Squire Privacy Policy

1. Who we are

Squire is a tabletop wargaming army-list builder and community platform. The Service is operated by Sonder Digital Pty Ltd, based in Melbourne, Australia.

For any privacy questions or to exercise your rights, contact us at [email protected].

If you are in the European Economic Area (EEA) or United Kingdom, Sonder Digital Pty Ltd is the controller of your personal data for the purposes of the GDPR and UK GDPR. If you are in Australia, we handle personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

2. Selling your data, and advertising

We want to be clear about this up front, because it matters to our community:

• We do not sell or rent your personal information, and we do not hand your personal information to advertisers or other third parties for their own purposes.
• We may show advertising or sponsored content within Squire. When we do, we choose what to show using our own first-party information about how you use Squire. The ad is served by us — your personal information is not disclosed to advertisers, and we do not let third-party ad networks track you across other websites or apps.

In short: advertising on Squire is run in-house using first-party data. We don’t plug you into third-party ad networks that follow you around the web. See Section 7 for detail.

3. Information we collect

3.1 Information you give us

• Account information. When you create a Squire account, we collect your email address, a username or display name, and a password (which we store only as a salted hash — we never see or store your password in plain text).
• Profile information. Any optional details you choose to add to your profile.
• Content you create. Army lists, rosters, collections, notes, game/battle tracking data, unit personalisation, and other content you create or save in the Service (“User Content”).
• Files you upload. Files you import, including BattleScribe .ros / .rosz rosters and similar data files. We process these to bring your data into Squire.
• Communications. If you contact us for support or feedback, we keep that correspondence and the information in it.

3.2 Information we collect automatically

• Usage data. Basic information about how you interact with the Service — pages or features accessed, actions taken, and timestamps — used to operate, secure, improve, and (as described in Section 7) show relevant advertising within the Service.
• Device and connection data. Information such as IP address, browser type, and device/OS, primarily for security, abuse prevention, and diagnostics.
• Analytics. We use PostHog to understand how the Service is used so we can improve it. PostHog records product events (such as features used, pages viewed, and actions taken), associated with your account or a device identifier, and uses first-party cookies or similar local storage. We use it for our own product analytics — not for advertising and not to track you across other websites.

3.3 Payment information (tournament organisers, vendors, and commerce only)

Players do not pay to use Squire. Payment information is only relevant if you transact through the Service as a tournament organiser, vendor, event participant paying an entry fee, or similar.

Where payments occur, they are processed by our payment provider, Airwallex, and (where relevant) the organiser or vendor receiving the payment. We do not collect or store full payment card numbers. Card and bank details are handled directly by the payment provider under its own terms and security standards. We receive limited transaction information — such as confirmation of payment, amounts, and the last digits or type of instrument — to operate and reconcile payments.

3.4 API usage

If you use the Squire API, you do so through a Squire account. We log API requests associated with your account (such as endpoints called and timestamps) to operate the API, enforce limits, and prevent abuse.

We do not knowingly collect special categories of data (such as health, biometric, or political data), and we ask that you not provide them.

4. How we use information

We use information to:

• create and manage your account, and authenticate you;
• provide the core features of the Service — building, saving, importing, sharing, and tracking lists and games;
• operate the API and enforce usage limits;
• process and reconcile payments where you transact as an organiser, vendor, or participant;
• show and measure advertising and sponsored content within the Service, using first-party data (see Section 7);
• communicate with you about the Service, including service notices and support;
• maintain security, prevent fraud and abuse, and debug problems;
• understand aggregate usage so we can improve the Service; and
• comply with legal obligations and enforce our terms.

Legal bases (EEA / UK users)

Where the GDPR or UK GDPR applies, we rely on:

• Contract — to provide the Service you’ve signed up for (e.g. your account, lists, and API access).
• Legitimate interests — to secure the Service, prevent abuse, improve features, and show relevant first-party advertising, balanced against your rights. You can object to processing for direct marketing at any time (see Section 12).
• Legal obligation — to comply with applicable law (e.g. financial record-keeping for payments).
• Consent — where we ask for it (e.g. optional communications); you can withdraw consent at any time.

5. How we share information

We share personal information only in these circumstances:

• Service providers (sub-processors). We use a small number of infrastructure and service providers who process data on our behalf, under contract, only to provide their service to us. These currently include:
  • Cloudflare — hosting, storage (R2), content delivery, and security.
  • Neon — managed database hosting.
  • Airwallex — payment processing (where payments occur).
  • PostHog — product analytics.
• At your direction. When you choose to share or publish User Content (see Section 6).
• Legal and safety. Where required by law, legal process, or to protect the rights, safety, and security of Squire, our users, or the public.
• Business transfers. If Squire is involved in a merger, acquisition, or sale of assets, information may transfer as part of that transaction; we’ll notify you of any change in control of your personal information.

