Privacy Policy
Effective Date:
1. Introduction
ThekaDex (“we,” “our,” or “us”) operates a platform that helps indie game developers transform their game jam projects into professional portfolios. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our service.
2. Data Controller and Processors
2.1 Data Controller
ThekaDex, Inc. acts as the Data Controller for your personal information. We determine the purposes and means of processing your data. For purposes of applicable data protection laws, the data controller is:
2.2 Data Processors
We use the following third-party service providers who process data on our behalf as Data Processors. Each processor is bound by Data Processing Agreements (DPAs) that ensure GDPR-compliant data handling:
- Supabase: Database hosting and authentication services
- Vercel: Application hosting and edge computing services
- Upstash (Vercel KV): Caching and rate limiting services
All data processors have been carefully selected to ensure they provide appropriate technical and organizational measures to protect your personal data.
3. Information We Collect
3.1 Information You Provide
- Account Information: Email address, password (encrypted), and username
- Profile Information: Display name, bio, tagline, profile picture, social media links, and availability status
- itch.io Connection: When you connect your itch.io account, we collect your itch.io username, user ID, and access token (encrypted using AES-256-GCM encryption)
3.2 Information We Collect Automatically
- Game Jam Data: When you sync your itch.io account, we automatically import your game jam entries including game titles, descriptions, cover images, statistics (views, downloads, ratings), rankings, tags, platforms, and jam metadata
- Usage Analytics: We collect analytics about portfolio views. Viewer types (developer or recruiter) are self-identified by users when they create accounts. Anonymous viewers are not categorized. We anonymize analytics data by truncating IP addresses and aggregating data such that individual users cannot be re-identified.
- Technical Information: IP address (truncated for analytics), browser type, device information, and access times for security and service improvement purposes
4. How We Use Your Information
We use the collected information for the following purposes:
- To create and maintain your account
- To generate and display your public portfolio at thekadex.com/[username]
- To sync your game jam entries from itch.io
- To provide analytics about your portfolio views
- To improve and optimize our service
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
4.1 Communications
We send two types of communications:
Transactional Communications (you cannot opt out):
- Account security alerts and password resets
- Critical service updates and maintenance notifications
- Responses to your support requests
- Legal notices and policy updates
Marketing Communications (opt-in/opt-out):
- New features and product updates
- Tips and best practices for portfolio optimization
- Promotional offers (if we introduce paid tiers)
You can opt out of marketing emails at any time via the unsubscribe link in any marketing email or through your account settings.
5. Information Sharing and Disclosure
5.1 Public Information
The following information is publicly accessible on your portfolio page at thekadex.com/[username]:
- Username, display name, bio, and tagline
- Profile picture
- Social media links you choose to display
- Game jam entries and their associated metadata
- Availability status (if enabled)
5.2 Third-Party Service Providers
We share information with the following third-party service providers. Each provider has been selected for their strong privacy and security practices:
- Supabase: Database and authentication services (data stored in secure cloud infrastructure)
- itch.io: To sync your game jam entries via their API
- Vercel: Hosting and edge computing services
- Upstash (Vercel KV): Rate limiting and caching services
We have Data Processing Agreements (DPAs) in place with our data processors to ensure GDPR-compliant handling of your personal information.
5.3 Legal Requirements
We may disclose your information if required by law, legal process, or government request, or to protect the rights, property, or safety of ThekaDex, our users, or the public.
