Privacy Policy
Last updated March 27, 2026
TL;DR — The short version
- We don't sell your data. Ever.
- We never store raw IP addresses — only irreversible SHA-256 hashes for click attribution.
- You can use Canontrails without an account and we collect nothing identifiable.
- Our infrastructure runs on Vercel and Supabase. Game data comes from IGDB and HowLongToBeat.
01 Our philosophy
Canontrails is built with a privacy-first mindset. We believe your browsing habits should remain your own. We do not sell your personal information, we do not run advertising, and we collect only what is strictly necessary to provide the service.
We never store raw IP addresses. Where click tracking is required for affiliate attribution, we use a one-way SHA-256 hash of your IP combined with the current date. This cannot be reversed to identify you, and it automatically becomes useless after 24 hours as the date changes.
This policy applies to all users of Canontrails regardless of location.
02 Information we collect
When you browse Canontrails without an account we collect nothing beyond what your browser sends in a standard HTTP request — browser type, operating system, referring URL. This is standard server log data and is not stored persistently.
When you click an affiliate buy link we log: a SHA-256 hashed IP address (non-reversible), an approximate country code derived from Vercel's edge network header, the link ID clicked, and a timestamp. No personally identifiable information is stored.
If you create an account (coming soon via Supabase Auth), we will collect your email address and any data you explicitly choose to save — game lists, ratings, playtime logs. You can delete this data at any time.
We do not collect: your name, phone number, payment information, precise location, or any device identifiers beyond hashed IPs.
03 Cookies & local storage
Canontrails does not use third-party tracking cookies. We do not use Google Analytics, Meta Pixel, or any other behavioural advertising network.
We may store a small amount of data in your browser's local storage to preserve your preferences (such as the selected play order tab on a series page). This data never leaves your device and is not transmitted to our servers.
If authentication is added in the future, a secure session cookie will be used to keep you logged in. This will be a first-party, HttpOnly cookie and will not be used for tracking.
04 Third-party services
IGDB (owned by Twitch/Amazon) — we use their API for game metadata, cover art, series groupings, and entry type classification. API calls are made from our servers; your browser does not contact IGDB directly.
HowLongToBeat — we fetch playtime data from their service server-side. Your browser does not contact HowLongToBeat directly.
RAWG — used as a supplementary source for game information and cover images. Server-side only.
Vercel — our hosting and CDN provider. Vercel may log standard request metadata per their privacy policy at vercel.com/legal/privacy-policy.
Supabase — our database and future auth provider, hosted on AWS infrastructure. Supabase's privacy policy applies to data stored in our database.
05 Data retention
Affiliate click logs (hashed IP + country + link ID) are retained for 12 months for analytics purposes, then automatically deleted.
Server logs from Vercel are governed by Vercel's own retention policy.
Account data (if applicable) is retained until you request deletion.
We do not retain any data that could be used to identify you beyond the retention periods above.
06 Data security
All traffic is served over HTTPS with TLS 1.2 or higher. Data at rest in Supabase is encrypted using AES-256.
We never log or store raw IP addresses. The SHA-256 hashes used for click attribution are salted with the current date, making them non-reversible and time-limited.
Access to our database is restricted to application credentials only. We do not share database access with third parties.
We keep dependencies up to date and monitor for known vulnerabilities. No system is perfectly secure, but we take it seriously.
07 Your rights
You can use Canontrails entirely without creating an account. In that case, we hold no personally identifiable data about you.
If you have an account, you have the right to: access the data we hold about you, correct inaccurate data, request deletion of your account and all associated data, and export your data in a machine-readable format.
EU residents (GDPR) have additional rights including the right to restrict processing and the right to lodge a complaint with a supervisory authority.
California residents (CCPA) have the right to know what personal information we collect, the right to delete it, and the right to opt out of sale (we do not sell data, but this right applies regardless).
To exercise any of these rights, contact us through our support page. We will respond within 30 days.
08 Children's privacy
Canontrails is not directed at children under 13. We do not knowingly collect personal information from children under 13.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us through our support page and we will delete it promptly.
09 Changes to this policy
This policy was last updated on March 27, 2026. If we make material changes that affect how we handle your data, we will update the date at the top of this page.
Continued use of Canontrails after changes are posted constitutes your acceptance of the updated policy. If you disagree with the changes, you should stop using the service and may request deletion of any account data.
Questions or requests?
For privacy-related questions, data access requests, or deletion requests, contact us directly. We aim to respond within 30 days.