Privacy Policy
Last updated: April 13, 2026
The short version
Lucky Lounge (“we”, “us”) is a free, browser-based social casino where all coins are fictional and nothing costs real money. This policy explains, in plain English, what we collect, why, who helps us run the site, how long we keep it, and how you can get it out or have it deleted.
Quick facts: no ads, no ad cookies, no tracking pixels, no selling or sharing your data, no payment info collected, no real money involved anywhere. Lucky Coins are entertainment only — they have no value and can't be cashed out for anything.
For EU/UK/Swiss readers: Lucky Lounge is the “data controller” for the information described below under the GDPR and UK GDPR. You can reach us any time at luckyloungegame@gmail.com. We reply to privacy requests within 30 days (or 45 if a request is unusually complex, and we'll tell you if that happens).
1. What we collect
We only collect what we need to run the game, keep it fair, and keep it safe. Here's the full list:
Your account
- Email address, the username you pick, and an internal ID from our login provider (Clerk).
- Session tokens and basic device info that Clerk uses to keep you signed in. We never see your password.
- Account timestamps — when you signed up, last login, login streak, when you accepted these terms.
Your profile and avatar
- Display name, optional bio, level, XP, total play time.
- Avatar look (body type, colors, face, head shape) and equipped cosmetics.
- Inventory of cosmetic items and consumables, plus any active temporary effects.
Gameplay and wallet
- Your current Lucky Coin balance and a history of every bet, win, reward, and transfer.
- Game results (which game, what you bet, what happened).
- Quest, achievement, and session history.
Chat, trades, and reports
- Messages you send in public chat.
- Trade offers between you and other players, including the items on each side.
- Any abuse reports you file or that are filed about you.
Moderation notes
- Bans and mutes (type, reason, who issued it, when it expires) and any admin notes attached to your account.
Technical stuff
- IP address and user-agent from your HTTP requests, used for rate limiting and abuse prevention.
- Server error and audit logs that automatically redact emails, tokens, IPs, and database URLs before saving.
- Short-lived rate-limit counters.
Anonymous analytics
We use Vercel Web Analytics and Speed Insights to see which pages are slow or broken. They are cookieless, don't track you across sites, and don't build advertising profiles — they just count anonymous page views and performance events.
2. What we never do
- No payment info — there's nothing to buy.
- No ad cookies, retargeting pixels, Google Analytics, or Meta Pixel.
- No real names, phone numbers, home addresses, ID documents, biometrics, precise location, or financial data.
- No device fingerprinting or cross-site tracking.
- No selling or “sharing” your data for advertising (as those terms are defined under the CCPA/CPRA and similar state laws). No data brokers.
- No ads of any kind inside the game.
- We don't use your data to train third-party AI models.
- No fully automated decisions that have a legal or similarly significant effect on you — see Section 10.
3. Why we use it (and the legal basis)
For EU/UK/Swiss readers, we've put the GDPR Article 6 legal basis in brackets next to each purpose.
- Run the game. Sign you in, track your wallet, game outcomes, inventory, and progression. [Art. 6(1)(b) — performing our contract with you.]
- Social features. Deliver chat, presence, trades, and leaderboards to the people who want to use them. [Art. 6(1)(b) and Art. 6(1)(f) — making a multiplayer game work.]
- Keep things safe and fair. Catch cheating, multi-accounting, economy exploits, harassment, and brute-force attacks. Moderate chat. Enforce bans. [Art. 6(1)(f) — our legitimate interest in platform safety, and Art. 6(1)(c) where we're required to hold something for legal reasons.]
- Wallet integrity. Keep a tamper-evident record of coin movements so we can investigate disputes and fix bugs. [Art. 6(1)(b) and Art. 6(1)(f).]
- Support and important notices. Answer your questions and send transactional emails (security alerts, policy changes). We don't send marketing email. [Art. 6(1)(b) and Art. 6(1)(f).]
- Improve the service. Look at anonymous Vercel analytics to find slow or broken pages. [Art. 6(1)(f).]
- Follow the law. Respond to lawful requests, enforce our Terms, and defend against legal claims. [Art. 6(1)(c) and Art. 6(1)(f).]
If we ever rely on your consent for something, you can take it back any time — doing so doesn't affect anything we already did before.