6. Data Security
We implement industry-standard security measures to protect your personal information:
- Passwords are hashed using bcrypt
- itch.io access tokens are encrypted using AES-256-GCM encryption
- All data transmissions use HTTPS/TLS encryption
- Database access is protected by Row Level Security (RLS) policies
- Regular security audits and updates
7. Data Breach Notification
In the event of a data breach that may affect your personal information, we are committed to transparency and prompt notification:
- Notification Timing: We will notify you without undue delay, and within 72 hours where required by applicable law (such as GDPR)
- Notification Method: We will send notification via email to your registered email address
- Information Provided: Our notification will describe the nature of the breach, the categories of personal data affected, potential consequences, and the measures we have taken or propose to take to mitigate the breach
- Regulatory Notification: For users in the European Union, we will notify the relevant supervisory authorities as required by GDPR Article 33
- Your Actions: We will provide guidance on steps you can take to protect yourself, such as changing passwords or monitoring accounts
We maintain an incident response plan and conduct regular security assessments to minimize the risk of data breaches and ensure rapid response if one occurs.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you services. Specific retention periods and their justifications include:
- Account Data: Retained while your account is active and for 30 days after account deletion
  Reason: To allow account recovery in case of accidental deletion and to prevent immediate re-registration abuse
- Profile Information: Deleted within 30 days of account deletion
  Reason: Grace period for account recovery; permanently removed thereafter
- Game Jam Data: Deleted within 30 days of account deletion or itch.io disconnection
  Reason: No longer needed once account is deleted or integration is disconnected
- Access Logs: Retained for up to 90 days
  Reason: Security monitoring, fraud investigation, and abuse prevention
- Analytics Data: Anonymized analytics may be retained indefinitely
  Reason: Once truly anonymized (cannot identify individuals), data is used for long-term service improvement and does not constitute personal data under GDPR
- Legal Compliance: Some data may be retained longer where required by law
  Reason: Compliance with legal obligations, tax requirements, or valid legal holds
When you delete your account, we retain your data for 30 days to allow account recovery in case of accidental deletion. During this period, you can contact support@thekadex.com to restore your account. After 30 days, all personal data is permanently deleted and cannot be recovered.
9. Your Rights and Choices
You have the following rights regarding your personal information:
Access Your Data
You can access your profile data through the dashboard settings page at any time.
- Log into your dashboard
- Navigate to Settings → Privacy & Data
- View all your stored personal information
Update Your Information
You can update your profile information at any time in your settings.
- Log into your dashboard
- Navigate to Settings
- Update your profile information, bio, social links, etc.
- Changes take effect immediately
Export Your Data
Request a machine-readable copy of all your personal data.
Email privacy@thekadex.com with your username and registered email address. Include "Data Export Request" in the subject line. We will provide a JSON export within 48 hours.
Delete Your Data
You can delete your itch.io connection or your entire account.
- Log into your dashboard
- Navigate to Settings → Account
- Click "Disconnect itch.io" or "Delete Account"
- Confirm your choice
Note: Account deletion is permanent after 30 days. During this grace period, you can contact support to restore your account.
Control Visibility
You can control which information is public on your portfolio through your dashboard settings.
Other Requests
For other data-related requests (objection to processing, restriction of processing, etc.), contact us at privacy@thekadex.com with:
- Your username and registered email
- Specific request type (access, deletion, objection, etc.)
- Valid ID verification for security purposes
We will respond within 30 days.
9.1 GDPR Rights (EU Users)
If you are located in the European Union, you have additional rights under GDPR:
- Right to be Forgotten: Request complete deletion of your personal data
- Data Portability: Receive your data in a structured, machine-readable format
- Object to Processing: Object to processing of your personal data for certain purposes
- Restrict Processing: Request restriction of processing in certain circumstances
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Lodge a Complaint: File a complaint with your local data protection authority
Legal Basis: We process your data based on (1) your consent when you create an account, (2) contractual necessity to provide our services, and (3) legitimate interests in improving our platform and preventing fraud.
9.2 CCPA Rights (California Users)
If you are a California resident, you have rights under the CCPA:
- Right to Know: Request information about personal data we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at privacy@thekadex.com. We will respond within 45 days.
10. Cookies and Tracking
We use cookies and similar tracking technologies to provide and improve our service. This section explains what cookies we use, why we use them, and how you can control them.
10.1 Types of Cookies We Use
Essential Cookies (Required)
These cookies are necessary for the service to function and cannot be disabled:
- Authentication: Maintains your logged-in session (expires after 30 days)
- Security: CSRF protection tokens (session-based)
- Preferences: Theme selection (dark/light mode) (persistent)
Analytics Cookies (Optional)
These cookies help us understand how users interact with our service:
- Portfolio Analytics: Track views, visitor types, and referrers (anonymized)
- Usage Analytics: Understand feature usage and user flows (anonymized)
Note: We anonymize IP addresses and aggregate data so individual users cannot be identified.
