Privacy Policy
Effective Date: June 1, 2026 · Last Updated: June 1, 2026
This Privacy Policy explains how Simple Web Games, operated by ThoMetrics AI LLC (“we”, “us”, or “our”), collects, uses, and protects information when you use our website and games (the “Service”). We've tried to write this in plain English. If anything is unclear, email us at support@simplewebgames.com.
Who we are
Simple Web Games is operated by ThoMetrics AI LLC, a small game platform operated from Kentucky, United States. We provide daily word and trivia games, with optional accounts, leaderboards, a token economy, and an optional premium subscription.
What we collect
We collect only what we need to run the Service. Here's the full list.
When you create an account
- Email address (required for sign-in)
- Username (auto-generated from your email, or chosen by you)
- An optional avatar
- A stable identifier from Google or Apple if you sign in with one of those services (we don't receive your Google or Apple password)
- Account creation and last login timestamps
When you play
- Your game results (score, attempts, time, whether you solved it, when you finished)
- The specific guesses or answers you submitted (used to generate shareable result text)
- Your leaderboard entries
- Your streak data (current streak, longest streak, milestone history)
- Every token earned, spent, or purchased
- Cosmetic items you own and have equipped
- A record of when you share a result and which platform you shared to
- How many ads you've watched today (we cap this at 5)
For authentication and security
- Single-use, hashed magic-link tokens we send to your email
- Hashed refresh tokens that keep you logged in across visits (stored in a secure, http-only cookie scoped to our auth endpoints)
- Your IP address, briefly, to enforce rate limits (e.g., to prevent someone from using your email to spam magic links)
When you make a purchase
- A Stripe customer ID and, if you subscribe, a Stripe subscription ID
- Your subscription status and billing period dates
- Identifiers for individual purchases and webhook events (used to make sure we never double-charge or double-credit)
We do not store your card number, CVV, or other payment credentials. Those go directly to Stripe.
Technical information
- Standard server logs that include your IP address and browser information (User-Agent), used for security and debugging
- If you use our mobile app, basic device information from the operating system (such as OS version)
What we don't collect
- We do not collect location data
- We do not use advertising IDs or tracking pixels outside of the ad network described below
- We do not use third-party analytics services (no Google Analytics, no Mixpanel, etc.)
- We do not build behavioral profiles of you beyond the features the Service provides
- We do not access your microphone, camera, contacts, or other device data not listed above
- We do not record your keystrokes or your sessions
How we use what we collect
We use your information to:
- Run the Service — sign you in, save your scores, run leaderboards and streaks, run the token economy, process your purchases, generate the share text when you share a result.
- Keep the Service secure — rate-limit magic-link requests, cap rewarded ads at 5 per day, prevent token-economy abuse, prevent cheating, prevent double-charging on payments.
- Communicate with you — send you the magic link you requested. That's it. We do not send marketing email at this time. If we ever do, we will update this policy and provide a way to opt out.
- Improve the Service — review the database and our own engineering observations to understand which games are popular, which features work, and what needs fixing. We do not use third-party analytics or behavioral profiling to do this.
- Comply with the law — retain certain records (like transaction records) as required by tax and accounting law, and respond to lawful requests if we receive them.
Who we share with
We share your information only with the service providers we need to run the Service. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
- Amazon Web Services (AWS) — hosts our servers, database, and cache. Your data is stored on AWS infrastructure in the United States.
- Stripe — processes all payments. When you make a purchase or subscribe, Stripe receives the information needed to process your payment (such as your email, billing address, and payment method). We never see your card number or CVV.
- Google — if you sign in with Google, Google receives the fact that you are signing into Simple Web Games. We receive your email, a stable identifier (your Google subject ID), and a flag confirming your email is verified.
- Apple — if you sign in with Apple, the same as above. If you use Apple's “Hide My Email” feature, the email we receive is a private relay address managed by Apple — that's fine; the Service works the same.
- Amazon Simple Email Service (SES) — delivers transactional emails (currently, the magic-link sign-in email).
- Google Ads — we show optional rewarded ads served by Google's ad network. When you watch an ad, Google may set cookies and collect device identifiers and ad interaction data for purposes including ad personalization, frequency capping, and fraud detection. Google is the data controller for this data and uses it under its own privacy policy. Users in the EEA, UK, and certain US states (including California) will be asked for consent or have their privacy signals honored before ad personalization occurs.
- Legal requirements — if we receive a legally valid subpoena, court order, or similar request, we may need to disclose information to comply.
