Privacy Policy
This policy explains what personal data Matlu Codex collects, why, and how you can control it. We keep it plain so kids and parents can both understand.
1. Who we are
Matlu Codex is a community hub for the Core Warden game, run by Filip Marzuki. Contact: privacy@corewarden.app. This is the named contact for all data-protection enquiries and the data controller for the purposes of EU GDPR.
2. What we collect and why
| Data | Why | Lawful basis |
|---|---|---|
| Parent / guardian email address | So we can send magic sign-in links and important account notices. | Consent + contract (Art. 6(1)(a)(b)) |
| Account handle (public username) | Displayed on your creator profile page. | Consent (Art. 6(1)(a)) |
| Child's first name or nickname, optional age | So the creator of each creature is credited correctly. No surname, no photo of the child, no school, no location. | Parental consent (Art. 6(1)(a), Art. 8) |
| Creature drawings, descriptions, and answers | To show on the wiki and, with your permission, inspire in-game creatures per the Creature License. | Consent (Art. 6(1)(a)) |
| Form drafts | So you can resume an unfinished submission from any device. | Consent (Art. 6(1)(a)) |
We do not collect analytics, use tracking cookies, or fingerprint devices.
3. Who else sees it
- Supabase — our database and file-storage provider. Data is stored in an EU region (eu-central-1). Supabase Inc. (US) acts as a sub-processor under Standard Contractual Clauses for any unavoidable cross-border transfers.
- Vercel — hosts this website. Pages are served from edge locations globally; no personal data is stored by Vercel beyond standard access logs.
We do not sell, rent, or share your data with any third party for marketing.
4. How long we keep it
- Active accounts — as long as the account is active.
- Unsubmitted drafts — deleted automatically after 90 days.
- Rejected submissions — deleted automatically after 30 days.
- Inactive accounts — if there is no login for 24 months we will email a warning. If there is no response within 30 days the account and all associated data are deleted.
- Approved submissions — kept indefinitely, unless you ask us to delete or anonymise them via Account Settings.
5. Your rights
You can exercise any of these rights via Account Settings or by emailing privacy@corewarden.app.
- Access (Art. 15) — download a JSON of everything we hold.
- Rectification (Art. 16) — edit your handle, kids' names or ages.
- Erasure / right to be forgotten (Art. 17) — delete your account. You choose: full delete (removes everything) or anonymise (creatures stay on the wiki but are unattributed).
- Data portability (Art. 20) — the export JSON is machine-readable.
- Restriction (Art. 18) — pause your account. Your submissions are hidden while paused; no new data is processed.
- Withdraw consent (Art. 7(3)) — same as erasure; withdrawing triggers the deletion flow.
6. Children
This service is not for children to use directly. Only parents or guardians (18+) can create accounts. Children submit creatures via a grown-up's account. We do not knowingly collect personal data directly from children.
7. Cookies
We set one cookie — a session cookie to keep you signed in. No advertising cookies. No tracking cookies. No third-party analytics scripts.
8. Security
- All data is encrypted at rest by Supabase Postgres.
- All connections use HTTPS (enforced by Vercel).
- We use passwordless (magic-link) authentication — no passwords to steal or leak.
- Service-role database keys are never sent to the browser.
9. Changes to this policy
If we update this policy, we will email you and ask you to accept the new version on next sign-in. The version number above will also change.
10. Complaints
If you are unhappy with how we handle your data, you can contact your local data protection authority. For Sweden: Integritetsskyddsmyndigheten (IMY).