Privacy Policy
Moonstone Companion
Privacy Policy — Moonstone Companion
Effective date: June 9, 2026 Last updated: June 9, 2026
Moonstone Companion ("the App") is a free, unofficial companion application for the Moonstone miniature game by Goblin King Games. It is published by Tinkavu LLC / Extra Turn Games ("we", "us", "our"). This policy explains what data we collect, how we use it, who we share it with, and how you can control or delete your data.
This App is not affiliated with, endorsed by, or sponsored by Goblin King Games. Trademarks and game content referenced in the App belong to their respective owners.
Data We Collect
Data You Give Us Directly
- Account information: your email address, used for sign-in via Google Sign-In or a passwordless magic link.
- Display name you choose.
- Player Finder profile (entirely opt-in):
- Postal code / ZIP code (used to match players in the same area)
- Country code
- A short free-text "contact note" you write (for example, a Discord handle)
- Stores you have marked as favorites
- Whether you have opted in to being discoverable by other players
- Troupes (rosters) you build inside the App — character slugs, intended faction, and optional saved-troupe names.
- League data you participate in as Chamberlain or player — scheduled matches, reported scores, machinations, upgrade choices, and short narrative notes.
- Store submissions — store name, address, website, phone number, and any moderation-flag reasons you provide.
Data Collected Automatically
- Sign-in metadata (timestamps, authentication provider, refresh tokens) managed by Supabase Auth on our behalf.
- Approximate location — only while you are actively using the Store Finder and only after you grant the OS permission. We use it on-device to look up nearby stores. We do not store your location coordinates on our servers. The lookup is performed on your device; only the coordinates of a store you choose to view are retained in that store's record.
Data We Explicitly Do NOT Collect
- Precise GPS location (we request
ACCESS_COARSE_LOCATIONonly; coarse location is used on-device and not stored server-side). - Contacts, calendar, microphone, camera, biometrics, SMS, or photos.
- Browsing history outside the App.
- Advertising identifiers (GAID or IDFA).
- Firebase Analytics, Crashlytics, or any other analytics or crash-reporting data. Moonstone does not include any analytics, crash-reporting, or advertising SDK.
Processor Data Table
The following table summarizes what each processor receives.
| Processor | Purpose | Data received |
|---|---|---|
| Supabase (database + auth) | Cloud storage of your account, troupes, leagues, and store data | Account info, display name, Player Finder profile, troupes, league data, store submissions |
| OpenAI (moderation API) | Automated content review of free-text fields only | The text being checked; no account identifiers |
| LocationIQ (geocoding) | Resolve store addresses to map coordinates | The address string being geocoded; no account data |
| OpenFreeMap / OpenStreetMap (map tiles) | Render the store map | Map tile coordinates only; no account data |
| Google Drive (only when you tap "Export to Drive") | Save a backup of your troupes and leagues to your own Drive | The export file, written to a "Moonstone Companion" folder in your personal Drive |
| Google Sign-In (optional auth) | Authenticate you with your Google account | Standard OAuth identity scopes |
How We Use Your Data
We use your data only to provide and improve the App:
- Authenticate you and keep you signed in across devices.
- Sync your troupes between your device and the cloud.
- Let you participate in leagues (scheduling, match reporting, standings, campaign progression).
- Power the Store Finder and Player Finder only with what you have explicitly opted in to share.
- Run automated content moderation on free-text fields (display names, contact notes, narrative entries, store submissions) to enforce our community standards.
We do not sell your personal data. We do not use your data for advertising targeting. We do not show ads in the App.
Who We Share Data With
We use the following third-party processors to provide the App. Each processor receives only the minimum data needed for its function and is contractually prohibited from using your data for any other purpose.
| Processor | Privacy / DPA reference |
|---|---|
| Supabase, Inc. | supabase.com/privacy · Art. 28 GDPR DPA signed |
| OpenAI, LLC (moderation only) | openai.com/policies/privacy-policy |
| LocationIQ / Unwired Labs (geocoding only) | locationiq.com/privacy |
| OpenFreeMap / OpenStreetMap contributors (map tiles) | openstreetmap.org/privacy |
| Google LLC (Sign-In and user-initiated Drive export) | policies.google.com/privacy |
We do not sell, rent, or broker your personal data to any other party.
Where Your Data Lives & Storage Security
All App data is stored in Supabase's EU-West (Ireland) region on AWS eu-west-1.
