Privacy Policy
Last updated: June 11, 2026
The short version
Gauntle asks for a username and a password. We don't ask for your email or any other identifying information. We don't sell your data, share it with advertisers, or use it to train AI models. The rest of this page is the long version.
What we collect
Your account:
- Username (used to sign in; lowercased internally)
- Display name (what shows on the leaderboard)
- A salted, peppered argon2id hash of your password (never the password itself)
- Salted, peppered hashes of your recovery codes (so we can verify them when you reset a password)
- The date your account was created and the date you last changed your display name
- Your settings (theme, accessibility, sound, gameplay preferences)
Your runs:
- The date of each run and your total time
- Per-game results (time per game, score deltas, skips, flawless flag)
- Streak (current and longest)
- In-progress run state, so you can resume a run if you reload the page
If you write to us through the contact form:
- The message you send, plus whatever optional contact info you choose to include (email, Discord handle, etc.)
- A copy is also delivered to us through Netlify Forms (see "Third parties" below). Contact form submissions pass through Netlify (US) before reaching us.
How we use it
We use this data to run Gauntle:
- Authenticating you when you log in
- Displaying leaderboards and your score history
- Tracking your streak
- Remembering your preferences between sessions
- Replying to messages you send us through the contact form
We do not sell your data, share it with third parties for advertising, or use it to train AI models. There are no ad networks on the site. The only third-party script we load is a privacy-preserving analytics counter (see "Third parties" below).
Depending on where you live, you may have additional rights under local law (e.g. GDPR in the EU/UK, the Privacy Act in Australia, CCPA in California), including the right to access, correct, or delete your data, and to lodge a complaint with your local data protection authority. Contact us through the contact form to exercise these rights.
If you're in the EU/UK, we process your data on the basis of contract (running the account you signed up for) and legitimate interests (security, anti-cheat, basic analytics).
Cookies
We use one cookie, gauntle_session: a signed token that keeps you logged in. It's marked HttpOnly (browser JavaScript can't read it), SameSite=Lax (browsers leave it off cross-site requests, apart from top-level navigation to the site), and Secure on the live site (so it's only sent over HTTPS). It expires 30 days after issue, and we refresh it once it's more than 7 days old so an active player stays signed in.
Because we don't use tracking or advertising cookies, Gauntle doesn't show a cookie consent banner.
For anonymous visitors, we may also write a few low-risk preferences (like the chosen theme and settings) to your browser's localStorage. That data never leaves your device.
Third parties
Gauntle runs on a small number of services. Each one only sees the data it needs to do its job:
- Netlify hosts the site and serves requests. Like most web hosts, Netlify's edge logs include IP addresses and basic request metadata; we don't access those logs to identify individual players. See Netlify's privacy policy for their own retention practices.
- Netlify Forms receives a copy of contact-form submissions so we get notified of them. The same content is also stored in our database.
- Turso hosts our database (your account, scores, and contact submissions).
- Umami counts page visits so we can tell which parts of the site get used and which devices and browsers we should prioritise when optimising performance. It doesn't set cookies, doesn't track you across other sites, and doesn't collect your IP address, mouse movements, or anything that identifies you personally. Each visit is recorded as an anonymous event with the page URL, referrer, browser, OS, device type, and country (derived from your IP and stored; the IP itself is discarded immediately). Your username, account, and game history are never sent to Umami. It has no idea who you are or whether you're signed in.
Our database and host are based in the United States. By using Gauntle, you understand your data may be processed in countries other than your own.
Data retention
- Account, scores, streaks, settings: kept while your account exists. Deleted permanently when you delete your account.
- Contact form submissions: kept while we need them to answer you or action changes. They are typically deleted within 12 months of the conversation being resolved.
- Rate-limit counters: when you fail a login, signup, or recovery, we briefly store your IP and a count of failed attempts to slow down brute-force attacks. These entries expire after 15 minutes and are deleted as soon as you succeed.
- Server-side error reports (if any): kept only long enough to debug.
Your rights
From the settings page, while signed in, you can:
- See your username and current display name
- Change your display name (with a 30-day cooldown between changes)
- Change your password
- Regenerate your recovery codes (this invalidates the old ones)
- Adjust your appearance and gameplay preferences
- Delete your account, which permanently removes your scores, streaks, settings, and recovery codes
Children's privacy
Gauntle isn't directed at children under 13. We don't knowingly collect data from anyone under 13. Users under 18 should have parental consent (see Terms of Service). If you believe we've inadvertently collected such data, contact us and we'll delete it.
Changes
We may update this policy or the terms of service at any time. Material changes will be announced on the About page changelog.
Contact
To reach us, use the contact form on the About page or email contact@gauntle.com.