Privacy Policy

1. Introduction

Mahjong Hand (mahjonghand.com) is a mahjong hand and storyboard image generator for teachers and creators. This Privacy Policy explains what personal data we collect, why we collect it, and how you can contact us about your data.

You can use many features (Create, Learn, export PNG) without signing in. When you create an account or sign in with Google, the practices below apply.

2. Information we collect

Account information: email address and display name when you register with email and password, or when you sign in with Google OAuth (openid, email, profile scopes).
Google profile data: if you use Google sign-in, we receive your Google account ID, email, name, and profile picture URL from Google. We do not receive your Google password.
User content: hand drafts, favorites, and library items you choose to save while signed in.
AI usage: when you use AI features while signed in, we log usage for quota enforcement and service operation (not for training third-party models with your content).
Feedback: messages you submit via feedback, optionally linked to your account.
Usage and technical data: pages visited, feature interactions, browser type, device type, and IP address (via analytics and server logs).

3. How we use your information

Create and manage your account and authentication sessions
Store and sync drafts, favorites, and library items across devices
Enforce AI usage limits and prevent abuse
Respond to support requests and feedback
Improve reliability, security, and product experience
Comply with legal obligations

4. Legal bases (EEA/UK users)

Where applicable, we process personal data based on: performance of our service (account and saved content), legitimate interests (security, analytics, product improvement), and consent where required (for example, non-essential cookies or analytics where local law requires consent).

5. Third-party services

We use trusted providers to operate the service. They process data only as needed:

Google — OAuth sign-in (see Google Privacy Policy)
Supabase — PostgreSQL database hosting for accounts, drafts, favorites, and operational logs
AI API providers — processing prompts you submit for AI hand generation or interpretation (when you use those features)
Google Analytics — aggregated usage statistics when enabled on the site
Hosting provider — serving the website and storing application logs

We do not sell your personal information.

6. Data retention

We keep account and library data while your account is active. You may request deletion by contacting us. Server and security logs are retained for a limited period. Aggregated analytics may be kept longer in de-identified form.

7. Security

We use HTTPS, hashed passwords (for email accounts), signed session tokens, and access controls on our database. No method of transmission or storage is 100% secure; please use a strong, unique password if you register with email.

8. Your rights

Depending on your location, you may have the right to:

Access, correct, or delete your personal data
Restrict or object to certain processing
Export your data in a portable format
Withdraw consent where processing is consent-based
Lodge a complaint with your local data protection authority

To exercise these rights, email [email protected].

9. Children

The service is not directed at children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal data from children.

10. International transfers

Your data may be processed in countries other than your own, including where our hosting and database providers operate. We rely on appropriate safeguards where required by law.

11. Changes

We may update this policy from time to time. The "Last updated" date at the top will change when we do. Continued use after changes means you accept the updated policy.

12. Contact

Questions about this Privacy Policy: [email protected]