- Encryption at rest: AES-256.
- Encryption in transit: TLS 1.2 or higher for all network traffic between the App and our servers and between our servers and processors.
- Key custody: FIPS 140-2 HSMs managed by Supabase.
- Access control: Supabase row-level security (RLS) policies ensure that users can only read and write their own data.
Our relationship with Supabase, Inc. as a data processor is governed by a signed Data Processing Addendum (DPA) under GDPR Article 28. Supabase's Transfer Impact Assessment (TIA) is available on request from privacy@extraturngames.com.
Security & Breach Notification
In addition to the technical measures described above, we:
- Limit access to personal data to personnel and automated systems that need it to operate the service.
- Require all processors to maintain appropriate security measures under contract.
- Periodically review our security practices.
No security system is perfect. If you believe you have discovered a security vulnerability, please report it to privacy@extraturngames.com.
Breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where a breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay, as required by GDPR Article 34, using the contact information in your account.
Data Retention
We keep your data only as long as necessary.
| Data type | Retention |
|---|---|
| Account information (email, display name) | Until you delete your account |
| Player Finder profile (postal code, country, contact note, findability status) | Until you delete your account or clear the relevant field |
| Troupes (cloud-synced rosters) | Until you delete your account |
| Active league data (memberships, matches in open leagues) | Until you delete your account |
| Finished-league match records and roster snapshots | Anonymized and retained indefinitely so other players' historical statistics remain intact; no personal identifier is retained after anonymization |
| Store submissions | Retained for service quality; not directly linked to your account after submission |
| Sign-in metadata | Managed by Supabase Auth; cleared on account deletion |
| Google Drive export files | Stored in your own Google Drive account; we have no access and no retention schedule applies to us |
You may request earlier deletion of any data at any time via the in-app deletion flow or by contacting us at privacy@extraturngames.com.
Your Rights & Choices
In-app controls:
- Edit your profile at any time via the Player Finder screen.
- Toggle "Findable" off to immediately hide your profile from in-app search.
- Clear favorite stores from the store detail pages at any time.
- Delete your account from Settings → Delete Account. This removes your profile, active-league memberships, and saved troupes immediately, anonymizes your records in any finished leagues, and signs you out. See our Data Deletion page for full details.
- Revoke Google Drive access at any time via myaccount.google.com/permissions.
Withdrawal of consent: Where we process your data on the basis of consent (for example, your opt-in to the Player Finder), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
Response timeframe: We will respond to all data-subject rights requests within 30 days of receipt. In cases of complexity or high volume we may extend by an additional 60 days; if so, we will notify you within the initial 30-day period.
GDPR — EEA & UK Users
This section applies if you are located in the European Economic Area (EEA) or the United Kingdom.
Controller
Tinkavu LLC, TINKAVU LLC, 2865 Apaloosa Trl, Deltona, FL 32738, is the data controller for personal data processed through the App. Contact: privacy@extraturngames.com.
Lawful Bases (GDPR Article 6)
| Processing activity | Lawful basis |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Troupe and league sync | Performance of a contract (Art. 6(1)(b)) |
| Content moderation of free-text fields | Legitimate interests (Art. 6(1)(f)) — protecting users from harmful content |
| Player Finder (location-adjacent data, findability opt-in) | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
Your Data Subject Rights
Under the GDPR and UK GDPR you have the right to:
- Access (Art. 15) — request a copy of your personal data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — request deletion of your data (subject to limited exceptions, e.g., anonymized records in finished leagues).
- Restriction (Art. 18) — ask us to restrict processing in certain circumstances.
- Data portability (Art. 20) — receive your data in a machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interests.
- Not to be subject to automated decision-making (Art. 22) — we do not make automated decisions with legal or similarly significant effects on you.
To exercise any of these rights, contact us at privacy@extraturngames.com. We will respond within 30 days (see #rights above).
International Data Transfers
Supabase hosts data in the EU-West (Ireland) region. Some Supabase sub-processors are located in the United States. Those transfers are governed by:
- Standard Contractual Clauses (Module Two — controller to processor) incorporated into the Supabase DPA.
- The EU–U.S. Data Privacy Framework adequacy decision (10 July 2023), where Supabase or its sub-processors are certified participants.
OpenAI (moderation API) and Google (Sign-In, Drive) are also based in the United States. Transfers to these processors are governed by Standard Contractual Clauses and, where applicable, the EU–U.S. Data Privacy Framework.
