Privacy policy.
Last updated: 17 May 2026
Effective from: 17 June 2026
BoardMatey (ABN [32 117 029 184]) (we, us, our) operates BoardMatey, a board game tracking and group play-planning service (the Service). This Privacy Policy explains what personal information we collect, how we use and protect it, and the choices and rights you have.
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). A copy of the APPs is available from the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au/.
1. The short version
- We collect only what we need to run BoardMatey.
- We don't sell your personal information.
- We use a small number of trusted service providers (listed in section 6) to host the platform and deliver core features.
- You can export or delete your account at any time from your Settings page.
- If you have a privacy concern, email support@boardmatey.com and we'll respond.
2. What personal information we collect
We collect personal information in three main ways: when you give it to us, automatically when you use the Service, and from third parties (only when you've connected them).
2.1 Information you give us
- Account details — name, email address, password (stored hashed), avatar, country/region, time zone, and any preferences you set.
- Profile information — display name, bio, favourite games, and similar information you choose to share.
- Content you submit — play logs, scores, photos, comments, group details, vote choices, calendar events and other content you create in BoardMatey.
- Communications — messages you send us by email or via in-app forms (including support requests and bug reports).
- Billing details — if you subscribe to a paid plan, our payment processor Polar (which uses Stripe as its underlying payment infrastructure) collects and processes your payment details. We don't store full card numbers; we receive a token, the last four digits, the card brand, your billing country, and the status of each transaction.
2.2 Information we collect automatically
- Device and usage data — IP address, browser type, operating system, language, referring URL, pages visited, features used, timestamps and crash logs.
- Cookies and similar technologies — see our Cookies notice for details. We use a small set of cookies to keep you signed in, remember your preferences, and understand how the Service is used.
- Security logs — sign-in activity, MFA events and rate-limiting signals to detect and prevent abuse.
2.3 Information from third parties (only when you connect them)
- Google sign-in. If you choose to sign in with Google, we receive your name, email address, Google account ID and profile picture. We don't receive your Google password, and we don't access your Gmail, Drive or other Google services.
- BoardGameGeek (BGG). BoardMatey uses BGG's public game catalogue to show game details. If you link your BGG username, we use it to fetch your public collection from BGG. We don't receive your BGG password.
2.4 Sensitive information
We don't ask for sensitive information (as defined in the Privacy Act, e.g. health, racial or ethnic origin, political or religious views). Please don't share sensitive information with us. If you do — for example, in a play log comment — you consent to us holding it for the purpose for which you provided it.
2.5 Children
BoardMatey is intended for people aged 16 and over. We don't knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please email support@boardmatey.com and we'll delete it.
3. Why we collect and use your personal information
We use personal information for the following purposes:
| Purpose | Examples |
|---|---|
| Provide the Service | Authenticate sign-ins, sync your collection, run group voting, record play sessions, award achievements. |
| Personalise your experience | Show your stats, recommend games, surface activity from your groups. |
| Communicate with you | Send transactional emails (account, security, billing, group invites), respond to support requests. |
| Billing | Process subscription payments, manage renewals and cancellations, issue tax invoices. |
| Improve and secure the Service | Diagnose bugs, analyse aggregated usage, prevent abuse, comply with security obligations. |
| Marketing (optional) | Send occasional product updates if you've opted in. You can unsubscribe at any time. |
| Advertising on free plans | If we introduce advertising on the free plan in the future, we may use limited, non-sensitive information (for example, the page you're on or your broad region) to choose which ad to show. Paid plans are ad-free. We don't currently show ads, and we won't share your personal information with advertisers for them to build their own profile of you. |
| Legal obligations | Respond to lawful requests, meet record-keeping requirements, enforce our Terms. |
We only send marketing messages where allowed under the Spam Act 2003 (Cth). Every marketing email includes an unsubscribe link.
We don't make decisions about you using solely automated processing in a way that produces legal or similarly significant effects. From 10 December 2026, the Privacy Act will require us to include extra information in this Policy if we ever start using a computer program to make (or do something substantially related to making) a decision that could significantly affect your rights or interests. If that ever changes, we'll update this Policy first.
4. How we share your information
We never sell your personal information.
We share personal information only:
- With other users you choose to share with — for example, members of a group you join can see your display name, avatar, votes, play logs in shared sessions and comments. You control what you post.
