Legal

Privacy Policy

How we collect, use, and protect your information across the Mahjic ecosystem.

Effective date: February 6, 2026

Introduction

This Privacy Policy describes how Mahjic ("we," "us," or "our") collects, uses, and protects your personal information when you use:

  • The Mahjic App — our iOS and Android mobile application for American Mahjong club management, event registration, and gameplay
  • mahjic.org — our website providing the open rating system for American Mahjong

Mahjic is part of the Bam Good Time ecosystem. The Mahjic App, mahjic.org, and bamgoodtime.com share a unified database and authentication system. This means your account and data are accessible across all three platforms. This policy covers data handling across all of them.

Information We Collect

Account Information

  • Email address — used for passwordless authentication (magic link / OTP login)
  • Name — displayed on your player profile and leaderboard rankings
  • User ID — automatically generated by our authentication system to identify your account

Gameplay and Rating Data

  • Game scores — submitted by Verified Sources (clubs and leagues) after gameplay sessions
  • Mahjic Rating — your ELO-based skill rating calculated from all submitted games
  • Verified Rating — a separate rating calculated only from games against other verified players
  • Rating history — historical record of your rating changes over time

Event and Club Data

  • Event registrations — records of events you register for, including attendance and check-in status
  • Club membership — which clubs or leagues you are associated with
  • Admin-imported contact information — club administrators may import member contact lists (such as CSV files) to manage their rosters

Identity Verification Data

To become a Verified Player ($20/year subscription), you must complete identity verification. This process involves:

  • Government-issued ID — a photo of your ID document (driver's license, passport, etc.)
  • Selfie — a photo of your face for matching against your ID

Important: Government ID images and selfies are collected and processed entirely by Stripe Identity. We never receive, store, or have access to your government ID images or biometric data. We only receive a pass/fail verification result from Stripe.

Payment Information

Payment processing for verified player subscriptions and paid events is handled entirely by Stripe. We do not collect, store, or have access to your credit card numbers, bank account details, or other payment credentials. Stripe provides us only with transaction confirmation and subscription status.

Device and Technical Information

  • Push notification tokens — Expo push tokens stored when you opt in to push notifications on the Mahjic App, used solely to deliver notifications you have requested
  • Device information — basic device type and platform information necessary for delivering push notifications

Uploaded Content

Club administrators may upload photos and graphics for events (such as event flyers or promotional images). These are stored in our database and used only for the associated events.

How We Use Your Information

We use the information we collect for the following purposes:

  • To authenticate your identity and provide access to your account
  • To calculate and maintain your Mahjic Rating and Verified Rating
  • To display your profile and rankings on public leaderboards (verified players only)
  • To manage event registrations, check-ins, and attendance
  • To generate seating arrangements and table assignments for events
  • To send push notifications you have opted into (event reminders, table assignments, waitlist updates)
  • To process payments for verified player subscriptions and paid events
  • To verify your identity for verified player status through Stripe Identity
  • To send transactional emails (verification confirmations, subscription receipts)
  • To maintain league standings, tournament results, and scoring history

Data Sharing Across the Mahjic Ecosystem

The Mahjic App, mahjic.org, and Bam Good Time (bamgoodtime.com) share a single database and authentication system. This means:

  • Your account credentials work across all three platforms with a single login
  • Game scores submitted through Bam Good Time are used to calculate your Mahjic Rating on mahjic.org
  • Event registrations made in the Mahjic App are visible to club administrators on Bam Good Time
  • Your player profile (name, ratings, verification status) is shared across all platforms

All three platforms are operated by the same team and governed by this privacy policy. We do not sell, rent, or share your personal data with unrelated third parties.

Third-Party Services

We rely on the following trusted third-party services to operate the Mahjic ecosystem:

  • Supabase — provides our database hosting, user authentication, and file storage. Your account data, game records, and uploaded content are stored on Supabase infrastructure. See the Supabase Privacy Policy.
  • Stripe — handles payment processing for verified player subscriptions and paid events, as well as identity verification (government ID and selfie). Stripe operates as an independent data controller for payment and identity data. See the Stripe Privacy Policy.
  • Expo — provides the push notification infrastructure for the Mahjic App. Expo push tokens are transmitted to Expo's servers to deliver notifications. See the Expo Privacy Policy.
  • Resend — delivers transactional emails (verification confirmations, subscription receipts). Your email address is shared with Resend for this purpose.
  • Vercel — hosts the mahjic.org website. See the Vercel Privacy Policy.

No Tracking and No Advertising

We do not use any third-party analytics, tracking pixels, or advertising networks. Specifically:

  • We do not run ads on any of our platforms
  • We do not sell or share your data with advertisers or data brokers
  • We do not use tracking cookies or cross-site tracking technologies
  • We do not build advertising profiles based on your activity

We use only essential cookies to maintain your login session. No tracking or marketing cookies are used.

Data Security

We take the security of your data seriously and implement the following measures:

  • All connections between your device and our servers use SSL/TLS encryption (HTTPS)
  • The mobile app implements SSL certificate pinning for additional connection security
  • Authentication uses secure magic links and one-time passwords rather than stored passwords
  • API keys for Verified Sources are securely generated and transmitted
  • Payment and identity verification data is handled entirely by Stripe and never passes through our servers
  • Database access is protected by row-level security policies

Push Notifications

Push notifications in the Mahjic App are entirely opt-in. You will be prompted to grant notification permissions when you first use the app. If you grant permission, we store an Expo push token associated with your account to deliver notifications such as:

  • Event reminders for events you are registered for
  • Table assignment notifications when seating is generated
  • Waitlist updates when you are promoted from a waitlist to a confirmed spot
  • Score and rating updates after games are finalized

You can disable push notifications at any time through your device's system settings. Disabling notifications will not affect any other functionality of the app.

Data Retention

We retain your data for as long as your account is active or as needed to provide our services:

  • Account data is retained until you request deletion
  • Rating history is retained to maintain the integrity of the rating system and leaderboard rankings
  • Event and game data is retained for historical records and league standings
  • Push notification tokens are removed when you uninstall the app or revoke notification permissions
  • Identity verification results (pass/fail status only) are retained as long as your verified subscription is active. Stripe retains identity documents according to their own retention policy.

Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate information in your profile
  • Delete your account and associated personal data
  • Export your data in a portable format
  • Opt out of push notifications at any time

To exercise any of these rights, please contact us at support@mahjic.org. We will respond to your request within 30 days.

Please note that deleting your account will remove your personal information, but anonymized game records and rating contributions may be retained to preserve the integrity of the rating system for other players.

Children's Privacy

Our services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@mahjic.org and we will promptly delete such information.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable laws. When we make significant changes, we will update the effective date at the top of this page and, where appropriate, notify you via email or an in-app notification. We encourage you to review this policy periodically.

Contact Us

If you have any questions about this privacy policy or how we handle your data, you can reach us at: