Home

Privacy Policy

Last updated: May 26, 2026

1. Information We Collect

We collect information needed to run TactiVal, which may include:

  • Account information from your sign-in provider (such as email, display name, profile image, and provider account ID)
  • Authentication and session data (such as session identifiers and sign-in timestamps)
  • Content you create in the app (for example, saved strategies, share links, and related metadata)
  • Invite-code or access-status records when applicable
  • Automatically collected technical data — our infrastructure providers (such as Cloudflare) automatically collect standard request logs, including IP address, approximate geographic region, browser type, device type, operating system, and request timing. This data is used for security, abuse prevention, and service reliability.

2. How We Use Information

  • Authenticate users and maintain account access
  • Save, sync, and serve your content
  • Provide sharing functionality when you enable it
  • Secure the service, prevent abuse, and troubleshoot issues

We do not sell personal information.

We do not use your data for third-party behavioral advertising.

We do not use your data to train generalized artificial intelligence or machine learning models.

We are not a data broker and do not derive revenue from your personal data.

3. Storage and Processing

Data may be processed and stored by our infrastructure and service providers. Your data may be transferred to and stored in regions where our providers operate, including Singapore (database) and globally distributed edge locations (content delivery and caching).

Some draft or temporary board data may be stored locally in your browser (using browser storage such as IndexedDB or localStorage) and may remain on your device unless you clear it.

4. Third-Party Services

We rely on the following third-party providers for core functionality:

  • Cloudflare — application hosting and content delivery
  • Supabase — database infrastructure and authentication storage
  • Google — sign-in via Google OAuth (see Section 5)
  • Discord — sign-in via Discord OAuth
  • Polar — payment processing and subscription management for paid features. Polar acts as our merchant of record for payments. When you subscribe, your billing details (such as name, email, billing address, and payment method) are collected and stored by Polar, not by TactiVal. You can review Polar's privacy policy at polar.sh/legal/privacy.

Your use of third-party sign-in is also subject to that provider's own terms and privacy policy. You can review each provider's privacy policy on their respective websites.

We may add or change providers as the service evolves and will update this section accordingly.

5. Google API Services User Data Policy

TactiVal's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data accessed. When you sign in with Google, we receive your email address, name, profile image, and Google account ID. We do not request additional Google scopes.

How we use it. This data is used solely to create and maintain your TactiVal account and to authenticate you on return visits.

Data sharing. We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features (for example, account storage with our database provider), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to affected users.

Data protection. Google user data is transmitted over TLS and stored by our database provider with access limited to authorized personnel.

No advertising use. We do not use Google user data for serving advertisements, including retargeting or interest-based advertising.

No human access. We do not allow humans to read Google user data unless we have your explicit consent, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data has been aggregated and anonymized.

No AI training. We do not use Google user data to develop, improve, or train generalized AI or machine learning models.

Retention and deletion. Google user data is retained for the lifetime of your account. When you delete your account, associated Google user data is deleted from our active systems immediately and removed from backups in accordance with our standard retention practices.

6. Data Retention

We retain your account data and content for as long as your account is active.

When you delete your account, your data is hard-deleted from our active database immediately. This includes your profile, saved strategies, share links, and session records. Routine database backups maintained by our provider for disaster recovery are purged on their standard rotation. Standard server logs and security telemetry are retained by our infrastructure providers in accordance with their own retention policies, for a limited operational period as defined by each provider.

Subscription cancellation and billing records. If you have an active paid subscription when you delete your account, we initiate cancellation with Polar before removing your account data. Limited billing records (such as invoices and payment history) are retained by Polar in accordance with their retention policy and applicable financial recordkeeping laws, even after your TactiVal account is deleted. You can access those records using the email-based customer portal linked in any Polar transactional email you have received (receipts, renewal notices, payment alerts), and you can submit deletion or access requests for Polar-held data directly to Polar.

We may retain limited records where required by law, to resolve disputes, or to enforce agreements.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access a copy of the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your personal data (you can also delete your account at any time from the in-app account settings)
  • Export (portability) your data in a machine-readable format
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent

You can exercise these rights by contacting admin@tactival.app. We aim to respond within 30 days, or sooner where required by law.

If you are in the European Economic Area, the United Kingdom, or Switzerland (GDPR / UK GDPR): We process your data on the following legal bases:

  • Performance of a contract — to provide the service you signed up for (account, save/sync, sharing)
  • Legitimate interests — to keep the service secure and prevent abuse
  • Consent — where you explicitly opt in (for example, enabling a share link)
  • Legal obligation — where required by applicable law

You also have the right to lodge a complaint with your local data protection authority.

If you are a California resident (CCPA / CPRA): You have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under California law. We do not discriminate against users who exercise their privacy rights.

Do Not Track: Some browsers transmit a "Do Not Track" signal. Because there is no industry-standard interpretation of this signal, we do not currently respond to it.

8. Cookies and Similar Technologies

We use only strictly necessary cookies required to operate and secure the service, primarily authentication and session cookies.

Our providers may also set security or performance-related cookies as part of infrastructure delivery (for example, Cloudflare bot detection).

We do not use analytics, advertising, or cross-site tracking cookies.

9. Security

We protect your data using industry-standard practices:

  • All traffic between your browser and TactiVal is encrypted with TLS
  • Authentication sessions are stored as opaque, hashed tokens
  • Database access is restricted to the application backend
  • Our infrastructure providers (Cloudflare, Supabase) maintain their own security certifications

No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a security incident affecting your data, we will notify affected users where required by law.

10. Children

TactiVal is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

If you believe a child has provided personal information, contact admin@tactival.app so we can investigate and take appropriate action.

11. Links to Other Websites

TactiVal may contain links to third-party websites (including OAuth providers and shared content). We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policy of any third-party site you visit.

12. Policy Changes

We may update this Privacy Policy from time to time.

If we make material changes, we will update the "Last updated" date and, when appropriate, provide additional notice.

13. Contact

For privacy questions or requests, contact admin@tactival.app.

Data controller

TactiVal (operated by Gabriel Joaquin Gamo)
Philippines
Email: admin@tactival.app

TactiVal

We use a single strictly necessary cookie to keep you signed in. No tracking, no analytics cookies.