Privacy Policy
Effective Date:
1. Introduction
ThekaDex (“we,” “our,” or “us”) operates a platform that helps game developers and creative technologists transform their projects into professional portfolios. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our service, including our free, Pro, and Recruiter subscription tiers.
2. Data Controller and Processors
2.1 Data Controller
Leap of Faith Studios Inc. acts as the Data Controller for your personal information. We determine the purposes and means of processing your data. For purposes of applicable data protection laws, the data controller is:
2.2 Data Processors
We use the following third-party service providers who process data on our behalf as Data Processors. Each processor is bound by Data Processing Agreements (DPAs) that ensure GDPR-compliant data handling:
- Supabase: Database hosting and authentication services
- Vercel: Application hosting and edge computing services
- Upstash (Vercel KV): Caching and rate limiting services
- Stripe: Payment processing for Pro and Recruiter subscriptions
All data processors have been carefully selected to ensure they provide appropriate technical and organizational measures to protect your personal data.
3. Information We Collect
3.1 Information You Provide
- Account Information: Email address, password (encrypted), username, and account type (developer or recruiter)
- Profile Information: Display name, bio, tagline, profile picture, social media links, and availability status
- Subscription Information: For Pro and Recruiter tiers, we collect billing information through Stripe (payment method, billing address). We do not store full credit card numbers—Stripe handles payment data securely.
- Game Projects: When you add games from itch.io, Steam, or GitHub, or create manual entries, we collect project titles, descriptions, images, links, and metadata you provide
- Portfolio Sections: Custom content, markdown text, and media (images, videos, audio) you upload to showcase your projects
- Messages: For Pro and Recruiter users, direct messages sent and received through our platform
- Feedback and Votes: Feature requests, bug reports, and votes you submit through the feedback system
- Saved Candidates: For Recruiter tier users, lists of developers you save and organize
3.2 Information We Collect Automatically
- Game Data: When you import games from itch.io or Steam by providing URLs, we scrape publicly available data including game titles, descriptions, cover images, statistics (views, downloads, ratings), rankings, tags, platforms, and metadata. For GitHub projects, we collect repository information you authorize.
- Usage Analytics: We collect analytics about portfolio views, including viewer types (developer or recruiter, self-identified by account type). Anonymous viewers are not categorized. We anonymize analytics data by truncating IP addresses and aggregating data such that individual users cannot be re-identified.
- Gamification Data: We track XP (experience points), level progression, achievements earned, and leaderboard standings based on your platform activity
- Feature Usage: For subscription management, we track usage of features with limits (e.g., AI enhancements, API calls, saved candidates) to enforce tier restrictions
- Technical Information: IP address (truncated for analytics), browser type, device information, and access times for security and service improvement purposes
4. How We Use Your Information
We use the collected information for the following purposes:
- To create and maintain your account
- To generate and display your public portfolio at thekadex.com/[username]
- To import your projects from itch.io, Steam, and GitHub
- To provide analytics about your portfolio views and engagement
- To process payments and manage subscriptions for Pro and Recruiter tiers through Stripe
- To enable direct messaging between users (Pro and Recruiter tiers)
- To provide AI-powered content enhancement features (xAI Grok integration) in the form of select text enhancement
- To moderate uploaded images for safety (Hive AI integration)
- To track gamification features (XP, achievements, leaderboards)
- To enable recruiter features (developer search, saved candidates, export lists)
- To collect and manage user feedback and feature requests
- To improve and optimize our service
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
4.1 Communications
We send two types of communications:
Transactional Communications (you cannot opt out):
- Account security alerts and password resets
- Subscription and billing notifications
- Critical service updates and maintenance notifications
- Responses to your support requests
- Legal notices and policy updates
Marketing Communications (opt-in/opt-out):
- New features and product updates
- Tips and best practices for portfolio optimization
- Promotional offers for tier upgrades
You can opt out of marketing emails at any time via the unsubscribe link in any marketing email or through your account settings.
5. Information Sharing and Disclosure
5.1 Public Information
The following information is publicly accessible on your portfolio page at thekadex.com/[username]:
- Username, display name, bio, and tagline
- Profile picture
- Social media links you choose to display
- Game and project entries with their associated metadata, sections, and media
- Availability status (if enabled)
- Subscription tier badge (Free, Pro, or Recruiter)
5.2 Third-Party Service Providers
We share information with the following third-party service providers. Each provider has been selected for their strong privacy and security practices:
- Supabase: Database and authentication services (data stored in secure cloud infrastructure).
- Stripe: Payment processing for Pro and Recruiter subscriptions. We share billing information necessary to process payments. Stripe is PCI DSS Level 1 certified.
- xAI (Grok): AI-powered content enhancement. When you use the “Enhance” feature, only the specific text you choose to enhance is sent to xAI. We instruct xAI not to use your content for training their models.
- Hive AI: Automated image moderation for platform safety. All uploaded images are scanned for inappropriate content. We instruct Hive AI not to use your images for model training.
- Vercel: Hosting and edge computing services.
- Upstash (Vercel KV): Rate limiting and caching services.
