Privacy Policy

Last updated: April 2026

This policy explains how Gama Alternative Management SRL (“we”, “us”) collects and uses personal data when you use The Second Past (secondpast.com). We are the data controller under GDPR.

1. What we collect

• Account data — email address, display name, and profile picture provided via Clerk (Google OAuth or email sign-up).
• Gameplay data — your in-game actions, inventory, chronicle, run history, and credit balance.
• Payment data — purchase amounts, timestamps, and Stripe payment identifiers. Card details are handled entirely by Stripe and never reach our servers.
• Usage data — anonymised page views via Vercel Analytics (no cross-site tracking, no advertising profiles). Error events via Sentry (stack traces, may include gameplay context).
• Social submissions — if you submit a TikTok/Twitter URL for free credits, we store the URL and any note you provide.

2. Legal basis for processing (GDPR)

• Contract — processing your gameplay data and credit balance to deliver the service you purchased.
• Legitimate interests — error tracking, abuse prevention, product analytics.
• Legal obligation — retaining payment records as required by Romanian and EU tax law.

3. How we use it

• To run gameplay, track your run history, and maintain your credit balance
• To process payments and deliver credits
• To display public leaderboards and share pages (death cards, profiles)
• To send transactional emails (purchase confirmations, account notices) via Resend
• To diagnose bugs and improve the service

We do not sell your data or use it for advertising.

4. Sub-processors

We share data with the following third-party services to operate the platform:

• Clerk — authentication and identity; stores your email and profile (clerk.com)
• Stripe — payment processing; receives your payment details and billing country (stripe.com)
• Anthropic — AI narrative generation; your in-game actions are sent to their API (anthropic.com)
• OpenAI — image generation; scene context is sent to their API (openai.com)
• Cloudflare R2 — image storage (cloudflare.com)
• Railway — API hosting and PostgreSQL database (railway.app)
• Vercel — frontend hosting and anonymised analytics (vercel.com)
• Sentry — error tracking; may capture gameplay context in stack traces (sentry.io)
• Resend — transactional email delivery (resend.com)

Each provider acts as a data processor under a data processing agreement and has their own privacy policy.

5. Cookies

We use:

• Authentication cookies — set by Clerk to maintain your session. Strictly necessary; no consent required.
• Analytics — Vercel Analytics uses anonymised, cookieless measurement. No tracking cookies.
• Stripe — Stripe may set cookies during the checkout flow on their hosted page for fraud prevention.

We do not use advertising or cross-site tracking cookies.

6. Public content

Death cards, profile pages, and run share pages are publicly accessible by default. If you want content removed from public view, contact us at privacy@secondpast.com.

7. Data retention

• Account and gameplay data — retained while your account is active. Deleted within 30 days of account deletion.
• Payment records — retained for 5 years as required by Romanian tax law.
• Anonymised analytics — may be retained indefinitely for product improvement.

8. Your rights (GDPR)

If you are in the EU or UK, you have the right to:

• Access — request a copy of the data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your account and personal data
• Restriction — ask us to limit processing in certain circumstances
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests

To exercise these rights, use the “Delete my account” option in profile settings, or contact us at privacy@secondpast.com. You also have the right to lodge a complaint with your national data protection authority.

9. International transfers

Some sub-processors (Anthropic, OpenAI, Vercel, Sentry, Railway) are based in the United States. Transfers are covered by Standard Contractual Clauses or equivalent safeguards under GDPR Article 46.

10. Changes

We may update this policy. Material changes will be notified via email or a notice on the site. Continued use after a change constitutes acceptance.

11. Contact

Data protection queries, access requests, or deletion requests: privacy@secondpast.com