Security & Privacy

Google OAuth via Supabase Auth. No passwords are stored. Session tokens are managed as HTTP-only cookies and automatically refreshed by Supabase.

Account access requires admin approval. After signup, you cannot access the platform until your status is set to 'approved' by an admin.

PostgreSQL on Supabase with Row Level Security (RLS) policies enabled. Every table has RLS enforced:

• —Profiles — viewable by everyone, only you can update yours
• —Games — public games viewable by all, create/edit/delete restricted to owner
• —Feedback — only visible to the reviewer and the game owner
• —Storage — authenticated users can upload, only delete their own files

All database queries use Supabase client library's parameterized queries, which prevent SQL injection. No raw SQL strings are constructed in application code.

Data stored: Google profile info (name, avatar URL), Supercell email, cohort selection, game builds/cover images (Supabase Storage), feedback responses, review points.

Game files and cover images are stored in a public Supabase Storage bucket. Upload requires authentication, but anyone with the URL can download them.

• —No end-to-end encryption — data is encrypted at rest by Supabase infrastructure, but not E2E encrypted
• —No rate limiting — API rate limiting is not implemented (relies on Supabase defaults)
• —No penetration testing — has not been professionally security audited
• —Storage bucket is public — uploaded files are accessible if you know the URL