Cluelinked

Privacy Policy

Last updated: June 4, 2026

1. About This Policy

This Privacy Policy explains how Cluelinked collects, uses, stores, and shares information when you visit our website, create an account, join a game, redeem access, buy a kit, submit feedback, or use our digital murder mystery platform.

Cluelinked is operated by Zoltan Aldott, trading as Cluelinked, of Zoltan Aldott / Cluelinked, 124 City Road, London, EC1V 2NX. References to "Cluelinked", "we", "us", and "our" mean Zoltan Aldott, trading as Cluelinked. For privacy questions, rights requests, or legal or business identity questions, contact privacy@cluelinked.com.

During the closed beta, paid checkout may be disabled and access may be provided through beta access keys. Sections about purchases, refunds, Paddle, billing, and tax records apply only where paid checkout is enabled or a paid transaction takes place.

2. Information We Collect

Account and profile information: email address and password/authentication records handled through Supabase Auth, plus display name, account settings, and basic profile preferences. Cluelinked does not keep a separate copy of your account email in the profiles table.

Beta, waitlist, and marketing information: email address, consent status, consent version, source page, kit interest, first-party URL attribution such as UTM parameters, landing path, referrer where provided by the browser, unsubscribe status mirrored from our email provider, account ownership where a subscription is linked to a signed-in account, and related delivery records.

Purchase and entitlement information: internal order IDs, kit entitlements, access-key redemptions, Paddle transaction IDs, Paddle customer IDs where needed for billing portal access, order status, amount, currency, and purchase dates. We do not store full card numbers or card security codes.

Host event information: kit selection, player count, role assignments, invite status, event status, scene progress, reveal status, and host actions needed to run the mystery.

Player and invite information: if you are an invited player, your host may provide assigned seat details or role allocation. We may also collect token-only invite links, player display names, join/decline/claim status, reading progress, goal progress, tutorial progress, and final submission status. Cluelinked no longer stores cast/player email addresses for event invites.

Character adaptation and accusation game state: we may store a selected character variant, character name, and character pronouns so the fictional role can read naturally in the game. Gender selection is a game-specific character adaptation control, not a request for a player's real-world gender and not intended to record personal identity information. Final accusation choices are also game-specific fantasy verdicts about fictional suspects so the host can see vote totals and reveal the solution.

Feedback and support information: feedback text, ratings, page URL, kit or event context, support messages, and any contact details you include when asking for help.

Security and technical information: IP-derived rate limit keys, request headers, browser/session cookies, Turnstile challenge results, error logs, device/browser information where available, and diagnostic details needed to protect and debug the service. Error monitoring and diagnostic events may include sanitised URLs, browser and device metadata, stack traces, release identifiers, and request context needed to diagnose faults. We do not intentionally send full query string values, invite tokens, access keys, auth/session material, or payment secrets in diagnostic events.

Consented analytics and attribution information: where you choose optional analytics or marketing cookies, we may collect manual product funnel events, individual kit page views, demo/tutorial openings, checkout starts, game setup/progress milestones, and related event properties such as internal kit, event, scene, role, order, price, environment, and attribution fields. Attribution fields may include allowlisted UTM parameters, click IDs, landing path, referrer, first touch, last touch, and timestamps. We do not enable PostHog replay, heatmaps, autocapture, generic page tracking, or cookieless fallback tracking, and we do not send invite tokens, access keys, auth/session material, raw payment secrets, or full query string values in analytics events.

Local device storage: your browser may store session recovery, room return links, host/player state caches, demo progress, tutorial progress, readability settings, and realtime client IDs so the game can resume smoothly on the same device.

3. How We Use Information

  • To provide accounts, authentication, purchased kit access, beta access, and redeemed access keys.
  • To configure and run hosted mystery events, player invite links, live game state, clue access, accusations, and solution reveals.
  • To process purchases, confirm entitlements, open Paddle billing support, prevent fraud, and handle refunds or payment disputes.
  • To send transactional emails, account messages, beta access updates, product updates you consented to receive, and support replies. Product-update unsubscribe status does not block transactional account, purchase, access, password/auth, security, or event-operation emails.
  • To protect Cluelinked from abuse, spam, unauthorised access, entitlement bypassing, fraud, and security incidents.
  • To understand product issues, fix bugs, improve kits, improve accessibility, and respond to feedback.
  • To comply with legal, tax, accounting, consumer protection, data protection, and platform obligations.

4. Lawful Bases

We rely on contract where processing is needed to provide accounts, purchased kits, entitlements, event tools, invite links, and support for the services you ask us to provide.

We rely on consent for beta and product update emails where consent is requested. We also rely on consent for optional analytics cookies, marketing attribution cookies, and related optional analytics or marketing processing. You can withdraw email consent by using unsubscribe options or contacting us, and you can withdraw cookie choices through Cookie Settings.

We rely on legitimate interests for security, fraud prevention, service diagnostics, product improvement, feedback review, abuse prevention, and basic business operations, where those interests are not overridden by your rights.

We rely on legal obligation where we need to keep or use records for tax, accounting, consumer, payment, regulatory, or legal compliance.