Article 27 EU Representative
Tinkavu LLC is established in the United States. We rely on the small-scale-processing exemption in GDPR Article 27(2)(a): the App does not process special-category data (Art. 9), does not process criminal-offence data (Art. 10), involves no large-scale systematic monitoring, and currently serves a limited number of EU users on an occasional basis. On this basis we have not designated a formal EU representative. We will designate a representative under Art. 27 if any of the triggers in Art. 27(2) are no longer satisfied (for example, if EU user volume grows substantially or if we add any special-category processing).
DPO
We are not required to designate a Data Protection Officer under Art. 37 GDPR given our processing activities. Privacy queries should be directed to privacy@extraturngames.com.
Supervisory Authority
If you are in the EEA, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. UK users may contact the ICO at ico.org.uk.
CCPA / CPRA — California Residents
This section applies to residents of California and supplements the rest of this policy. It is provided under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Categories of Personal Information Collected
In the preceding 12 months we have collected the following CCPA categories of personal information:
| Category | Examples collected by the App | Collected? |
|---|---|---|
| Identifiers | Email address, user ID, display name | Yes |
| Personal information (Cal. Civ. Code §1798.80) | Email address | Yes |
| Geolocation data | Approximate location (used on-device only; not stored server-side) | On-device only |
| Internet or other electronic network activity | Sign-in timestamps, session metadata | Yes |
| Inferences | None — we draw no inferences or profiles about you | No |
| Sensitive personal information | Precise geolocation, racial/ethnic origin, health, financial, or biometric data | No |
| Commercial information | None | No |
| Audio, electronic, visual, or similar information | None | No |
Do Not Sell or Share My Personal Information
We do not sell your personal information as defined under CCPA. We do not share your personal information for cross-context behavioral advertising. You therefore do not need to opt out of a sale or share; however, you may contact us at privacy@extraturngames.com if you have questions.
Your California Rights
California residents have the right to:
- Know — request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties with whom it is shared.
- Delete — request deletion of personal information we have collected, subject to limited exceptions (for example, completing a transaction, detecting security incidents, or complying with legal obligations).
- Correct — request correction of inaccurate personal information.
- Limit Use of Sensitive Personal Information — we do not process sensitive personal information for purposes beyond those permitted without this right, so no opt-out is required.
- Non-Discrimination — we will not discriminate against you for exercising any of these rights. We will not deny you the App, charge different prices, or provide a different level of service because you exercised a CCPA right.
Authorized Agent
You may designate an authorized agent to submit a request on your behalf. The authorized agent must provide written proof of authorization signed by you, and we may verify your identity directly with you as permitted by law.
How to Submit a Request
Email privacy@extraturngames.com with the subject line "California Privacy Request." We will respond within 45 days (extendable by a further 45 days with notice if reasonably necessary).
LGPD — Brazilian Users
This section applies to residents of Brazil and supplements the rest of this policy. It is provided under Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD — Law 13,709/2018).
Legal Bases (LGPD Article 7)
We process your personal data under the following LGPD legal bases:
- Performance of a contract (Art. 7, VII) — to provide the App's core functions (account, troupes, leagues).
- Legitimate interest (Art. 7, IX) — content moderation on free-text fields.
- Consent (Art. 7, I) — Player Finder opt-in features.
- Compliance with a legal obligation (Art. 7, II) — where required by law.
Your LGPD Rights
Under the LGPD you have the right to: confirm the existence of processing; access your data; correct incomplete or inaccurate data; anonymize, block, or delete unnecessary data; request portability; request information about third parties with whom we share data; object to processing; and withdraw consent at any time.
To exercise these rights, contact privacy@extraturngames.com. We will respond within 15 business days.
Encarregado (DPO)
We have not formally designated an Encarregado under the LGPD given the small scale and nature of our processing. Privacy requests should be directed to privacy@extraturngames.com.
Supervisory Authority
You may also file a complaint with Brazil's Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
PIPEDA — Canadian Users
This section applies to residents of Canada and supplements the rest of this policy. It is provided under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
Accountability
Tinkavu LLC is responsible for personal information under its control. Privacy questions and rights requests should be directed to privacy@extraturngames.com.
Consent
We collect, use, and disclose your personal information only with your knowledge and consent (express for sensitive data; implied for routine service data), except where otherwise permitted or required by law. You may withdraw consent at any time by contacting us or using the in-app deletion flow, subject to legal and contractual restrictions and reasonable notice.
