Legal

Privacy policy.

What we collect, why we collect it, and what control you have over it. Written in plain English — the lawyerly bits are in there too, but we kept them short.

Last updated · May 13, 2026

1. Who we are

Huddlebase is operated by Patrik, a sole proprietor based in the United Arab Emirates (the “Operator”, “we”, “us”). The Operator is the data controller for the personal information described in this policy.

Questions, data requests, or anything else policy-related: hello@huddlebase.com.

2. What this policy covers

This policy applies to the Huddlebase marketing site (huddlebase.com) and the Huddlebase web application (huddlebase-app.web.app) — together, the “Service”.

3. Information we collect

3.1 Information you give us

  • Account data — when you sign up: your email address and password (stored as a hash by Firebase Authentication, never visible to us in plain text). Optionally, a display name.
  • Content you create — questions, prompts, themes, game configurations and any media you upload while preparing a session.
  • Session input — the display name you enter when joining a game, your answers, jokers used, buzz timing and other in-game actions.
  • Direct correspondence — anything you send us by email.

3.2 Information collected automatically

  • Technical data — IP address, browser type, device type, language, referring URL and timestamps. Collected by our hosting and database provider (see section 7) to keep the Service running and secure.
  • Authentication metadata — sign-in timestamps and security signals recorded by Firebase Authentication to detect abuse.

We do not use analytics, advertising trackers, or third-party fingerprinting on this site.

4. How we use your information

  • To operate the Service — run live game sessions, store your content, sync state across devices in real time.
  • To authenticate you and protect your account.
  • To diagnose problems, prevent abuse and maintain the security of the Service.
  • To respond to your messages and support requests.
  • To send you transactional emails (password resets, account notices). We do not currently send marketing emails.
  • To comply with legal obligations.

If you are in the European Economic Area, the United Kingdom, or a jurisdiction with similar rules, we rely on the following legal bases under the GDPR (and equivalents):

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to keep the Service secure, prevent abuse, and improve reliability. We balance these interests against your rights.
  • Consent (Art. 6(1)(a)) — where you have given it, e.g. by submitting a join-form.
  • Legal obligation (Art. 6(1)(c)) — where we must process data to comply with the law.

For users in the United Arab Emirates, we process personal data in accordance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “UAE PDPL”).

6. Cookies and local storage

The Service uses a small number of strictly-necessary browser storage mechanisms:

  • Authentication tokens set by Firebase Authentication so you remain signed in between visits.
  • Session preferences stored in localStorage so the Service remembers display names, sound settings and similar small choices.

We do not use cookies for analytics, advertising or cross-site tracking. Because we only set strictly-necessary storage, no cookie banner is shown.

7. Service providers (sub-processors)

We use a single platform provider to operate the Service:

  • Google LLC / Google Ireland Ltd. — Firebase Authentication, Firestore, Realtime Database, Cloud Storage, Cloud Functions, and Firebase Hosting. Firestore and the Realtime Database are configured to run in the europe-west1 region. Google acts as our data processor under the GDPR. Their privacy commitments are available at firebase.google.com/support/privacy.

If we add another sub-processor (for example an email or analytics provider), we will update this list before that provider begins processing your data.

8. International transfers

Game and account data are stored in Google data centers in the European Union (europe-west1). Some technical operations — for example logging and platform administration by Google — may involve access from outside the EU. Where Google transfers personal data outside the EU/EEA on our behalf, transfers are covered by the European Commission’s Standard Contractual Clauses and Google’s supplementary measures.

9. How long we keep your data

  • Account data — for as long as your account is active. If you delete your account, we delete the account record and associated content within 30 days, except where retention is required by law.
  • Live session state (answers, buzzes, leaderboards in the Realtime Database) — wiped automatically when the session ends, or shortly after.
  • Persistent session records (saved configurations and final results in Firestore) — retained until you delete them.
  • Server logs — retained by our hosting provider for up to 30 days for security and operational diagnostics.

10. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Delete your data (the “right to be forgotten”).
  • Restrict or object to certain processing.
  • Receive a copy of your data in a portable format.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your local data protection authority. In the UAE, that is the UAE Data Office.

To exercise any of these rights, email hello@huddlebase.com. We will respond within 30 days. We do not charge a fee for reasonable requests.

11. Children’s privacy

The Service is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.

12. Security

We rely on Firebase’s platform security: encryption in transit (HTTPS/TLS), encryption at rest, hashed passwords, and access controls enforced by Firebase security rules. No system is perfectly secure, but we take reasonable steps to protect your data.

If we ever become aware of a personal-data breach affecting you, we will notify you and the relevant authority within the timeframes required by applicable law.

13. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page (and, where appropriate, by email). The “Last updated” date at the top of this page always reflects the current version. Continued use of the Service after a change means you accept the updated policy.

14. Contact us

Questions, requests, or anything else: hello@huddlebase.com.