Privacy Policy

Last Updated: June 21, 2026

At ScoreKit, we believe in complete transparency. We know that as developers, you care deeply about how your data—and your players' data—is handled. This Privacy Policy explains how ScoreKit ("we", "us", or "our") collects, uses, and protects information when you use our website, APIs, and Unity SDK (collectively, the "Service").

Because ScoreKit operates as a Backend-as-a-Service (BaaS), we handle two distinct categories of data: Developer Data (your information) and Player Data (information generated by players playing your games).

1. Information We Collect from You (Developer Data)

When you register for ScoreKit, join our waitlist, or contact support, we collect information directly from you to maintain your account and provide our services.

  • Account Information: When you sign up, we collect your email address, full name, and studio/company name. If you use OAuth (e.g., Discord), we receive your authenticated email address from that provider.
  • Billing Information: If you subscribe to our paid tiers, your payment details are collected and processed directly by our secure third-party payment processor, Stripe. ScoreKit does not store your credit card numbers; we only store a customer reference ID to manage your subscription access.
  • Communication Data: If you submit a form via our Contact page or Report Issue dashboard, we collect the contents of that message and your email address to reply.

2. Information We Process for You (Player Data)

When you integrate the ScoreKit SDK into your game, your game client sends telemetry to our backend. For Player Data, the Developer is the "Data Controller," and ScoreKit acts strictly as the "Data Processor." We only process this data to provide leaderboard and achievement functionality for your game. The data we process includes:

  • Player Identifiers: Hardware or platform-generated Device IDs and chosen display names.
  • Game Telemetry: Numerical scores, achievement unlock events, timestamps, and metric metadata.
  • Moderation Flags: Automated anomaly severity flags (e.g., velocity flags for anti-cheat) and manual shadowban statuses applied by you.

Developer Responsibility: You must provide your own Privacy Policy within your game that informs your players that you collect this data and transmit it to third-party processors like ScoreKit.

3. How We Use the Information

We use the data we collect solely to operate, secure, and improve the ScoreKit Service. Specifically, we use it to:

  • Authenticate your access to the developer dashboard and API.
  • Process your subscription payments and enforce rate limits.
  • Send transactional emails (e.g., password resets, daily cron reports, and season export data).
  • Detect, investigate, and prevent fraudulent activity, unauthorized API access, or server abuse.

4. How We Share Information

We will never sell your personal information or your players' data. We only share information with trusted third-party infrastructure partners necessary to run ScoreKit:

  • Database & Auth Hosting: Supabase (manages our PostgreSQL database and user authentication).
  • Payment Processing: Stripe (handles subscription billing and invoicing).
  • Edge Infrastructure: Vercel & Upstash Redis (handles API hosting, edge-caching, and rate limiting).
  • Email Delivery: Mailtrap (dispatches transactional and automated system emails).

We may also disclose information if required by law, subpoena, or other legal processes, or to protect the security and integrity of our infrastructure.

5. Data Retention and Deletion

  • Developer Data: We retain your account information for as long as your account is active. You can delete your projects and your account at any time via the ScoreKit dashboard.
  • Player Data: You have full control over your players' data. Using the ScoreKit dashboard, you can manually delete individual scores, purge entire leaderboards, or utilize our automated Season Rollover tools to archive and wipe data on a schedule.

6. Security

We take security seriously. ScoreKit utilizes secure architectural practices, including encrypted Row-Level Security (RLS) policies via Supabase, Redis edge-caching to prevent database locking, and HMAC-SHA256 cryptographic signatures to validate client-side payloads. However, no internet transmission is 100% secure, and we cannot guarantee absolute security.

7. Your Rights

Depending on your location (such as under the GDPR in Europe or CCPA in California), you may have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your personal data.
  • Opt out of non-essential communications (which can be toggled in your Account Settings).

To exercise any of these rights, please contact us using the details below.

8. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle data, please reach out to us via our Contact Page.