Privacy Policy

Last updated: April 16, 2026

This policy is a good-faith draft and has not yet been reviewed by legal counsel. It will be updated once that review is complete.

Who we are

ENDGAME: Only Kings Remain ("ENDGAME", "we", "us", "the service") is a chess variant game operated by Mythic Flux Foundry at endgamekings.com. This policy describes what personal data we collect, why, and how it is handled.

Information we collect

When you create an account and use the service, we collect the following:

Account information

When you sign in with Google via our authentication provider (Clerk), we receive your Google user ID, email address, and profile display name. We do not receive or store your Google password.
You choose a unique username during onboarding. This username is publicly visible to other players. You may change it at any time through your account settings; the change propagates to new interactions automatically.
Clerk issues and manages authentication tokens (JWTs) on our behalf. Clerk's own data handling is governed by Clerk's privacy policy.

Game data

Every online and ranked AI match is recorded: the full move sequence, result type, winner, game duration, timestamps, and both players' account IDs.
A Glicko-2 rating, rating deviation, and volatility value are calculated from your game results and stored on your account. Per-match rating snapshots (before and after) are stored on the match record.
Seasonal leaderboard entries track your rating at the start of each monthly season, your current rating, and the number of games played that season. Top-3 finishers' ranks are recorded when a season closes.

Puzzle data

When you attempt or solve a daily puzzle, we record whether you solved it, how many hints you used, and the number of moves you played. We also track your current puzzle streak, total puzzles solved, and the date you last solved a puzzle.

Social graph

When you send or accept a friend request, we store a friendship record containing your account ID, the other player's account ID, the state (pending, accepted, or blocked), and timestamps.
Blocks are stored in the same records. Your block list is visible only to you; we do not disclose to a blocked user that they have been blocked.

In-app inbox

When someone sends you a friend request, accepts one, or challenges you to a game, we create a notification record with the sender's account ID, the notification type, timestamps, read/dismissed state, optional expiry, and any type-specific payload (for example, a challenge's ephemeral room ID). Notifications are visible only to you.
When you send a game challenge to another player, we record the challenge's ephemeral room ID, both players' account IDs, the ranked/unranked flag, and a 10-minute expiry. Expired or declined challenges are cleared automatically.

Reports

If you report another player, we store the report reason, optional free-text note, reporter ID, reported player ID, and the room where the incident occurred (if applicable). Reports are visible only to us for moderation review.
To reduce false-flag abuse we limit each reporter to roughly 46 reports per day and automatically ignore duplicate submissions against the same player within 24 hours while an earlier report is still unreviewed.

Network information

We record the IP address of each player in every online match for abuse prevention (detecting multi-account play from the same network). A flag is set when both players in a match share the same IP address.

Local device storage

We use localStorage to store a room ID when you have an active online game, enabling reconnection if you refresh or briefly lose connectivity. This data stays on your device and is cleared when the game ends.
We use sessionStorage to hold a pending invite code when you arrive via another player's invite link, so we can surface the inviter's name and a friend-request prompt after you sign in. This data is scoped to the current tab and cleared on close.
A service worker caches the app shell and static assets on your device for faster loading and basic offline capability. This cache can be cleared via your browser settings.

How we use your information

To authenticate you and maintain your session across visits.
To let you play online matches and track your rating history.
To compute and display Glicko-2 ratings, match history, leaderboards, and seasonal rankings.
To serve daily puzzles and track your solve streaks.
To let you add friends, send and receive friend requests, block abusive users, and challenge other players to ranked or unranked matches.
To deliver in-app notifications for friend requests, game challenges, and their outcomes, and to keep those notifications in sync across your open tabs and devices.
To enforce block relationships during matchmaking so blocked users are never paired against each other.
To investigate reports of cheating, abuse, or other rule violations.
To detect coordinated abuse (same-IP flagging, multi-account detection).
To reconnect you to an active game after a page refresh or brief disconnection.
To operate and secure the service (rate limiting, authentication verification).

What is publicly visible

The following information is visible to other signed-in players:

Your username and current Glicko-2 rating.
Your rating deviation and total games played.
Your match history (opponent name, result, rating change, date).
Your position on the seasonal leaderboard (if you qualify).
Season award ranks (if earned).

Your email address, IP address, Google user ID, puzzle data, friends list, block list, inbox notifications, pending or past reports, and sent/received challenges are never shown to other players.

Third-party services

We rely on the following providers to operate ENDGAME. Each has its own privacy policy:

Clerk (authentication, session management) — clerk.com/legal/privacy
Google (OAuth sign-in provider) — policies.google.com/privacy
Cloudflare (hosting, CDN, edge database, real-time game server infrastructure) — cloudflare.com/privacypolicy
Stripe (payment processing, only if you choose to use the tip jar) — stripe.com/privacy. We do not receive or store your payment card details; Stripe handles the entire transaction via a hosted Payment Link.

What we do not do

We do not sell, rent, or trade your personal information to anyone.
We do not run third-party advertising.
We do not use analytics trackers, tracking pixels, or fingerprinting scripts.
We do not share your data with anyone outside the service providers listed above, except as required by law.

Cookies and local storage

We use cookies only for authentication sessions, managed by Clerk. We do not use analytics cookies, advertising cookies, or any form of cross-site tracking.

We use browser localStorage for active game reconnection (as described above). This data does not leave your device.

Data retention

Account data: retained for as long as your account exists so that ratings, history, and seasonal records remain consistent.
Match data: retained permanently (including the move sequence, result, and per-match rating snapshots). This is necessary for match history and rating integrity.
IP addresses: currently stored on match records for the life of the record. We intend to implement automated anonymization (replacing stored IPs with a hash after 90 days) but this is not yet in place. We will update this policy when it is.
Puzzle data: retained for the life of your account.
Social graph: friendship, pending-request, and block records are retained until you change them or your account is deleted.
Inbox notifications: retained until you dismiss them, until they expire (in the case of game challenges, after 10 minutes), or until one party's account is deleted.
Challenge metadata: room IDs and ranked flags for direct challenges are retained until the challenge expires or the game it creates concludes.
Reports: retained for moderation review and historical reference.

You may delete your account and all associated data at any time. See how to delete your account for the in-app steps, what is removed, what is retained (and why), and how to delete specific categories of data without closing your account.

International data transfers

ENDGAME is hosted on Cloudflare's global edge network. Your data may be processed in any country where Cloudflare operates infrastructure. Clerk processes authentication data in the United States. By using the service, you consent to these transfers.

Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you.
Correction: request correction of inaccurate or incomplete data.
Deletion: request deletion of your account and associated data. Certain match records may be anonymized rather than deleted to preserve the integrity of other players' history.
Portability: request your data in a structured, machine-readable format.
Objection: object to specific processing of your data where we rely on legitimate interest as the legal basis.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

California residents: under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect, request its deletion, and opt out of its sale. We do not sell personal information. To make a request, contact us at the email above.

Security

We take reasonable measures to protect your data, including: server-side JWT verification on every authenticated request, HTTPS-only transport, rate limiting on sensitive endpoints, and Cloudflare's built-in DDoS and bot protection. No system is perfectly secure; if you discover a vulnerability, please report it to [email protected].

Children

ENDGAME is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete it promptly.

Changes to this policy

We may update this policy from time to time. Material changes will be announced via a notice in the app and reflected in the "Last updated" date above. Continued use of the service after changes constitutes acceptance of the revised policy.

Contact

Mythic Flux Foundry
[email protected]