Built to protect your team

HuddlePlay is hosted on world-class infrastructure from providers who set the industry standard for security:

• Supabase (Database & Auth)Security docs →
  Hosted on AWS. All data encrypted at rest (AES-256) and in transit (TLS 1.2+). Row-Level Security (RLS) policies ensure users can only access their own data.
• Vercel (Hosting & Edge)Security docs →
  Global edge network with automatic HTTPS, DDoS protection, and instant rollback. Every deployment is isolated.
• Stripe (Payments)Security docs →
  PCI DSS Level 1 certified — the highest level of payment security. HuddlePlay never sees or stores your full card number. All payment data is handled directly by Stripe.

Hosts (account holders)

When you create a host account via Google OAuth, we store:

• Email address (for authentication)
• Display name and profile picture (from Google, optional)
• Billing information (processed and stored entirely by Stripe)
• Game session history (room codes, player counts, games played)

Players (guests who join rooms)

Players join with a display name only. We collect:

• Display name chosen at join time (not linked to any identity)
• In-game answers (used only for scoring, deleted when the room closes)

No email, no account, no persistent profile. A guest player’s data exists only for the duration of their game session.

• ✓Sell your data to any third party — ever
• ✓Serve advertising or use your data for ad targeting
• ✓Use tracking pixels or cross-site trackers
• ✓Require players to create accounts or provide personal information
• ✓Store payment card numbers — all billing is handled by Stripe
• ✓Transmit sensitive information in URLs or query strings

• HTTPS everywhereHSTS headers enforced with 2-year max-age. All HTTP traffic redirected to HTTPS automatically.
• Row-Level SecurityEvery Supabase table has RLS policies. Players can only read/write their own game data.
• No plaintext passwordsAuthentication via Google OAuth only — we never store or see passwords.
• Session tokensSecure, short-lived session tokens. Sessions invalidated on sign-out.
• Webhook signature verificationAll incoming Stripe webhooks are cryptographically verified before processing.
• Content Security PolicyCSP headers restrict which external resources can load on HuddlePlay pages.
• Input sanitisationAll user input (names, room codes) is validated and sanitised on both client and server.

If you are located in the European Union or California, you have rights over your personal data. See our Privacy Policy for the complete list. In summary:

• Request a copy of the data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Opt out of any data processing beyond what is strictly necessary

To exercise any of these rights, email us at hello@huddleplay.app. We respond within 30 days.

HuddlePlay uses the following third-party services. Each has its own privacy practices:

• Supabase — database, authentication, realtime. Privacy policy →
• Stripe — payment processing. Privacy policy →
• Vercel — hosting and CDN. Privacy policy →
• Google — OAuth authentication only. No data shared beyond login. Privacy policy →
• PostHog — anonymous usage analytics. No PII collected. Privacy policy →
• Open Trivia Database (OTDB) — trivia question API. No user data sent. Website →

If you discover a security vulnerability in HuddlePlay, please report it responsibly. Do not exploit the vulnerability or disclose it publicly before we have had a chance to address it.

Email: security@huddleplay.app

We aim to respond to security reports within 48 hours and will credit reporters who follow responsible disclosure.