Privacy Policy

Data controller: Another Cube S.C.P., with tax ID J86922382 and registered address at C/ Infanta Mercedes, 20, bajo, 28020 - Madrid (Madrid). Contact email: dev@jaamdev.com.

This policy explains what personal data we process when you use the website, for what purpose and on what legal basis, how long we keep it, and what rights you have. If you have any question about the processing of your data, you can write to us through the contact page (/contact) or to the privacy email indicated above.

Email address, nickname, encrypted password, and gameplay records (history, stats).

• ·Account data: your email address, your nickname, and your password, which is always stored encrypted (never in plain text).
• ·Gameplay data: stories played, games you take part in, decisions and votes, progress, and aggregated usage statistics.
• ·Payment data: if you subscribe or buy a story, the charge is processed by Stripe. Your card details are entered directly into a secure Stripe form and never pass through our servers, nor do we store them; we only keep a customer identifier, the subscription status, and the billing data needed to issue the invoice and comply with our tax obligations.
• ·Technical data: IP address, browser type and language, as well as the cookies strictly necessary to keep your session.
• ·Support data: if you write to us through the contact form or by email, we process your name, your email address, and the content of your message solely to handle your request.

We process your data to: (1) create and manage your account and provide the service (games, progress, language and theme preferences); (2) handle subscription or purchase charges and issue the corresponding billing; (3) send you the essential transactional emails (account verification, password reset, payment and account notices); (4) keep the platform secure (usage limits, lockout after failed login attempts, activity logs); (5) handle your support requests; and (6) produce aggregated, anonymous statistics on how stories are completed.

We do not use your data for third-party advertising, we do not carry out profiling with legal effects on you, and we do not sell your information. Nor do we perform behavioral analytics for advertising purposes.

Each purpose relies on a legal basis under Article 6 GDPR: performance of the contract (Art. 6(1)(b)) for the account, the service, and payment management; compliance with legal obligations (Art. 6(1)(c)) for billing, taxation, and handling your rights requests; legitimate interest (Art. 6(1)(f)) for platform security and fraud prevention; and your consent (Art. 6(1)(a)) in the specific cases where we expressly ask for it. We do not make automated decisions that produce legal effects on you, nor do we carry out profiling.

You may delete your account at any time. Personal data will be anonymized; statistics may be retained anonymously.

In accordance with the General Data Protection Regulation (GDPR), you may exercise the following rights at any time:

• ·Access: request what personal data of yours we process. We provide a GDPR export function that lets you download your data in a file.
• ·Rectification: correct inaccurate or incomplete data, such as your email or your nickname, from "My account".
• ·Erasure: delete your account; your personal data is anonymized immediately, except for what we must keep by legal obligation (invoices).
• ·Portability: receive your data in a structured, commonly used format through the GDPR export.
• ·Objection and restriction: object to certain processing or request that it be restricted, as well as withdraw your consent when it is the basis for the processing, without affecting the lawfulness of the previous processing. You may also lodge a complaint with the Spanish Data Protection Agency (AEPD).

We keep each piece of data only for as long as needed for the purpose it was collected for:

• ·Account data: for as long as the account exists. When you delete it, the data is anonymized immediately (the nickname is released and the email is unlinked).
• ·Billing data: invoices and payment records are kept for the statutory commercial and tax periods (up to 6 years), even if you delete your account.
• ·Sessions and tokens: sessions expire after at most 30 days and are purged automatically; email verification links expire after 24 hours and password reset links after 1 hour.
• ·Unverified accounts: if you do not verify your email within approximately 30 days, the account is marked for deletion.
• ·Games: when a game ends, only aggregated, anonymous statistics are kept; games inactive for more than 6 months are deleted automatically.
• ·Data exports: the GDPR export file is deleted after it is downloaded or, at the latest, after 48 hours. Internal security logs are kept for a limited and proportionate period.

We do not sell or transfer your data. We only share it with: Cloudflare (infrastructure hosting), Stripe (payment processing), and Resend (transactional email delivery). All of them comply with the GDPR or have EU standard contractual clauses in place.

These providers act as data processors and only process the data according to our instructions and to provide their service to us. Remember that your card details are managed directly by Stripe and never pass through our servers.

Some of our processors (Cloudflare, Stripe, Resend) may process data on servers located outside the European Economic Area. In those cases, the transfers are covered by appropriate safeguards provided for by the GDPR: adequacy decisions of the European Commission — including the EU-US Data Privacy Framework for certified providers — or, failing that, standard contractual clauses. You can request more information about these safeguards through the contact page (/contact).

The service is restricted to people over 18 and is not aimed at minors. We do not knowingly collect data from minors: if we detect that an account belongs to a person under 18, we will close it and delete their personal data. If you believe a minor has created an account, write to the privacy email indicated above.

We apply appropriate technical and organizational measures in line with Article 32 GDPR: passwords are stored with a strong hash (never in plain text), all communication is encrypted via HTTPS, session cookies are inaccessible to page scripts (HttpOnly), we apply usage limits and temporary lockout after failed login attempts, and the two-factor authentication secret is stored encrypted. If a security breach occurs that poses a risk to your rights, we will notify the Spanish Data Protection Agency within 72 hours at most and, if the risk is high, we will also inform you directly without undue delay (Articles 33 and 34 GDPR).

We only use cookies strictly necessary for the website to work (session and language). We do not use advertising or third-party tracking cookies. You have the full details in our cookie policy (/legal/cookies).