Privacy Policy

1. INTRODUCTION

Floor Judge ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website at floorjudge.com, our Discord bot, and related services (collectively, the "Service").

We are based in the United Kingdom and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you are located in the European Economic Area (EEA), we also comply with the EU GDPR.

We will never sell your personal data to third parties. We only collect what we need to provide the Service.

2. DATA WE COLLECT

We collect the following categories of personal data:

DATA	HOW WE COLLECT IT	WHY WE COLLECT IT
Email address	When you create an account	Account identification and communication
Password (hashed)	When you create an account	Account security — we never store plain text passwords
Discord user ID	When you link your Discord account	To sync your tier between Discord and the website
Discord server ID	When you register a server	To apply your paid tier to the correct server
Conversation history	When you use the chat (paid tiers only)	To provide follow-up context for rulings
Usage data	When you ask questions	To enforce daily limits and monitor for abuse
Payment information	When you subscribe	Processed by Stripe — we only store your Stripe customer ID
IP address and browser data	Automatically when you visit the website	Security, fraud prevention, and service improvement

3. HOW WE USE YOUR DATA

We use your personal data for the following purposes:

To create and manage your account
To provide the rules advisory service
To process subscription payments and manage billing
To sync your tier across the website and Discord
To enforce usage limits per your subscription tier
To respond to support requests
To detect and prevent fraud and abuse
To comply with legal obligations

We do not use your data for advertising, profiling, or any purpose beyond operating the Service.

4. LEGAL BASIS FOR PROCESSING (UK/EU GDPR)

We process your personal data on the following legal bases:

Contract — processing necessary to provide the Service you have signed up for
Legitimate interests — security monitoring, fraud prevention, and service improvement
Legal obligation — where we are required to process data to comply with applicable law
Consent — where you have explicitly consented, such as optional features

5. DATA SHARING AND THIRD PARTIES

We share your data with the following third parties only as necessary to provide the Service:

THIRD PARTY	PURPOSE	DATA SHARED
Anthropic (Claude AI)	AI rules engine	Your questions and conversation history
Stripe	Payment processing	Email address and payment details
Railway	Backend hosting and database	All data stored in our database
Netlify	Website hosting	IP address and browser data
Scryfall	Card data lookup	Card names mentioned in your questions
Discord	Bot platform	Discord user ID and server ID

We do not sell, rent, or trade your personal data with any other third parties.

6. DATA RETENTION

We retain your personal data for the following periods:

Account data — retained while your account is active and for 30 days after deletion
Conversation history — retained while your account is active; deleted when you clear history or delete your account
Usage data — retained for 90 days for security and abuse monitoring
Payment records — retained for 7 years to comply with UK tax and financial regulations

7. YOUR RIGHTS

Under UK GDPR you have the following rights regarding your personal data:

Right of access — you can request a copy of all personal data we hold about you
Right to rectification — you can update or correct your data through your account settings
Right to erasure — you can delete your account and all associated data at any time
Right to restrict processing — you can ask us to limit how we use your data
Right to data portability — you can request your data in a machine-readable format
Right to object — you can object to processing based on legitimate interests
Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are unhappy with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. DATA SECURITY

We take reasonable technical and organisational measures to protect your personal data, including:

All passwords are hashed using bcrypt — we never store plain text passwords
All data is transmitted over HTTPS/TLS encryption
Access to our database is restricted and authenticated
Payment data is handled entirely by Stripe and never stored on our servers
JWT tokens are used for session management with expiry periods

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, please contact us immediately.

9. COOKIES

Our website uses localStorage (a browser storage mechanism similar to cookies) to store your login token and account preferences locally on your device. This data is not transmitted to third parties and is used solely to keep you signed in between sessions.

We do not use tracking cookies or advertising cookies. We do not use Google Analytics or any third-party analytics services.

10. CHILDREN'S PRIVACY

The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

11. INTERNATIONAL DATA TRANSFERS

Your data may be processed outside the UK by our third-party service providers (including Anthropic and Railway, which are based in the United States). Where we transfer data outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR, including standard contractual clauses where applicable.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.