5. Sharing and Service Providers

We share information only where needed to provide, secure, operate, or improve Cluelinked, or where required by law. Service providers may include:

  • Supabase for authentication, database, storage, and edge functions.
  • Cloudflare, including Workers hosting and Turnstile security checks.
  • PartyKit for realtime event message relay.
  • Sentry for error monitoring and service diagnostics, including grouping crashes, identifying affected releases, and debugging user-facing failures. We do not use Sentry for advertising, non-essential analytics, or profiling.
  • PostHog EU Cloud for consented product analytics, limited to manual funnel events. We do not enable session replay, heatmaps, autocapture, generic page tracking, or cookieless fallback analytics.
  • Paddle for checkout, payment processing, tax, receipts, invoices, billing support, refunds, fraud checks, and customer portal access.
  • Email providers for account, support, beta, product update, and transactional emails.
  • Email provider unsubscribe tools for beta/product-update broadcasts. We mirror marketing unsubscribe status back into Supabase for audit and suppression.
  • OAuth providers if you choose to sign in through a third-party login option we enable.
  • Professional advisers, insurers, payment networks, regulators, or dispute bodies where needed for legal, tax, insurance, or dispute handling.

Paddle acts as Merchant of Record for paid transactions and may process payment and buyer information under its own buyer terms and privacy notices. We do not receive or store full card details.

6. Cookies and Local Storage

We use cookies and similar technologies that are necessary for the service to work, including authentication, security, checkout, game session continuity, and player re-entry. We also use browser local storage and session storage for optional convenience features such as player session recovery, host state caching, demo state, tutorial progress, readability settings, and realtime client IDs.

We use a necessary first-party cookie named cluelinked_cookie_consent to remember your cookie choices for this browser. It stores the consent version, whether analytics and marketing are enabled, and when the choice was saved. It does not store your email address, IP address, attribution details, behavioural data, or a user identifier.

Optional Analytics cookies and storage are used only if you consent. They allow PostHog EU Cloud to receive manual Cluelinked funnel events such as individual kit page views, demo openings, tutorial openings, checkout starts, and game progress milestones. These events may include internal kit, event, scene, role, order, price, environment, and attribution properties where relevant to the event. Generic page tracking, replay, heatmaps, autocapture, and cookieless fallback analytics are not enabled. PostHog stores analytics data for one year.

Optional Marketing cookies are used only if you consent. The first-party cluelinked_attribution cookie stores first-touch and last-touch attribution using allowlisted UTM parameters, click IDs, landing path, referrer, and timestamps. It does not store raw query strings, invite tokens, access keys, account session material, or payment secrets. This cookie lasts up to 90 days.

You can review, accept, reject, or withdraw optional cookies at any time in Cookie Settings. Withdrawing consent stops future optional tracking and storage, clears the attribution cookie, and clears signed-in attribution records we can link to your account where the application can do so. It does not automatically delete analytics events already sent to PostHog; you can contact us for deletion requests where prior analytics data is identifiable.

The first-party cluelinked_cookie_consent cookie lasts up to 183 days so this browser can remember your choices. You can refresh or replace those choices earlier from Cookie Settings.

7. International Transfers

Some providers may process information outside the United Kingdom, including in the EEA and United States. Where this happens, we rely on UK adequacy regulations, approved contractual safeguards, supplier data processing terms, or other lawful transfer mechanisms. You can contact us for more information about the safeguards used for a particular provider.

8. Retention

We keep information only for as long as reasonably needed for the purposes described in this policy. Retention depends on the type of record, whether an account or event remains active, legal and tax obligations, fraud and security needs, support requirements, and whether deletion would affect other participants in a shared event.

Account, purchase, entitlement, refund, and payment dispute records may need to be kept for legal, accounting, tax, and fraud-prevention reasons. Event and player records may be kept while the host account needs access to the event, while support issues are open, or while retention is needed to preserve an accurate hosted game record. Browser storage remains on your device until cleared by you, the browser, or the application.

Optional attribution held in the cluelinked_attribution browser cookie lasts up to 90 days. Optional server-side attribution linked to profiles, interest signups, or orders is eligible for cleanup after 12 months unless we need to keep a specific record for legal, tax, accounting, fraud-prevention, dispute, or security reasons. PostHog analytics data is retained for one year.

9. Your Rights

Depending on your location and the lawful basis for processing, you may have the right to request access to your personal information, correction, deletion, restriction, portability, objection to certain processing, and withdrawal of consent for consent-based processing.

You have the right to object to processing based on legitimate interests, including certain uses for product improvement, feedback review, service diagnostics, and basic business operations. We may continue processing only where the law allows, for example where we have compelling legitimate grounds or need the information for legal claims, security, or abuse prevention.

Some rights may be limited where information is needed for legal obligations, fraud prevention, payment records, dispute handling, security, or shared event records involving other users. To make a request, contact privacy@cluelinked.com.

If you are in the UK, you also have the right to complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint.

10. Automated Decisions

Cluelinked does not use personal information to make solely automated decisions that have legal or similarly significant effects on users. Some automated checks may be used for security, entitlement access, checkout status, abuse prevention, and game-state operation.

11. Children and Invited Players

Cluelinked is intended for adult hosts and invited social groups. You must be 18 or over to create an account, host a game, buy access, or manage invites. If a host invites a younger player, the host is responsible for making sure the player has appropriate parent or guardian permission and that the mystery is suitable for them. Hosts should not enter unnecessary personal information about younger players.

12. Security

We use technical and organisational measures designed to protect information, including access controls, row-level database controls, trusted request boundaries, input validation, security headers, abuse rate limits, and third-party security tools. No online service can be guaranteed completely secure, so you should keep account credentials and invite links private.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will be posted on this page with an updated date. If a change materially affects how we use personal information, we will take reasonable steps to give notice where appropriate.

Contact Us

If you have any questions about this Privacy Policy, contact privacy@cluelinked.com.