TriviaTies Privacy Policy

Draft — Not yet in effect

Privacy Policy

The API Guys LLC d/b/a TriviaTies

Last Updated: April 3, 2026

1. Introduction

The API Guys LLC, operating as TriviaTies (“we,” “our,” or “us”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our trivia hosting platform at triviaties.com and app.triviaties.com (the “Service”).

This policy applies to organizations that subscribe to the Service (“Customers”), their designated users who manage trivia events (“Authorized Users”), and individuals who participate in trivia events hosted on the platform (“Players”).

2. Information We Collect

2.1 Account Information (Provided by You)

When you create an account or are invited to join an organization, we collect:

  • Email address and username
  • Profile information: display name, avatar, phone number, bio, website
  • Social media profile URLs (Facebook, Twitter, LinkedIn, Instagram, Snapchat, YouTube, Pinterest) if voluntarily provided

2.2 Organization Information (Provided by Admins)

Organization administrators provide:

  • Organization name, description, timezone, and contact email
  • Billing information: subscription tier, payment method (processed by Stripe — see Section 5)
  • Custom branding settings: colors, logos, custom CSS (if applicable to subscription tier)

2.3 Trivia Content (Provided by Hosts)

Hosts and content managers create:

  • Trivia questions, answers, and answer choices
  • Media content: images, audio files, and video files uploaded to the platform
  • Event configurations: round structures, item settings, scoring rules, team configurations

2.4 Game Play Data (Generated During Use)

When players participate in trivia events, we collect:

  • Team rosters and player associations
  • Answers submitted, scores, and response times
  • Poll votes, wager amounts, and tiebreaker responses
  • Event participation history and performance statistics

2.5 Feedback Data (Voluntarily Submitted)

When you submit a bug report or feature request through our in-app feedback system, we collect:

  • Report title, description, category, and severity
  • Your username, organization name, and subscription tier
  • Automatically captured context: page URL, browser information, and console errors

Important: Feedback reports are submitted to GitHub as issues for tracking and resolution. This means your report details (including username, organization name, and browser information) are shared with GitHub. See Section 5 for details.

2.6 Information Collected Automatically

When you use the Service, we automatically collect:

  • Authentication tokens: When you log in, an access token and a refresh token are stored in your browser’s local storage. The access token is sent with each API request to authenticate your session. The refresh token is used only to obtain a new access token when the current one expires.
  • Cookies: The Service sets a small number of cookies for server-side functionality: a session identifier (sessionid) and a cross-site request forgery protection token (csrftoken). These are used for administrative interfaces and security. See our Cookie Policy for details.
  • Error monitoring data: When errors occur, our error monitoring service (Sentry) captures your user ID, email address, username, IP address, browser information, and the content of the request that triggered the error. This data is used exclusively for diagnosing and fixing technical issues.
  • Analytics data: We use Google Tag Manager (GTM) and Google Analytics 4 (GA4) to collect aggregated analytics data, including pages visited, navigation paths, session duration, referral sources, device and browser type, and geographic region (derived from a truncated IP address, which is not stored in full). This data helps us understand how the platform is used and improve the Service. See our Cookie Policy for details on analytics cookies.
  • Server logs: IP addresses, request timestamps, and HTTP request metadata retained for security and operational purposes.

2.7 Information from Third Parties

If you sign in using a social authentication provider (Discord, Facebook, Google, or Slack), we receive your profile information (name, email address, and profile picture) from that provider. We only request the minimum information needed for authentication.

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Host trivia events, manage teams and scoring, deliver real-time game experiences, and generate analytics
  • Manage your account: Process authentication, manage organization memberships, and enforce subscription tier limits
  • Process billing: Manage subscriptions, process payments (via Stripe), send billing-related communications
  • Improve the Service: Monitor performance, diagnose errors (via Sentry), analyze usage patterns and conversion funnels (via Google Analytics 4), identify and fix bugs
  • Communicate with you: Send transactional emails (trial reminders, payment notifications, account verification), respond to support requests
  • Ensure security: Detect and prevent abuse, enforce rate limits, protect against unauthorized access

We do not sell your personal information. We do not use your information for advertising. We do not use your trivia content (questions, answers, media) for any purpose other than providing the Service to your organization.

For users in the United States: We process your information as necessary to perform our contract with you (the Terms of Service), to comply with legal obligations, and based on our legitimate business interests in operating and improving the Service.

For users in the European Economic Area (if applicable): If you are located in the EU/EEA, we process your personal information based on:

  • Contract performance: Processing necessary to provide the Service under our Terms of Service
  • Legitimate interests: Service operation, security, error monitoring, and product improvement
  • Consent: When you voluntarily provide optional profile information or connect social authentication accounts

5. Third-Party Service Providers

We share personal information with third-party service providers that help us operate the Service. Each provider processes data only for the purposes described below and in accordance with their own privacy policies.