4. Who helps us run Lucky Lounge
We use a small number of well-known infrastructure providers. Each one has its own privacy terms and a data-processing agreement with us.
- Clerk — login and authentication. Handles your email, password hash, session tokens, and device info. SOC 2 Type II. Privacy policy
- Neon — our managed PostgreSQL database. Stores game, profile, wallet, and moderation data. Encrypted in transit and at rest. SOC 2 Type II. Privacy policy
- Upstash — Redis cache, rate limiting, presence, and moderation state. Compliance and security
- Ably — real-time messaging for chat, presence, and multiplayer events. Messages pass through Ably but aren't retained beyond its operational window. Privacy policy
- Vercel — hosting, edge network, cookieless Web Analytics, and Speed Insights. Briefly holds server logs (IP, user-agent) per Vercel's own policy. Privacy policy
- Cloudflare R2 — object storage for avatar sprites and static game assets. No identifying user data is stored there. Privacy policy
We don't use ad networks, social-media trackers, data-enrichment services, or data brokers. Ever.
5. How we keep it safe
We take reasonable technical and organizational steps to protect your data:
- TLS 1.2+ encryption on every connection, and at-rest encryption through our database and storage providers.
- Passwords are hashed by Clerk — we never see them.
- Per-user and per-IP rate limiting on every action.
- Strict Content Security Policy plus HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener-Policy headers.
- Every server action validates its input with Zod before doing anything.
- Game outcomes and wallet changes happen on the server using cryptographic randomness — the client can't forge results.
- Our structured logger automatically strips emails, tokens, IPs, and database URLs before anything gets saved.
- Admin access is limited and requires authenticated sign-in.
No system is ever 100% secure, but we try hard.
If there's a breach: if a security incident is likely to put your rights at risk, we'll tell affected users as soon as we reasonably can, and we'll notify the relevant supervisory authority within 72 hours where required — this follows GDPR Article 33 and equivalent US state breach-notification laws.
6. How long we keep it
- Profile, avatar, and inventory — as long as your account is active.
- Chat messages — up to 30 days, and immediately wiped when you delete your account.
- Session records — up to 30 days.
- Wallet transactions and game results — up to 90 days for fairness auditing, anomaly detection, and dispute handling, then automatically purged.
- Moderation records (bans, mutes, reports, admin notes) — we may keep these longer under legitimate interest, to keep the platform safe.
- Server request logs — kept briefly by our hosting providers under their own retention policies, not linked to your account identity.
- Cache data — expires in minutes to hours.
Backups: automated database backups may hold deleted data for a short additional window before they're overwritten or destroyed on our provider's rotation schedule.
7. Deleting your account
You can delete your account any time from your profile settings, or by emailing us under your GDPR right to erasure.
When you do, we immediately:
- Scrub every identifying field from your user row — email, username, and the Clerk ID.
- Hard-delete your profile, avatar, inventory, chat messages, session history, achievement progress, quest progress, and any pending trades.
- Revoke all your active login sessions and clear related cache entries.
An anonymized placeholder row stays behind temporarily. It contains no personal data — it only exists so that the short-window audit records (wallet transactions and game history) can finish their 90-day retention period without breaking. That placeholder row is automatically hard-deleted once it's at least 730 days old, at which point every trace of the account is gone from our active databases. Moderation records linked to the deleted account may be kept longer under legitimate interest, to stop people from evading bans by signing up again.
8. Your rights
No matter where you live, you can ask us to do any of the following:
- Access — get a copy of what we have about you.
- Correct — fix anything inaccurate or incomplete (you can do most of this yourself in your profile).
- Delete — remove your account and personal info.
- Export — download your data in machine-readable JSON from your profile settings.
- Restrict or object — ask us to pause or stop processing based on legitimate interest.
- Withdraw consent where we were relying on it.
- No retaliation — using any of these rights won't affect your standing as a player.
To do any of these, use the tools in your profile settings or email luckyloungegame@gmail.com. We verify your identity through the email address on your account before handling sensitive requests. You can also have an authorized agent submit a request on your behalf.
