Privacy Policy

1. Privacy in the Grail lobby

This Privacy Policy explains how Grail Collective handles information when you visit the site, sign in, test beta features, send feedback, or interact with chests, gems, gold, directives, seasons, vaulted cards, and other product systems.

The short version: we collect the data needed to run the game, protect the community, improve the beta, and keep account activity connected to the right player identity.

2. Account and identity data

  • Account identifiers: user ID, email address, name, avatar, and profile details supplied through authentication.
  • Verification state: signals such as whether an email address or phone number has been verified.
  • Session data: information needed to keep you signed in and route protected app requests through Clerk auth.

Your account is the anchor for Grail activity. Without it, the app cannot reliably attach inventory, gold, feedback, beta access, or fair-play decisions to the right user.

3. Product activity data

When you use Grail, we may collect activity connected to the product experience, including:

  • pages visited, route changes, and feature surfaces opened;
  • profile, dashboard, or account actions;
  • chest, gem, gold, directive, raffle entry, voting, marketplace, or season interactions;
  • beta access state, product flags, participation history, and progression markers;
  • timestamps, request metadata, and basic outcome states such as success, failure, or cancellation.

This information helps Grail understand what happened in the lobby, restore account context, debug broken flows, and keep competitive product mechanics readable.

4. Device, log, and technical data

We may collect technical data that helps operate the web app and protect the service. This can include browser type, device type, operating system, IP-derived region, timestamps, request paths, error logs, performance signals, and security metadata.

Logs are not meant to be a spectator mode for private life. They are operational tools for keeping Grail online, detecting abuse, fixing bugs, and understanding whether a beta feature is playable.

5. Feedback, support, and community data

If you send feedback, report a bug, ask for support, join a community channel, or submit product ideas, we may collect the content you provide and the account details needed to respond.

  • messages, comments, screenshots, names, handles, and contact details you choose to share;
  • support context such as issue type, affected feature, browser details, and account state;
  • moderation or safety signals if a report involves harassment, spam, fraud, or fair-play issues.

6. How we use data

We use collected data to run and improve Grail, including to:

  • authenticate users and keep protected routes tied to the correct account;
  • display account, profile, inventory, gold, and beta participation state;
  • operate chests, gems, directives, season mechanics, access rules, and collector education surfaces;
  • debug app behavior, investigate errors, and monitor service health;
  • detect bots, abuse, duplicate-account patterns, manipulation, and other fair-play risks;
  • answer support requests and incorporate useful product feedback;
  • understand aggregate usage patterns so Grail can become a better collector game.

7. Cookies and local storage

Grail uses cookies and browser storage for practical app reasons: sign-in sessions, protected-route behavior, attribution parameters, interface preferences, beta tooling, and similar product state.

You can block cookies or clear browser storage, but parts of Grail may stop working correctly. A signed-in collector experience needs session storage the same way a game server needs to know which player just entered the match.

8. Third-party providers

Grail relies on trusted providers to run core product infrastructure. Current named providers include:

  • Clerk: authentication, session management, user identity, and account security.
  • Sentry: backend error monitoring and operational debugging, with sensitive values reduced where practical.

Grail may also use providers for hosting, databases, storage, analytics, email, support, moderation, shipping, auctions, payments, or compliance if those systems become part of a feature.

Third-party providers may process data under their own terms and privacy policies. We choose providers to help operate Grail, not to sell the lobby to advertisers.

9. Fair-play and security review

Grail may review account, device, log, and activity data to protect product integrity. This matters for features where timing, access, voting, rewards, giveaways, auctions, marketplace signals, or beta invites need to stay fair.

Security review may include checking for automation, suspicious request patterns, duplicate-account abuse, scripted activity, false submissions, exploit attempts, or behavior that harms other collectors.

10. Sharing and disclosure

We do not sell your personal information. We may share data only when there is a legitimate reason, such as:

  • with infrastructure providers that help Grail operate;
  • with authentication and security providers that protect accounts;
  • with support, fulfillment, auction, shipping, payment, or compliance providers when a feature requires it;
  • to investigate abuse, enforce terms, protect users, or defend Grail systems;
  • when required by law, legal process, or a valid government request;
  • as part of a merger, acquisition, financing, or transfer of product assets.

11. Card outcomes, fulfillment, and future features

Some Grail features may eventually involve physical cards, redemption, shipping, auctions, randomized giveaways, compliance review, or identity checks. If you choose to participate, we may need extra information to complete that specific flow.

That information may include legal name, shipping address, contact details, eligibility confirmations, tax or compliance details, and communications about the relevant outcome. We will request that information only when the feature needs it.

12. No payment data stored directly

Grail does not currently collect or store payment card details directly in the app source described by this policy. If paid features are introduced, payment information should be handled by payment providers rather than stored by Grail directly.

Payment providers may receive transaction details, billing details, fraud-prevention signals, and other information required to process a purchase, refund, auction, or paid product action.

13. Data retention and beta resets

We keep information for as long as needed to operate Grail, maintain account history, investigate abuse, satisfy legal obligations, resolve disputes, and improve the beta.

Beta product data may be changed, corrected, migrated, archived, or deleted as the app evolves. Account deletion requests do not always remove aggregated analytics, security logs, legal records, or backups immediately.

14. Your controls and rights

Depending on where you live, you may have rights to access, correct, delete, export, or object to certain processing of your personal data. Use an available account-support channel to make a request.

We may need to verify your account before acting on a request. Some requests can be limited if data is needed for security, legal obligations, product integrity, dispute handling, or completion of a collector outcome you joined.

15. Children and eligibility

Grail is not intended for children under the age required by applicable law. If you believe a child provided personal information to Grail without appropriate permission, contact us through an available support channel.

Some future features may have additional age, location, identity, or eligibility rules because collector outcomes, giveaways, auctions, shipping, or compliance requirements can vary by region.

16. International processing

Grail and its providers may process information in countries other than the one where you live. Data protection laws may differ by location, but we use the information for the purposes described in this policy.

17. Security

We use reasonable technical and organizational measures to protect Grail data, including authentication, access controls, monitoring, and operational logging. No online service can promise perfect security.

You can help by keeping your account credentials private, using a secure email account, avoiding suspicious links, and reporting anything that looks like account takeover, impersonation, or product manipulation.

18. Changes to this policy

We may update this Privacy Policy as Grail changes. Material updates may be communicated through the website, account messaging, or by updating this page.

Continuing to use Grail after an update means the new policy applies to your use of the Service. If you disagree with the update, stop using Grail and use an available support path for account questions.