Your Rights
You have the right to: access your personal information held by us; challenge the accuracy and completeness of your information and request correction; and withdraw consent to certain uses or disclosures.
To exercise these rights, contact privacy@extraturngames.com. We will respond within 30 days.
Supervisory Authority
You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
APPI — Japanese Users
This section applies to residents of Japan and supplements the rest of this policy. It is provided under Japan's Act on the Protection of Personal Information (APPI), as amended effective April 2022.
Third-Party Provision and Cross-Border Transfers
Where we transfer your personal information to processors located outside Japan (for example, Supabase in Ireland/EU, OpenAI in the United States, or Google in the United States), we take the following measures in accordance with APPI Article 24:
- We enter into contracts with each overseas processor that require them to implement personal information protection measures equivalent to those required by APPI.
- The relevant receiving countries include Ireland (EU, subject to GDPR), and the United States (governed by Standard Contractual Clauses and, where applicable, the EU–U.S. Data Privacy Framework).
Your APPI Rights
You have the right to request disclosure of retained personal information, correction, addition, or deletion where the data is inaccurate, and suspension of use or third-party provision in certain circumstances. To exercise these rights, contact privacy@extraturngames.com.
Supervisory Authority
You may direct inquiries to Japan's Personal Information Protection Commission (PPC) at ppc.go.jp.
Australia — Australian Users
This section applies to residents of Australia and supplements the rest of this policy. It is provided under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Tinkavu LLC is subject to the Privacy Act to the extent its acts or practices have an Australian link. Given our current scale, we may qualify for the small-business operator exemption (annual turnover below AUD 3 million); however, we voluntarily apply the Australian Privacy Principles as good practice.
We collect, hold, use, and disclose personal information only for the purposes described in this policy. We take reasonable steps to secure personal information against misuse, interference, loss, and unauthorized access.
You have the right to access your personal information and to request correction of inaccurate information. To exercise these rights, contact privacy@extraturngames.com. We will respond within 30 days.
If you believe we have breached the APPs, you may first contact us to resolve the matter. If unresolved, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Children
The App is intended for users who are 13 years of age or older. We do not knowingly collect personal information from children under 13. The App is not directed at children under 13, and we do not target content or advertising at children.
If you believe a child under 13 has provided us with personal information, please contact us at privacy@extraturngames.com and we will promptly delete that information from our systems.
For users between 13 and the age of majority in their jurisdiction, we encourage parental or guardian involvement in their use of the App.
This App is not designed to comply with the Children's Online Privacy Protection Act (COPPA) requirements for child-directed services, because it is not child-directed.
Cookies, Identifiers & Advertising
No advertising: The App contains no advertisements. We do not use advertising networks or sell advertising space.
No advertising identifiers: We do not collect or process Google Advertising IDs (GAID), Apple Advertising Identifiers (IDFA), or any other advertising identifier.
App Tracking Transparency (ATT): Because we do not use advertising identifiers or cross-app tracking, we do not present an ATT prompt on iOS.
Session tokens: Supabase Auth uses standard session tokens stored in device secure storage to keep you signed in. These are not advertising cookies and are not shared with third parties.
Moonstone does not integrate Firebase Analytics, Crashlytics, or any other third-party analytics or crash-reporting SDK. If this ever changes, this section will be updated to disclose the SDK, the data it collects, and how to opt out.
Changes to This Policy
We may update this policy from time to time. If we make a material change — one that meaningfully expands the data we collect, the purposes for which we use it, or the parties we share it with — we will:
- Update the "Last updated" date at the top of this policy.
- Post a notice within the App on the first launch after the change takes effect.
- Where required by applicable law, obtain fresh consent before processing your data under the new terms.
Continued use of the App after a material change is not your only means of acceptance; we will give you adequate notice and opportunity to review changes before they take effect where required by law.
Contact
For privacy questions, data rights requests, data export requests not covered by the in-app flow, or to report a security issue:
Publisher: Tinkavu LLC / Extra Turn Games Email: privacy@extraturngames.com Mailing address: TINKAVU LLC, 2865 Apaloosa Trl, Deltona, FL 32738
Effective date: June 9, 2026 Last updated: June 9, 2026
Moonstone is a trademark of Goblin King Games. This App is fan-made and unofficial and is not affiliated with, endorsed by, or sponsored by Goblin King Games.