Cookies and similar technologies
We use the minimum amount of client-side storage needed to run the Service.
Cookies we set today
- A secure, http-only authentication cookie that keeps you logged in. This cookie is required for the Service to work — blocking it will prevent you from signing in.
Other client-side storage we use
- localStorage for: your light/dark theme preference, your audio mute and volume preferences, and your in-progress word game guesses (so a refresh doesn't wipe your progress).
- A short-lived authentication token held in your browser's memory while a tab is open. This token is cleared when you close the tab.
Cookies we do not set
- No analytics cookies
- No social media tracking pixels
Google's ad network sets its own cookies for ad personalization, frequency capping, and fraud detection when you watch an ad. These are controlled by Google, not by us, and are governed by Google's privacy policy.
Do Not Track (DNT) — there is no industry consensus on how to respond to “Do Not Track” browser signals, so we do not respond to them.
Global Privacy Control (GPC) — we honor GPC signals, treating them as an opt-out of ad personalization for that user.
Browser controls — you can configure your browser to block or delete cookies. Doing so may prevent you from signing in to the Service.
Your rights
We offer the following rights to all users, regardless of where you live.
- Access — you can ask us what data we hold about you, and we'll send it to you in a usable form.
- Correction — you can ask us to correct inaccurate data.
- Deletion — you can ask us to delete your account and personal data.
- Portability — you can ask us to send you your data in a machine-readable format.
- Withdraw consent — where we process data on the basis of your consent (such as ad personalization), you can withdraw it.
- Opt out of “sale” or “sharing” — we do not sell your data. You may opt out of ad personalization, which some laws (such as the CCPA) treat as opting out of “sharing.”
- Non-discrimination — we will not penalize you for exercising any of these rights.
- Complain to a regulator — if you are in a jurisdiction with a data protection authority, you have the right to lodge a complaint with it.
To exercise any of these rights, email us at support@simplewebgames.com. We will respond within 30 days. If your request is complex, we may extend this period and will tell you why.
If you are in the European Union, United Kingdom, or another jurisdiction with data protection law, nothing in this policy limits any non-waivable rights you may have under your local law.
How long we keep your data
While your account is active, we retain your data for as long as your account exists, because the Service needs it to function.
A few categories have shorter natural lifespans:
- Magic-link tokens are single-use and expire 15 minutes after they're issued.
- Refresh tokens expire after 7 days and rotate on every use.
- Practice mode game state is held in our cache for 30 minutes and never written to the database.
- Rate-limit records and short-term caches expire automatically after their window.
When you delete your account, we hard-delete your personal information (email, username, avatar, OAuth identifiers, authentication tokens, login history). We anonymize your historical gameplay records — sessions, leaderboard entries, transactions, streaks, shares, subscriptions, cosmetics — by detaching them from your identity. This means historical leaderboards stay accurate, but your name is no longer attached to those entries.
Tax and accounting law requires us to retain transaction records for a period of years after a purchase, even if you delete your account. We retain these records with personal identifiers removed where possible.
Legal hold — if there's an active legal matter that requires us to preserve data, that overrides a deletion request. This is rare and standard.
Inactive accounts — we do not automatically delete inactive accounts at this time.
Children's privacy
Simple Web Games is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please email us at support@simplewebgames.com and we will delete the account and associated data.
Our App Store and Google Play age rating is 13+.
International users
We operate the Service from the United States, and your data is processed and stored in the United States. By using the Service, you understand that your data will be processed in the United States, which may have different data protection laws than your country of residence.
Changes to this policy
We may update this policy from time to time. The “Last Updated” date at the top of this page always reflects the most recent version.
For material changes — meaning changes to what data we collect, how we use it, who we share it with, your rights, or our handling of children's data — we will:
- Update the “Last Updated” date
- Provide an in-app notice to logged-in users the next time they visit
- Give at least 30 days' advance notice before the change takes effect
For non-material changes — such as typo fixes, clarifying language, or contact-info updates — we will update the page and bump the “Last Updated” date.
Your continued use of the Service after a material change takes effect constitutes your acceptance of the updated policy.
Contact us
For any privacy-related question, request, or concern, email us at support@simplewebgames.com. We respond within 30 days.
For general questions, see our Contact page.
Governing law
This Privacy Policy is governed by the laws of the Commonwealth of Kentucky, United States, without regard to its conflict of laws principles. Any disputes arising from this policy or the Service will be resolved in the state or federal courts located in Boyle County, Kentucky.
Nothing in this section limits any non-waivable rights you may have under your local law.