Privacy Policy

Last updated: 30 June 2026

This policy explains what personal data Gem TD ("the Game", "we", "us") collects when you play, how and why we use it, and the rights you have. Gem TD is operated by Jose Yebenes, an individual based in Spain, who is the data controller. You can reach us any time at [email protected].

1. Personal data we collect

Account data

• Anonymous device account. When you enable cloud features, we generate a random account identifier so your scores can sync. It is not linked to your real-world identity.
• Sign-in with Google (optional). If you choose to sign in with Google, we receive your Google account identifier and your email address (scope: openid email), used to link and recover your account. We do not receive your password.
• Sign-in with Discord (optional). If you choose to sign in with Discord, we receive only your Discord account identifier (scope: identify). We do not request your Discord email.
• Public handle. Your public presence is a randomly generated in-game handle (e.g. "RadiantOpal4821"), which you can change. We do not publish your real name or email.

Gameplay data

• Your scores, waves reached, difficulty, run metadata, Gemstone Rating, and achievements you unlock.
• This powers the leaderboards, your Armory profile, and the ranking system.

Technical data

• Your IP address is processed transiently for security — rate-limiting and bot/abuse prevention (via Cloudflare and Cloudflare Turnstile). We do not use it for advertising or to track you across sites. Turnstile runs an invisible bot check when you create an account or sign in; our use of it is subject to Cloudflare's Turnstile Privacy Addendum.
• Minimal request/security logs, kept for a short period.

2. Cookies & local storage

Gem TD uses only strictly necessary cookies — no advertising, analytics, or cross-site tracking cookies. Under the EU ePrivacy rules and Spain's LSSI (Ley 34/2002), strictly necessary cookies are exempt from prior consent, so the Game does not show a cookie banner.

• Authentication cookie (gemtd_rt). A secure, HttpOnly cookie that keeps you signed in. It cannot be read by page scripts and is sent only to our authentication endpoints.
• Sign-in state cookie. A short-lived cookie used only during the Google/Discord sign-in flow to protect against cross-site request forgery.
• Local storage. Your in-browser settings, local high scores, and a flag recording whether you opted into cloud features. This stays on your device and is not transmitted to us.

3. Why we use your data, and our legal basis

Under the GDPR (Regulation (EU) 2016/679) and Spain's LOPDGDD (Ley Orgánica 3/2018), we rely on:

• Your consent (Art. 6(1)(a)) — when you choose to enable cloud features or sign in with Google or Discord. You can withdraw consent at any time (see §6).
• Our legitimate interests (Art. 6(1)(f)) — to run accurate, fair leaderboards and to keep the Game secure (detecting cheating, abuse, and automated traffic). We have balanced these against your rights.

There is no automated decision-making that produces legal or similarly significant effects on you. Providing this data is never a statutory or contractual requirement — it is entirely optional and only needed if you want the online features.

4. Who receives your data

We do not sell your personal data and we do not show ads. We share data only with the processors that run the Game:

• Cloudflare, Inc. — hosting, database, content delivery, and abuse prevention (including Turnstile), under Cloudflare's Data Processing Addendum.
• Google and Discord — only if you choose to sign in with them, and only to verify that account link.

Your public leaderboard handle and scores are visible to other players. Your profile is private by default; detailed stats are shown publicly only if you opt in.

5. International transfers

Gem TD runs on Cloudflare's global network, so your data may be processed on servers outside the European Economic Area. Where that happens, the transfer is covered by appropriate safeguards — an adequacy decision or the European Commission's Standard Contractual Clauses, as set out in Cloudflare's Data Processing Addendum.

6. Your rights

Under the GDPR you have the right to:

• access the personal data we hold about you;
• have inaccurate data corrected, and have your data erased;
• restrict or object to our processing, and receive your data in a portable format;
• withdraw any consent you have given, at any time, without affecting prior processing.

To exercise any of these, email [email protected]. You can stop cloud features at any time by signing out and disabling cloud sync in the Game. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es) or your local supervisory authority.

7. Data retention

We keep your account and gameplay data until you ask us to delete it, or until your account is removed for a Terms violation. On account deletion we remove your account record and personal identifiers; aggregate or anonymised leaderboard data may be retained. Security logs are kept only for a short period.

8. Children

Gem TD is not directed to children under 13, and you must be at least 13 years old to create an account or use cloud features. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us data, contact us and we will delete it.

9. Security

We protect accounts with HttpOnly authentication cookies, hashed tokens, token rotation with theft detection, and rate-limiting. No system is perfectly secure, but we take reasonable measures to safeguard your data.

10. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by the "Last updated" date above.