We do not sell your personal information, and we do not disclose it to advertisers (see Sections 2 and 7).

6. Public content and sharing

Some features let you share or publish User Content — for example, sharing an army list via a link or making content visible to the community. Anything you choose to make public or share can be seen, copied, and used by others, and may be cached or indexed outside our control. Please be thoughtful about what you include in content you share. You can change or remove sharing for content you control through the Service.

7. Advertising

We may show advertising and sponsored content within the Service. Our advertising is first-party, which means:

• We choose which ads to show using our own information about how you use Squire (for example, the game systems or pages you engage with). We do this in-house.
• We serve the ads ourselves. We do not disclose your personal information to advertisers or sponsors. An advertiser can ask us to show their ad to a relevant audience, but they do not receive data identifying you.
• We do not use third-party ad networks, exchanges, or cross-site tracking to follow you across other websites and apps, and we do not share your personal information for cross-context behavioural advertising.

You can object to personalised advertising at any time by contacting us at [email protected], and through any advertising controls we provide in the Service. If we ever change this approach — for example, by introducing third-party advertising — we will update this policy and provide the opt-out choices required by law before doing so.

8. Cookies and similar technologies

We use cookies and similar local storage sparingly:

• Essential cookies — required to keep you signed in and to keep the Service secure and functioning. These can’t be switched off without breaking core functionality.
• Preference storage — to remember settings such as display preferences.
• Analytics cookies — first-party cookies or similar storage used by PostHog to recognise you across sessions and understand how the Service is used (see Section 3.2).
• First-party advertising cookies — to measure and manage the ads we show (for example, to avoid showing you the same ad repeatedly). These are first-party only.

We do not use third-party advertising cookies or cross-site tracking technologies. If this changes in future, we will update this policy and, where required, ask for your consent.

9. Data retention

We keep personal information for as long as your account is active and as needed to provide the Service. After that:

• Account and User Content — retained until you delete the content or your account; on account deletion we delete or anonymise your personal information within a reasonable period, except where we must retain it (see below).
• Payment records — retained as required for financial, tax, and legal record-keeping.
• Logs and security data — retained for a limited period for security and diagnostics.

We may retain limited information where necessary to comply with legal obligations, resolve disputes, or enforce our agreements.

10. Data security

We take reasonable technical and organisational measures to protect personal information, including encryption in transit, hashed password storage, access controls, and reliance on reputable infrastructure providers. No system is perfectly secure, and we cannot guarantee absolute security, but we work to protect your information and to respond appropriately if something goes wrong.

11. International data transfers

We are based in Australia and our providers may process data in other countries, including the United States and within the EEA (for example, our product analytics provider PostHog processes data on its US cloud). Where we transfer personal data internationally from the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses or transfers to jurisdictions recognised as providing adequate protection. By using the Service, you understand your information may be processed in countries other than where you live.

12. Your rights

Depending on where you live, you may have some or all of the following rights:

• Access a copy of the personal information we hold about you.
• Correct information that is inaccurate or out of date.
• Delete your information (“right to erasure”).
• Export / portability — receive your information in a portable format. (You can also export much of your own content directly through the Service.)
• Object to or restrict certain processing, including the right to object to direct marketing and personalised advertising at any time.
• Withdraw consent where we rely on it.

EEA / UK users: You may exercise the rights above under the GDPR / UK GDPR and have the right to lodge a complaint with your local supervisory authority.

California users: Under the CCPA/CPRA you have rights to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined — our advertising is first-party and we do not disclose your personal information to third parties for their own purposes — and we do not discriminate against you for exercising your rights.

Australian users: You may request access to and correction of your personal information under the Australian Privacy Principles, and may complain to us and then to the Office of the Australian Information Commissioner (OAIC) if you’re not satisfied with our response.

To exercise any right, contact [email protected]. We will verify your request and respond within the timeframe required by applicable law.

13. Children’s privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from them. If you are under the age of digital consent in your country, please do not create an account or provide personal information without the involvement of a parent or guardian. If we learn we have collected personal information from a child without appropriate consent, we will delete it. If you believe a child has provided us personal information, contact us at [email protected].

14. Third-party links and services

The Service may link to third-party sites or services (for example, vendor or publisher pages). We are not responsible for their privacy practices. Review their privacy policies before providing them information.

15. Changes to this policy

We may update this policy from time to time. If we make material changes, we’ll update the “Last updated” date and, where appropriate, notify you through the Service or by email. Your continued use of the Service after changes take effect means you accept the updated policy.

16. Contact us

Questions, requests, or complaints about privacy: