Privacy Policy

Account & sign-in

You sign in with your existing Kick or Twitch account through OAuth. We do not ask for your password, email address, phone number, or payment information.

When you sign in, we store:

• Platform (Kick or Twitch) and platform user ID
• Username, display name, and avatar URL from your platform profile
• Encrypted OAuth tokens (access, refresh, token type, expiry, and scope) so we can keep you logged in and refresh your session
• When your account was created and when tokens were last updated

Game data you create

When you use the site, we store the drafts, bingo games, picks, and cards you create or submit, including:

• Draft and bingo instance titles, settings, lock state, and official results
• Your draft pick order and captain assignments
• Your bingo card layouts
• Delegated admin relationships for instances you own or manage

This data is tied to your account so you can return, edit submissions where allowed, and manage instances you create.

Public information

Some information is visible to anyone who visits the site, without signing in:

• Profile and stats pages showing your username, platform, display name, avatar, and participation history
• Community draft boards showing submitter usernames, platforms, picks, and captain assignments
• Shared draft and bingo instance pages you or others link to

By participating in a public game instance, your username and submissions may appear on those pages.

Cookies & sessions

We use a small number of functional cookies. We do not use analytics, advertising, or tracking cookies.

• Session cookie (dmm_session) — keeps you logged in for up to 31 days
• OAuth cookie (dmm_kick_oauth) — temporary cookie used only during Kick or Twitch sign-in (about 10 minutes), then cleared

Session cookies are HttpOnly, Secure, and SameSite=Lax. We do not use browser local storage or session storage.

When a session is created, we store a SHA-256 hash of your browser's User-Agent string alongside the session record. We do not store your full User-Agent or IP address.

Third-party services

Sign-in and profile data come from the platform you choose:

• Kick — OAuth and public profile API (Kick privacy policy)
• Twitch — OAuth and Helix user API (Twitch privacy notice)

Avatar images are loaded from Kick or Twitch CDN URLs. Your use of those platforms is also governed by their own terms and policies.

What we do not collect

• Email addresses, phone numbers, or mailing addresses
• Payment or billing information
• Analytics, advertising, or third-party tracking identifiers
• IP addresses

Storage & security

Data is stored in a SQLite database on the server running this site. OAuth tokens are encrypted at rest using AES-256-GCM. Session cookies are signed with a server secret.

Server logs may include usernames or error details during normal operation. We do not sell your data.

Deleting your account

You can permanently delete your account from Account Settings. Deletion removes your user record, sessions, draft and bingo submissions, instances you own, and related data. This action cannot be undone.