Effective May 12, 2026
This Privacy Policy explains what information Wilds and Bombs collects, why we collect it, and how we handle it. We try to collect as little as possible.
Account data. When you create an account we store your username, a one-way hashed password (bcrypt — we never store or see the plaintext password), and the date your account was created.
Optional phone verification. If you choose to verify a phone number to reduce abuse, we send a one-time SMS code via Twilio and store the verified phone number on your account. We do not use your phone number for marketing.
Gameplay data. We store the results of matches you play (room code, score, finishing position, number of players, and timestamp) so we can show you stats, run leaderboards, and resume games you were in the middle of.
Lobby data. When you create or join a lobby we store the lobby owner, lobby members, invite tokens, and timestamps so the lobby system can function and so removed players can't rejoin with old invite links.
Authentication tokens. Once you sign in, your device stores a JSON Web Token (JWT) locally so you stay signed in. The token is sent to our API to authenticate your requests.
Server logs. Our servers log standard request metadata (IP address, request path, response status, timestamp, and an anonymous request ID) for security, rate-limiting, and debugging. Logs are kept short-term and rotated.
Error reports. When the app or website crashes, we collect the error message, stack trace, app version, and platform so we can fix bugs. Error reports are forwarded to Sentry for triage. We do not collect the contents of your gameplay or messages in error reports.
We use first-party browser storage (localStorage) to keep you signed in (your auth token), to remember UI preferences (e.g. whether the hype song is muted), and to redirect returning players directly to the game. We do not use third-party advertising cookies.
We use a small number of providers to run the Service:
These providers process data on our behalf, under their own terms and privacy policies, only to the extent needed to deliver their service.
Account, lobby, and gameplay data are kept while your account is active. Server logs and error reports are kept short-term and then rotated. If you delete your account, we delete or anonymize your account record and disassociate your gameplay history within a reasonable period, except where retention is required for security or legal reasons.
You can stop using the Service at any time and clear your local storage by signing out. Depending on where you live, you may have rights to access, correct, or delete the personal data we hold about you. To request account deletion or to exercise these rights, contact us through the in-app support channel and include your username so we can verify the request.
The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, contact us and we will delete it.
We use HTTPS in transit, hash passwords with bcrypt, rate-limit sensitive endpoints, and apply standard security headers. No system is perfectly secure — please use a strong, unique password and tell us if you suspect your account has been compromised.
We may update this Policy from time to time. If we make material changes, we will update the effective date above and, where appropriate, give notice in the app.
Questions about this Privacy Policy? Reach us through the in-app support channel.