Privacy Policy

Google Sign-In

RiftBoston offers optional sign-in with Google so you can link an official locator player profile, customize your player page, and use account features. Google Sign-In is provided through Supabase Auth and Google Identity Services.

Data accessed

When you choose “Continue with Google,” we access the following Google user data:

• Email address — your Google account email, used as your RiftBoston account identifier.
• Google account ID — the OpenID Connect subject identifier (sub) supplied by Google, used only to authenticate your account and associate it with a sign-in session.

We request only the scopes needed for authentication (typically openid, email, and basic profile). We do not read Gmail, Google Calendar, Drive, Contacts, or any other Google product data.

Google may include your name or profile photo in the OAuth response. RiftBoston does not store your Google display name or profile photo. Our database trigger saves your email only and explicitly sets name and avatar fields to null.

How we use Google user data

• Account creation and sign-in — to create your RiftBoston account and keep you signed in across visits.
• Account identification — to show your signed-in status in the site header and on your Settings page.
• Locator profile linking — to associate your account with an optional official locator player profile after you complete the claim verification flow.
• Site administration — designated operator emails may access admin tools; this is separate from Google data and uses our own allowlist.

We do not use Google user data for advertising, selling profiles, automated decision-making, or any purpose unrelated to operating your RiftBoston account.

Storage, sharing, and retention

• Where it is stored — your email and authentication records are stored in our Supabase project (hosted database). Session tokens are stored in your browser as HTTP-only cookies managed by Supabase Auth.
• Sharing — we do not sell, rent, or share Google user data with third parties. Supabase processes data on our behalf as infrastructure; Google processes sign-in on their own systems when you authenticate.
• Retention — we keep your account data while your account exists. You can sign out at any time from the site menu.
• Deletion — to delete your account and associated Google-linked records, email hello@riftboston.com from the Google address you used to sign in. We will remove your account, profile link, and overlay data within a reasonable time.

Other information we collect

Most of RiftBoston works without signing in. Public pages load event, store, and community data from the official Riftbound locator.

• Community submissions — booster box prices, promo posts, store Discord links, and similar forms may collect text you submit plus a hashed fingerprint to limit abuse (not tied to Google unless you are signed in).
• Claim verification — if you link a locator profile, we store claim-session metadata (event id, timestamps, hashed IP) to prevent fraudulent claims.
• Analytics — we use Vercel Analytics and Speed Insights for aggregate page views and performance. These do not receive your Google credentials.

Children and changes

RiftBoston is a community tool for tabletop players. We do not knowingly collect personal information from children under 13.

We may update this policy. Material changes will be reflected on this page with a new “Last updated” date.

Contact

Questions about this policy or your data: hello@riftboston.com.

Learn more about the site on our About page.