- With our service providers (see section 6) — strictly to help us deliver the Service.
- When required or authorised by law — for example, in response to a subpoena, court order or lawful request from a regulator.
- In a business transfer — if we restructure, merge, sell or transfer part of our business, personal information may be part of that transfer. We'll let you know if this happens and your rights under this Policy will continue to apply.
- To prevent harm — to investigate suspected fraud, security incidents, or threats to a person's life or safety.
5. International data transfers
We're based in Australia, but some of our service providers store or process data overseas (for example, in the United States or the European Union). When personal information leaves Australia, we take reasonable steps under APP 8 to ensure it's handled in line with this Policy.
By using the Service, you consent to your personal information being transferred to and stored in the locations described in section 6. Please note that, in line with APP 8.2, if you consent to an overseas disclosure we may not be required to take steps to ensure the overseas recipient handles your information in accordance with the APPs.
6. Service providers we use
We share personal information with the following providers, only to the extent needed to deliver the Service:
| Provider | What they do for us | Where data is processed |
|---|---|---|
| Supabase | Database, authentication and file storage | United States and other Supabase regions |
| Vercel | Web application hosting and CDN | Global edge network (primary region: configurable) |
| Polar (using Stripe) | Payment processing for paid plans | United States and other Stripe regions |
| Google (sign-in only) | Optional Google sign-in (OAuth) | United States and global Google regions |
| BoardGameGeek | Public game catalogue and (if you link it) your public BGG collection | United States |
| Resend | Sending transactional and (if you opt in) marketing email | United States and EU regions |
We review our service providers and update this list as it changes.
7. How long we keep your information
We keep personal information only as long as we need it for the purposes described in this Policy, or as required by law.
- Active accounts — we keep your information while your account is active.
- Deleted accounts — when you delete your account, we delete or de-identify your personal information within 30 days, except where we need to retain it (for example, financial records under the Income Tax Assessment Act and other tax/financial laws are kept for at least 7 years, and security logs may be kept for up to 12 months to investigate fraud or abuse).
- Backups — copies in our backup systems are overwritten on a rolling basis (typically within 35 days).
8. How we keep your information secure
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. These steps include:
- encryption in transit (HTTPS/TLS) and at rest;
- hashed passwords (we never store your password in plain text);
- multi-factor authentication for staff and (optionally) for you;
- least-privilege access controls and audit logging;
- secure software development practices and dependency monitoring; and
- regular review of our service providers' security posture.
No system is perfectly secure. If we become aware of a data breach that's likely to result in serious harm, we'll notify you and the OAIC as required by the Notifiable Data Breaches scheme.
9. Your rights and choices
You have the following rights and choices:
- Access — ask for a copy of the personal information we hold about you.
- Correction — ask us to correct information that's inaccurate, out of date, incomplete, irrelevant or misleading.
- Export — download your data from your Settings page.
- Deletion — delete your account at any time from your Settings page. You can also email us to request deletion.
- Opt out of marketing — use the unsubscribe link in any marketing email, or change your preferences in Settings → Notifications.
- Withdraw consent — where we rely on your consent (for example, optional integrations), you can withdraw it at any time. Withdrawing consent doesn't affect processing already done.
- Cookies — manage cookies in your browser settings. See our Cookies notice for details.
To exercise any of these rights, email support@boardmatey.com. We'll usually respond within 30 days. We will not charge you a fee for making a request to access or correct your personal information. If giving you access requires us to do something that's reasonably costly (for example, providing a copy in a particular form), we'll tell you about any reasonable charge before we go ahead, and the charge won't be excessive. We may need to verify your identity before acting on a request.
If we refuse a request, we'll explain why in writing and tell you how to complain.
10. Complaints
If you think we've handled your personal information in a way that breaches the Privacy Act or the APPs, please email support@boardmatey.com with the details. We'll acknowledge your complaint promptly and aim to give you a substantive response within 30 days.
If you're not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Website: https://www.oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
11. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top of this page tells you when we last changed it. If we make a material change, we'll let you know by email or through an in-app notice before it takes effect.
12. How to contact us
For privacy questions, complaints or requests:
- Email: support@boardmatey.com
We're happy to hear from you.