — Clerk handles that.

12. Changes to this policy

If we change this policy in a way that materially affects your rights, we'll surface a banner on the home page, update the "last revised" date above, and keep an entry in our public changelog so existing users can see what changed. For non-material changes (typos, clarifications) we'll silently update the page.

13. Contact

Privacy questions, data-access requests, and complaints: hello@pauso.world.