10.2 Third-Party Cookies
Our hosting provider (Vercel) may set cookies for performance optimization and edge caching. These cookies do not contain personal information.
10.3 Cookie Control
You have several options to control cookies:
- Browser Settings: Most browsers allow you to refuse cookies or delete existing cookies. However, disabling essential cookies will prevent you from using core features like signing in.
- Analytics Opt-Out: You can opt out of analytics tracking in your account settings (feature coming soon).
11. Children's Privacy
ThekaDex is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
Age Verification: When you create an account, you affirm that you are at least 13 years of age. For users in the European Union between ages 13-16, we may require parental consent in accordance with GDPR Article 8.
Parent or Guardian Notice: If you are a parent or guardian and believe we have collected information from a child under 13, please contact us immediately at privacy@thekadex.com. We will delete such information within 48 hours of verification.
12. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your country.
12.1 Countries Where Data Is Processed
Your data may be transferred to and processed in the following countries:
- United States: Supabase (database), Vercel (hosting), Upstash (caching)
- Your Location: Edge servers may cache content closer to your location for performance
12.2 Safeguards for International Transfers
We ensure appropriate safeguards are in place to protect your information during international transfers:
- Standard Contractual Clauses (SCCs): For transfers from the EU to the United States, we rely on Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision 2021/914)
- Data Processing Agreements: All third-party processors have signed DPAs that include SCCs where required
- Technical Safeguards: Encryption in transit (TLS) and at rest, access controls, and regular security audits
- Processor Compliance: Our service providers comply with GDPR requirements and maintain ISO 27001 or SOC 2 certifications
You can request a copy of the safeguards we have in place by contacting privacy@thekadex.com.
13. Do Not Sell My Personal Information
We do not sell your personal information. ThekaDex has never sold personal information and we have no plans to do so in the future.
Under the California Consumer Privacy Act (CCPA), California residents have the right to opt out of the sale of their personal information. Since we do not sell personal information, there is no need to opt out. However, if our practices change in the future, we will update this Privacy Policy and provide California residents with a clear way to opt out before any such sale occurs.
If you have questions about our data practices, please contact us at privacy@thekadex.com.
14. Privacy by Design
We implement privacy considerations throughout our development process and service architecture:
- Data Minimization: We only collect information that is necessary to provide our service. We do not collect unnecessary personal data or track users beyond what is needed for functionality and basic analytics.
- Encryption by Default: Sensitive data is encrypted at rest (AES-256-GCM for tokens, bcrypt for passwords) and in transit (TLS 1.3). All connections to our service use HTTPS.
- Access Controls: Strict limits on who can access user data internally. Database access is protected by Row Level Security (RLS) policies ensuring users can only access their own data.
- Security Audits: Regular security assessments, dependency updates, and vulnerability scanning to identify and fix potential issues before they can be exploited.
- Privacy Impact Assessments: New features that process personal data undergo privacy reviews to ensure compliance with data protection principles.
- Transparency: Clear communication about what data we collect, how we use it, and who we share it with. No hidden data collection or tracking.
- User Control: You have control over your data with easy-to-use tools to view, update, export, and delete your information.
Privacy is not an afterthought – it's built into every aspect of our service from the ground up.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last Updated” date above.
Notification of Material Changes: For significant changes that affect your rights or how we process your data, we will:
- Send an email notification to your registered email address
- Display a prominent notice on the service
- Provide at least 30 days' notice before the changes take effect
Your continued use of the service after such changes constitutes your acceptance of the new Privacy Policy. If you do not agree to the changes, you may delete your account.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
ThekaDex, Inc.
PO Box 97
Powell, TN 37849
United States
Email: privacy@thekadex.com
Response Time:
- General inquiries: 30 days
- GDPR requests (EU users): 30 days
- CCPA requests (California users): 45 days (extendable to 90 days for complex requests, with notice)
Data Protection Officer: All privacy-related requests, including GDPR inquiries from EU users, should be sent to the email address above. We handle all data protection matters internally and will designate an EU representative if legally required as our user base grows.
Last updated: