PRIVACY POLICY

Last updated: 18 May 2026

Who we are

Dartboard Maths is operated by African Dart Group (Pty) Ltd. We're the data controller for any personal information collected through the app. We're a single-developer educational game centred around dart-themed equations for students aged 9 to 18. Contact us about anything on this page at support@africandartgroup.com.

What we collect

You can use Dartboard Maths without creating an account. Anonymous play stores game progress only on your own device.

If you choose to create an account, we collect:

  • Your email address (used as your login).
  • A nickname (shown to other players).
  • An avatar selection (one of nine cartoon characters).
  • Optional profile fields: age, gender, country, school, and house.
  • Your password, stored as a salted PBKDF2 hash. We can't see it and we can't recover it.
  • Game results: when you finish a round, the score, the operation, the deck, and the timestamp.
  • Match results: in remote multiplayer rooms, the result of each match (your score, the opponent's score, and whether you won).
  • IP address + user-agent on each Better Auth session (the auth library records these to detect session hijacking — they're only retained for the lifetime of the session, ~30 days of sliding inactivity).
  • Parental consent record: if you're under 13, the parent email you provide + a timestamp showing when the parent confirmed consent. See "Children" below.

Legal basis (GDPR)

For EU / UK users we rely on the following lawful bases under Article 6 of the GDPR:

  • Contract (Art. 6(1)(b)) — we need your email + password to give you an account and remember your scores.
  • Legitimate interest (Art. 6(1)(f)) — for the IP / user-agent fields used to protect your session from hijacking. You can object via support@africandartgroup.com.
  • Consent (Art. 6(1)(a) + Art. 8) — for any account created on behalf of a child under 13 (or under the local digital-consent age in your EU member state, where it differs). We collect the consent through the parental-consent flow at signup.

How long we keep your data

We retain your account row and game-result history for as long as you keep the account. When you delete your account from the Me screen (Profile → DELETE ACCOUNT), the server removes the rows immediately via foreign-key cascade (auth, sessions, profile, game results, parental consents).

Backups: a nightly snapshot of the database is held as a GitHub Actions artifact for 90 days and then pruned. A deleted account can therefore reappear in a backup during that window if we ever need to restore from one. After 90 days the backups are gone and the deletion is permanent.

Anonymous play (no account) stores nothing on our servers — game progress lives only on your device and you control it through your browser / OS storage settings.

What we don't collect

We don't use third-party analytics, advertising trackers, or session replay tools. We don't fingerprint your device. We don't sell or share your data with anyone. We don't use cookies for tracking — only the auth cookie that keeps you signed in, which is HttpOnly + Secure + SameSite=Lax.

Where your data lives

Your account and game-result rows sit in a Cloudflare D1 (SQLite) database, hosted in the Cloudflare network. Static assets and the app shell are served from Cloudflare Pages. Real-time multiplayer state lives temporarily in a Cloudflare Durable Object while a match is in progress, and is discarded when the match ends. We don't copy your data to any other provider.

Cookies and local storage

We use:

  • A single auth session cookie (set by Better Auth) while you're signed in. HttpOnly, Secure, SameSite=Lax. Cleared on sign out.
  • Local storage under the dartboardmaths: namespace for your in-progress best scores, accessibility settings, and a tiny "authed" hint to prevent the welcome screen from flickering.
  • A service worker cache (when installed as a PWA) holding the app shell and static assets so the menu loads offline. No personal data sits in the cache.

Children

Dartboard Maths is designed for ages 9 to 18 with parent / teacher oversight. Anyone of any age can play anonymously without creating an account.

If you're under 13 (or under the local digital-consent age in your country — 16 in much of the EU under Article 8 of the GDPR), the signup flow asks for a parent or guardian's email. We email them a one-time confirmation link; the account is not active and we collect no personal data until they click it. This is the "verifiable parental consent" mechanism required under COPPA in the United States and GDPR-K in the EU. The parent can withdraw consent at any time by emailing support@africandartgroup.com — we'll delete the account within 30 days.

We don't serve behavioural advertising, run third-party tracking SDKs, or sell data to data brokers. The app therefore meets Google Play's "Designed for Families" bar (no ad-network SDKs, no behavioural ad signals, no tracking IDs).

If you believe a child under 13 has signed up without parental consent, email support@africandartgroup.com and we'll delete the account.

Your rights

You can:

  • Sign out — clears the local cache; your D1 rows are preserved.
  • Reset your local profile from the Me screen — wipes your local cache.
  • Delete your account from the Me screen (Profile → DELETE ACCOUNT). The server wipes your auth row, profile, and game-result history immediately. There's no undo. You can also email support@africandartgroup.com if you can't access the app.
  • Export your data — same email. We'll send you a JSON dump within 30 days.
  • Withdraw consent — if your account was created through the parental consent flow, the parent can revoke at any time via the contact email; the account is deleted within 30 days.

Lodging a complaint

If you live in the EU / UK and you think we've mishandled your data, you have the right to lodge a complaint with your local data-protection supervisory authority. Examples:

  • UK — Information Commissioner's Office (ico.org.uk).
  • Germany — your state's data-protection commissioner.
  • Ireland — Data Protection Commission (dataprotection.ie).

South African users have an equivalent right under POPIA (Information Regulator — inforegulator.org.za).

Security

Passwords are hashed with PBKDF2-HMAC-SHA-256 (100 000 iterations). Cookies are HttpOnly + Secure + SameSite=Lax. All API responses sit behind a same-origin CSRF check (requiring Content-Type: application/json on mutating requests). User identifiers on public endpoints are wrapped in opaque AES-GCM-encrypted tokens so the raw user table can't be enumerated.

If you find a security issue, please email support@africandartgroup.com with the details before disclosing publicly.

Changes to this policy

If we change what we collect or how it's stored, we'll update the "Last updated" date at the top and post a note on the main menu. Material changes will prompt a re-consent on next sign-in.