- Sentry: Error tracking and performance monitoring (anonymized data only).
We have Data Processing Agreements (DPAs) in place with our data processors to ensure GDPR-compliant handling of your personal information.
5.3 Legal Requirements
We may disclose your information if required by law, legal process, or government request, or to protect the rights, property, or safety of ThekaDex, our users, or the public.
6. Data Security
We implement industry-standard security measures to protect your personal information:
- Passwords are hashed using bcrypt
- Sensitive data is encrypted using AES-256-GCM encryption where applicable
- Payment information is handled exclusively by Stripe (PCI DSS Level 1 certified) and never stored on our servers
- All data transmissions use HTTPS/TLS encryption
- Database access is protected by Row Level Security (RLS) policies
- API endpoints are protected with rate limiting to prevent abuse
- Uploaded images are scanned for malicious content and inappropriate material
- Regular security audits and updates
7. Data Breach Notification
In the event of a data breach that may affect your personal information, we are committed to transparency and prompt notification:
- Notification Timing: We will notify you without undue delay, and within 72 hours where required by applicable law (such as GDPR)
- Notification Method: We will send notification via email to your registered email address
- Information Provided: Our notification will describe the nature of the breach, the categories of personal data affected, potential consequences, and the measures we have taken or propose to take to mitigate the breach
- Regulatory Notification: For users in the European Union, we will notify the relevant supervisory authorities as required by GDPR Article 33
- Your Actions: We will provide guidance on steps you can take to protect yourself, such as changing passwords or monitoring accounts
We maintain an incident response plan and conduct regular security assessments to minimize the risk of data breaches and ensure rapid response if one occurs.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you services. Specific retention periods and their justifications include:
- Account Data: Retained while your account is active and for 30 days after account deletion
  Reason: To allow account recovery in case of accidental deletion and to prevent immediate re-registration abuse
- Profile Information: Deleted within 30 days of account deletion
  Reason: Grace period for account recovery; permanently removed thereafter
- Project Data: Deleted within 30 days of account deletion or platform disconnection
  Reason: No longer needed once account is deleted or integration is disconnected
- Messages: Retained for 90 days after account deletion to maintain conversation history for other users
  Reason: Preserves message threads for recipients; your identifying information is anonymized after 30 days
- Billing Records: Retained for 7 years for accounting and tax compliance
  Reason: Legal requirement for financial record keeping
- Access Logs: Retained for up to 90 days
  Reason: Security monitoring, fraud investigation, and abuse prevention
- Analytics Data: Anonymized analytics may be retained indefinitely
  Reason: Once truly anonymized (cannot identify individuals), data is used for long-term service improvement and does not constitute personal data under GDPR
- Legal Compliance: Some data may be retained longer where required by law
  Reason: Compliance with legal obligations, tax requirements, or valid legal holds
When you delete your account, we retain your data for 30 days to allow account recovery in case of accidental deletion. During this period, you can contact support@thekadex.com to restore your account. After 30 days, all personal data is permanently deleted and cannot be recovered.
9. Your Rights and Choices
You have the following rights regarding your personal information:
Access Your Data
You can access your profile data through the dashboard settings page at any time.
- Log into your dashboard
- Navigate to Settings → Privacy & Data
- View all your stored personal information
Update Your Information
You can update your profile information at any time in your settings.
- Log into your dashboard
- Navigate to Settings
- Update your profile information, bio, social links, etc.
- Changes take effect immediately
Export Your Data
Request a machine-readable copy of all your personal data.
Email privacy@thekadex.com with your username and registered email address. Include "Data Export Request" in the subject line. We will provide a JSON export within 48 hours.
Delete Your Data
You can delete your platform connections or your entire account.
- Log into your dashboard
- Navigate to Settings → Account
- Click "Disconnect itch.io", "Disconnect Steam", "Disconnect GitHub", or "Delete Account"
- Confirm your choice
Note: Account deletion is permanent after 30 days. During this grace period, you can contact support to restore your account.
Subscription Cancellation: To cancel a paid subscription, visit Dashboard → Subscription and click "Manage Subscription" to access the Stripe billing portal. Canceling your subscription downgrades you to the Free tier but does not delete your account.
Control Visibility
You can control which information is public on your portfolio through your dashboard settings.
Other Requests
For other data-related requests (objection to processing, restriction of processing, etc.), contact us at privacy@thekadex.com with:
- Your username and registered email
- Specific request type (access, deletion, objection, etc.)
- Valid ID verification for security purposes
We will respond within 30 days.
9.1 GDPR Rights (EU Users)
If you are located in the European Union, you have additional rights under GDPR:
- Right to be Forgotten: Request complete deletion of your personal data
- Data Portability: Receive your data in a structured, machine-readable format
- Object to Processing: Object to processing of your personal data for certain purposes
- Restrict Processing: Request restriction of processing in certain circumstances
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
- Lodge a Complaint: File a complaint with your local data protection authority
Legal Basis: We process your data based on (1) your consent when you create an account, (2) contractual necessity to provide our services, and (3) legitimate interests in improving our platform and preventing fraud.