For a complete list of our subprocessors, see our Subprocessor List.

Key disclosures:

  • Stripe processes payment and subscription data. We do not store credit card numbers — Stripe handles all payment card processing. See Stripe’s Privacy Policy.
  • Sentry receives error monitoring data including user identifiers, IP addresses, and request context when application errors occur. This data is used exclusively for technical issue resolution. See Sentry’s Privacy Policy.
  • GitHub receives feedback reports (bug reports and feature requests) including reporter username, organization name, and browser context. See GitHub’s Privacy Statement.
  • Amazon Web Services hosts all platform infrastructure and stores uploaded media files. All data is encrypted at rest and in transit. See AWS’s Privacy Notice.
  • Google LLC (Google Tag Manager / Google Analytics 4) collects aggregated analytics data from your browser, including pages visited, session information, device type, and truncated IP address. No personally identifiable information (name, email, user ID) is transmitted to Google via our analytics implementation. See Google’s Privacy Policy.
  • Social authentication providers (Discord, Facebook, Google, Slack) share your profile information with us when you choose to sign in through their services. We do not share your TriviaTies data back to these providers.

6. Cookies, Local Storage, and Similar Technologies

The Service uses browser local storage to maintain your authenticated session. An access token and a refresh token are stored in your browser’s local storage. The access token is sent in an HTTP header with each API request; the refresh token is sent only when requesting a new access token.

The Service also sets a small number of cookies for server-side functionality:

  • sessionid: Server-side session identifier (HttpOnly)
  • csrftoken: Cross-site request forgery protection (HttpOnly)
  • Sentry browser SDK: Minimal diagnostic data for error tracking

The Service uses Google Tag Manager (GTM) and Google Analytics 4 (GA4) for analytics purposes. GA4 sets cookies on your device (including _ga and _gid) to distinguish unique users and measure session activity. These analytics cookies are non-essential and are set only after you provide consent where required by applicable law (e.g., for users in the EU/EEA/UK). We do not use advertising cookies, social media tracking cookies, or fingerprinting technologies.

For a full list of cookies used, see our Cookie Policy.

7. Data Retention

  • Active accounts: We retain your data for as long as your account or organization is active on the Service.
  • Deleted records: When data is deleted within the Service (e.g., removing a question or team), it is soft-deleted and retained in a deactivated state. Soft-deleted records are not visible in the application but may persist in our database until manually purged.
  • After termination: When a subscription ends, your organization transitions to the Free (Starter) tier and your data is preserved on the free tier indefinitely. If you request account deletion, we will permanently delete your data within a reasonable timeframe. To request a data export or account deletion, contact support@triviaties.com.
  • Error monitoring data: Retained per Sentry’s standard retention policy (typically 90 days).
  • Server logs: Retained for up to 18 months for security and operational purposes.

8. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in transit: All data transmitted between your browser and our servers uses TLS (HTTPS)
  • Encryption at rest: Database and file storage are encrypted using AWS-managed encryption
  • Access controls: Role-based access control (RBAC) scoped to your organization; data from one organization is never accessible to another
  • Security headers: HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and other protective headers
  • Rate limiting: API and authentication rate limits to prevent abuse
  • Session security: HttpOnly flags on server-side cookies; authentication tokens transmitted exclusively over HTTPS

No system is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.

9. Your Privacy Rights

9.1 General Rights

All users may:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Delete your account and associated personal data
  • Export your data (available as a self-service feature on eligible subscription tiers, or by contacting support@triviaties.com)
  • Opt out of non-essential communications

9.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how we use it
  • Delete your personal information (subject to certain exceptions)
  • Opt out of the sale of personal information — we do not sell personal information
  • Non-discrimination — we will not discriminate against you for exercising your rights
  • Correct inaccurate personal information

9.3 EU/EEA Residents

If you are located in the European Economic Area, you may also have the right to:

  • Data portability — receive your data in a structured, machine-readable format
  • Restriction of processing — request that we limit how we use your data
  • Object to processing — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time

9.4 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@triviaties.com. We will respond within 30 days. We may need to verify your identity before processing your request.

10. International Data Transfers

All data is processed and stored in the United States (AWS us-west-2 region). If you are accessing the Service from outside the United States, your information will be transferred to and processed in the United States.

11. Children’s Privacy

The Service is designed for businesses and organizations. It is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16.

Note: Trivia players may include minors (e.g., in educational or family-friendly events). The organization hosting the event is responsible for obtaining any necessary parental consents for participants under the age of 16.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (sent to the address associated with your account) and by posting a notice on the Service at least 30 days before the changes take effect.

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Privacy Inquiries: privacy@triviaties.com

General Support: support@triviaties.com

The API Guys LLC
Massachusetts, United States