1. Introduction
BlastRoom ("we", "our", "us") is an educational game platform designed for classroom use. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.
2. Data We Collect
We collect the following categories of personal data:
- Account data: Email address, display name, full name (optional)
- Profile data: School/institution name (optional), country (optional)
- Authentication data: Login method (email/password or social login provider), avatar URL from social providers
- Content data: Question sets, questions, and answers you create
- Usage data: Likes, favorites, folder organization, play counts
- Technical data: Session cookies for authentication
We also collect the following information automatically when you sign up or use the service:
- Network metadata at signup: IP address, browser user-agent string, approximate country (derived from IP), and network operator (ASN)
- Activity timestamps: Last sign-in time
- Account-state metadata: Whether your email address has been verified, automated risk scores, and any moderation actions applied to your account
This information is used to prevent fraud and automated abuse, secure your account, comply with legal obligations, and maintain the integrity of the platform.
3. How We Use Your Data
We use your personal data solely to provide and improve the BlastRoom service:
- To create and manage your account
- To display your display name (not email) on public question sets
- To enable content sharing and discovery between teachers
- To maintain your preferences, favorites, and folders
- To authenticate you securely
- To detect and prevent spam, fake accounts, and other forms of automated abuse
- To investigate violations of our Terms & Conditions and respond to reports of abuse
- To analyze usage patterns and improve the service (via Google Analytics)
- To display relevant advertisements (via Google AdSense)
4. What We Do NOT Do
- We do not sell your personal data to third parties
- We do not share your personal data with third parties for their own marketing purposes
- We do not display your email address publicly. Only your chosen display name is visible to other users
5. Data Storage and Security
Your data is stored in a PostgreSQL database hosted by Neon, which provides encryption at rest and in transit. Authentication is handled by Better Auth, which follows industry security standards. We use secure HTTP-only cookies for session management. No personally identifiable information is stored in browser localStorage.
International transfers: To minimize latency for classroom gameplay, live game state is processed in regional data centers operated by our infrastructure provider (Fly.io) and may be located in the United States, the European Union, or Asia depending on the region closest to the host teacher. Persistent account data and content remain in our primary Neon database. Transfers outside your region are made under appropriate safeguards, including the European Commission's Standard Contractual Clauses where applicable.
6. Third-Party Services
We use the following third-party services to operate BlastRoom:
- Neon: PostgreSQL database hosting
- Fly.io: Application hosting and live game state (Redis)
- Google, Microsoft, Facebook: Social login providers (only if you choose to sign in with them)
- Cloudflare Turnstile: Bot-protection challenge on signup, login, and password-reset forms. Turnstile may set a short-lived cookie and process limited browser metadata to distinguish humans from automated scripts. See Cloudflare's privacy policy.
- Google Analytics: Usage analytics to help us understand how the platform is used and improve the service
- Google AdSense: Contextual advertising displayed on teacher-facing pages
- Sentry: Error monitoring to help us identify and fix technical issues
- Cloudflare: Reverse proxy, content delivery network, security/WAF, and image storage (R2). Cloudflare processes request metadata (IP address, user agent) as a network intermediary.
- Amazon Web Services (AWS Rekognition): Automated content moderation of uploaded images to detect unsafe or inappropriate material before publication
- Resend: Transactional email delivery (account notifications, policy updates)
When you use social login, the respective provider may share your name, email, and profile picture with us according to their own privacy policies. We only store the minimum data needed for your account.
Google Analytics and Google AdSense may use cookies and similar technologies to collect information about your use of the service. These are only activated for registered users who have accepted our cookie consent. For more details, see Section 11 (Cookies) below.
7. Lawful Basis for Processing (GDPR Article 6)
Under the GDPR, we process your personal data on the following lawful bases:
- Performance of a contract (Article 6(1)(b)): Account creation, authentication, content storage, and core service delivery
- Legitimate interest (Article 6(1)(f)): Fraud prevention, abuse detection, network security, and platform integrity. We balance these interests against your rights and freedoms and limit the data processed to what is necessary for the purpose.
- Consent (Article 6(1)(a)): Analytics and advertising cookies, marketing emails, and any optional features you choose to enable
- Legal obligation (Article 6(1)(c)): Responding to lawful requests from authorities and complying with applicable laws
8. Automated Decision-Making (GDPR Article 22)
We use automated systems to score account activity for signs of abuse, including but not limited to: spam, fake accounts, link farms, and content scraping. Signals may include your signup network metadata, the volume and nature of content you create, and patterns consistent with automated tools.
Accounts scoring above an internal threshold are flagged for human review. No account is suspended, restricted, or deleted on the basis of an automated score alone. A human always reviews and makes the final decision.
If you believe your account has been incorrectly flagged, suspended, or removed, you have the right to request human review and to contest the decision. Contact us at [email protected] with your account email and a brief explanation.
9. Your Rights (GDPR)
Under the GDPR and applicable privacy laws, you have the following rights:
- Right to access: You can view all your data in your account settings
- Right to data portability: You can download all your data as a JSON file from your settings page
- Right to rectification: You can update your profile information at any time
- Right to erasure: You can permanently delete your account and all associated data from your settings page. A limited moderation audit record may be retained where necessary for legal compliance or to defend against legal claims (see Section 10)
- Right to withdraw consent: You can delete your account at any time
- Right to object: You can object to processing based on legitimate interest by contacting [email protected]
- Right to human review (Article 22): You can request human review of any automated decision affecting you (see Section 8)
- Right to lodge a complaint: You can file a complaint with your local data protection authority if you believe your rights have been violated
10. Data Retention
We retain different categories of data for different periods:
- Active accounts: Data retained for as long as your account is active
- Self-deleted accounts: All personal data, content, likes, favorites, and folders are permanently and irreversibly removed within 30 days
- Suspended accounts: Retained for up to 90 days while suspended, after which they may be permanently deleted unless under legal hold or active appeal
- Moderation audit log: A record of any moderation action (suspension, takedown, deletion) is retained for legal and audit purposes, with personal data minimized to a denormalized email address and the action taken
11. Cookies
We use the following types of cookies:
- Essential cookies: Session cookies to keep you logged in and short-lived Cloudflare Turnstile cookies used to verify you are not an automated script. These are strictly necessary for the service to function and do not require consent.
- Analytics cookies: Google Analytics cookies to help us understand how the platform is used and improve the service. These collect pseudonymized usage data such as pages visited, session duration, and approximate location.
- Advertising cookies: Google AdSense cookies to display relevant advertisements on teacher-facing pages. These may be used to show ads based on your interests and browsing activity.
Analytics and advertising cookies are only activated for registered users who have accepted our cookie consent during account setup. Visitors browsing the site without an account are not tracked and are not shown advertisements.
12. Children's Privacy
BlastRoom is designed for teachers to create and manage educational content. Teacher accounts require an email address and are intended for adults. Students interact with the platform through teacher-led sessions and do not need to create accounts.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last updated" date at the top of this page, and existing users will be asked to re-confirm their consent on next sign-in. We may also notify you by email when changes materially affect how your data is processed. We encourage you to review this page periodically.
14. Contact
If you have questions about this Privacy Policy, want to exercise your data rights, or wish to contest an automated decision, please contact us at [email protected].