If you're in the EU, UK, or Switzerland, you specifically have the rights in Articles 15–22 of the GDPR and UK GDPR: access (Art. 15), rectification (Art. 16), erasure / “right to be forgotten” (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (Art. 22). You can also lodge a complaint with your local data-protection authority — for the EU, see edpb.europa.eu; for the UK, ico.org.uk; for Switzerland, the FDPIC. We'd appreciate the chance to fix things first, though, so please email us before you go that route.
If you're a California resident, the CCPA/CPRA gives you the right to know, delete, correct, opt out of “sale” or “sharing” (which we don't do anyway), limit use of sensitive personal info (again, not something we do), and not be discriminated against for exercising any of these. The categories we've collected in the past 12 months are: identifiers (email, username, Clerk ID), customer records (profile fields), internet activity (anonymous and cookieless), inferences from gameplay (level, XP, progression), and “commercial information” limited to in-game virtual items. We disclose these to the providers listed in Section 4 for the purposes in Section 3. We do not sell or share personal information for cross-context behavioral advertising.
If you're in another US state with a comprehensive privacy law (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, and others), you have substantially the same rights as above, including opt-outs for “targeted advertising,” “sale,” and certain profiling. Because we don't do any of those, an opt-out request is confirmed but doesn't change anything. If your state grants appeal rights (Virginia, Colorado, Connecticut, others), you can appeal a denial by replying to our response email, and we'll review it within the time your state law requires.
9. International data transfers
Lucky Lounge is operated from the United States, and your data may be processed in the US or wherever our providers run their infrastructure. Laws in those places may be different from the ones where you live.
When we transfer personal data out of the European Economic Area, UK, or Switzerland to somewhere that doesn't have an “adequacy” decision, we use appropriate safeguards — the European Commission's Standard Contractual Clauses (Commission Decision (EU) 2021/914) and the UK International Data Transfer Addendum — built into our data-processing agreements with each provider. You can ask for a copy of the safeguards covering a specific transfer by emailing luckyloungegame@gmail.com.
10. Automated decisions
We don't make decisions that have a legal or similarly significant effect on you based purely on automated processing. Automated systems help us spot things like impossible wallet flows or attempts to evade bans, but any real enforcement — suspensions, terminations — gets human review before or shortly after it happens. You can always contest an automated detection using the appeal process in Section 8 of the Terms of Service.
11. Cookies and local storage
Here's everything Lucky Lounge puts in your browser:
- A Clerk session cookie (strictly necessary) — an HTTP-only cookie that keeps you signed in. JavaScript can't read it.
- Local storage preferences (strictly necessary / functional) — sound, theme, acknowledgment flags, onboarding state. Stored on your device only.
That's it. No advertising cookies, no analytics cookies, no third-party cookies. Vercel Web Analytics and Speed Insights (Section 1) are cookieless. Because we only use strictly necessary cookies and local storage, no cookie banner is required under the ePrivacy Directive. You can always block cookies or clear local storage in your browser — just note that blocking the session cookie will stop you from being able to sign in.
12. Kids
Lucky Lounge is strictly 18+ for everyone, everywhere — we apply a single global minimum age and don't make exceptions for regions with lower age-of-majority rules. We don't knowingly collect personal info from anyone under 18, and if we find out a user is underage we'll close the account and delete the data right away.
Under the US Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) we don't knowingly collect anything from children under 13. Under the UK Age-Appropriate Design Code (the “Children's Code”) we don't direct the service to anyone under 18 and don't profile minors. If you're a parent or guardian and think a minor has made an account, email us at luckyloungegame@gmail.com and we'll delete it.
13. Changes to this policy
When we update this policy:
- We update the “Last updated” date at the top of the page.
- Material changes get an in-app notice.
- If a change meaningfully expands what we do with your data or narrows your rights, we give at least 30 days advance notice and, where the law requires, ask for your affirmative acceptance.
- If you don't like the new version, you can delete your account before it takes effect.
14. Contact
For privacy questions, data requests, or complaints:
- Privacy / data requests — luckyloungegame@gmail.com (subject: “Privacy Request”)
- General support — luckyloungegame@gmail.com
- For self-service account management, data export, and account deletion, visit your profile settings.
We aim to reply to all privacy inquiries within 30 days (up to 45 for unusually complex ones, and we'll let you know if that happens).