9.2 CCPA Rights (California Users)
If you are a California resident, you have rights under the CCPA:
- Right to Know: Request information about personal data we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at privacy@thekadex.com. We will respond within 45 days.
10. Cookies and Tracking
We use cookies and similar tracking technologies to provide and improve our service. This section explains what cookies we use, why we use them, and how you can control them.
10.1 Types of Cookies We Use
Essential Cookies (Required)
These cookies are necessary for the service to function and cannot be disabled:
- Authentication: Maintains your logged-in session (expires after 30 days)
- Security: CSRF protection tokens (session-based)
- Preferences: Theme selection (dark/light mode) (persistent)
Analytics Cookies (Optional)
These cookies help us understand how users interact with our service:
- Portfolio Analytics: Track views, visitor types, and referrers (anonymized)
- Usage Analytics: Understand feature usage and user flows (anonymized)
Note: We anonymize IP addresses and aggregate data so individual users cannot be identified.
10.2 Third-Party Cookies
Our hosting provider (Vercel) may set cookies for performance optimization and edge caching. These cookies do not contain personal information.
10.3 Cookie Control
You have several options to control cookies:
- Browser Settings: Most browsers allow you to refuse cookies or delete existing cookies. However, disabling essential cookies will prevent you from using core features like signing in.
- Analytics Opt-Out: You can opt out of analytics tracking in your account settings (feature coming soon).
Browser Cookie Management:
11. Children's Privacy
ThekaDex is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
Age Verification: When you create an account, you affirm that you are at least 13 years of age. For users in the European Union between ages 13-16, we may require parental consent in accordance with GDPR Article 8.
Parent or Guardian Notice: If you are a parent or guardian and believe we have collected information from a child under 13, please contact us immediately at privacy@thekadex.com. We will delete such information within 48 hours of verification.
12. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your country.
12.1 Countries Where Data Is Processed
Your data may be transferred to and processed in the following countries:
- United States: Supabase (database), Vercel (hosting), Upstash (caching), Stripe (payments), xAI (AI features), Hive AI (content moderation), Sentry (error tracking)
- Your Location: Edge servers may cache content closer to your location for performance
12.2 Safeguards for International Transfers
We ensure appropriate safeguards are in place to protect your information during international transfers:
- Standard Contractual Clauses (SCCs): For transfers from the EU to the United States, we rely on Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision 2021/914)
- Data Processing Agreements: All third-party processors have signed DPAs that include SCCs where required
- Technical Safeguards: Encryption in transit (TLS) and at rest, access controls, and regular security audits
- Processor Compliance: Our service providers comply with GDPR requirements and maintain ISO 27001 or SOC 2 certifications
You can request a copy of the safeguards we have in place by contacting privacy@thekadex.com.
13. Do Not Sell My Personal Information
We do not sell your personal information. ThekaDex has never sold personal information and we have no plans to do so in the future.
Under the California Consumer Privacy Act (CCPA), California residents have the right to opt out of the sale of their personal information. Since we do not sell personal information, there is no need to opt out. However, if our practices change in the future, we will update this Privacy Policy and provide California residents with a clear way to opt out before any such sale occurs.
If you have questions about our data practices, please contact us at privacy@thekadex.com.
14. Privacy by Design
We implement privacy considerations throughout our development process and service architecture:
- Data Minimization: We only collect information that is necessary to provide our service. We do not collect unnecessary personal data or track users beyond what is needed for functionality and basic analytics.
- Encryption by Default: Sensitive data is encrypted at rest (AES-256-GCM for tokens, bcrypt for passwords) and in transit (TLS 1.3). All connections to our service use HTTPS.
- Access Controls: Strict limits on who can access user data internally. Database access is protected by Row Level Security (RLS) policies ensuring users can only access their own data.
- Security Audits: Regular security assessments, dependency updates, and vulnerability scanning to identify and fix potential issues before they can be exploited.
- Privacy Impact Assessments: New features that process personal data undergo privacy reviews to ensure compliance with data protection principles.
- Transparency: Clear communication about what data we collect, how we use it, and who we share it with. No hidden data collection or tracking.
- User Control: You have control over your data with easy-to-use tools to view, update, export, and delete your information.
Privacy is not an afterthought – it's built into every aspect of our service from the ground up.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last Updated” date above.
Notification of Material Changes: For significant changes that affect your rights or how we process your data, we will:
- Send an email notification to your registered email address
- Display a prominent notice on the service
- Provide at least 30 days' notice before the changes take effect
Your continued use of the service after such changes constitutes your acceptance of the new Privacy Policy. If you do not agree to the changes, you may delete your account.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
Leap of Faith Studios Inc.
PO Box 97
Powell, TN 37849
United States
Email: privacy@thekadex.com
Response Time:
- General inquiries: 30 days
- GDPR requests (EU users): 30 days
- CCPA requests (California users): 45 days (extendable to 90 days for complex requests, with notice)
Data Protection Officer: All privacy-related requests, including GDPR inquiries from EU users, should be sent to the email address above. We handle all data protection matters internally and will designate an EU representative if legally required as our user base grows.
Last updated: