← Back to 40 Carrot
PRIVACY POLICY
Last updated: July 1, 2026
This Privacy Policy describes how Charlie Calotta Vocal LLC ("we," "us," or "our") collects, uses, and protects information when you use 40 Carrot (the "App"), available at 40-carrot.app. We've tried to write this in plain language. If anything is unclear, email privacy@40-carrot.app and we'll explain it.
Who we are
40 Carrot is operated by Charlie Calotta Vocal LLC, a limited liability company organized in the State of New York, United States. You can reach us at:
Charlie Calotta Vocal LLC
165 E 66th St
New York, NY 10065
United States
privacy@40-carrot.app
What we collect
We collect only what's needed to sign you in, keep your account working, and — if you purchase Full Access — manage your entitlement. Specifically:
- Account identifiers. You can create an account with an email address and password, or sign in with Google. Authentication is provided by Supabase. If you use Google sign-in, we receive only your basic profile — your Google user ID, email address, and display name — through the standard OpenID Connect (openid, email, profile) scopes. We do not request YouTube or any other extended Google scopes.
- Purchase and entitlement records. Payments are processed by Polar.sh, our merchant of record — we never see or store your card details. Polar tells us whether your account has an active subscription or a lifetime purchase, and we store that entitlement (plan, status, expiry, and Polar customer reference) in our database so the App knows which features to unlock.
- Session information. Your Supabase session token is stored in your browser's local storage so you stay signed in between visits, and it is sent with API requests as a bearer token. We do not use tracking cookies.
- Basic analytics. We use Vercel Analytics and Vercel Speed Insights to understand aggregate traffic (page views, load times, device type). These tools do not track you across other websites and do not use advertising cookies.
What we don't collect
- We don't store your boards, armies, terrain setups, or snapshots on our servers unless you use cloud saves (a Full Access feature that stores the saves you choose in our database so they sync between your devices). Otherwise, all of that game state lives locally in your browser's storage and never leaves your device unless you export it yourself.
- We don't sell data to anyone, ever. There is no advertising network, no data broker, no affiliate tracking.
- We don't collect payment card numbers or billing addresses — those go directly to Polar.sh, our payment processor.
- We don't access your YouTube data, Google contacts, calendar, drive, or any other Google service.
How we use what we collect
We use the data above only to:
- Sign you in and keep you signed in.
- Determine whether your account has Full Access — via an active subscription, a lifetime purchase, or a complimentary grant — so we can unlock the right features.
- Understand how the App is being used in aggregate, so we can fix bugs and improve performance.
How long we keep your data
We keep your account identifier and entitlement record for as long as your account exists. Lifetime purchases in particular mean we retain enough information to recognize you the next time you sign in, even years later. You can ask us to delete your account at any time (see below).
Sessions expire on their own schedule and are renewed automatically when you sign in again.
Who we share data with
We share data only with the service providers needed to run the App:
- Supabase Inc. — provides authentication and hosts our database (account identifiers, entitlement records, and cloud saves).
- Polar Software Inc. (Polar.sh) — processes payments as our merchant of record and handles checkout, receipts, invoices, and subscription management under its own privacy policy.
- Google LLC — provides the optional "Sign in with Google" flow.
- Vercel Inc. — hosts the App, its APIs, and the analytics described above.
We do not share your data with anyone else. We do not sell it. We do not use it for advertising.
Your rights
You have the right to:
- Ask what personal information we hold about you.
- Request that we correct or delete your information.
- If you used Google sign-in, revoke the App's access to your Google account at any time through your Google Account permissions page.
- Withdraw consent at any time, which you can do by signing out (and, for Google sign-in, revoking access as above).
To exercise any of these rights, email privacy@40-carrot.app. We'll respond within 30 days.
Google API Services User Data Policy
If you sign in with Google, 40 Carrot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We receive only your basic profile (Google user ID, email address, and display name) for authentication, use it for no other purpose, do not transfer it to third parties except as necessary to provide the App, do not allow humans to read it except with your explicit consent or as required by law, and do not use it for serving advertisements.
Children
40 Carrot is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us information, email privacy@40-carrot.app and we will delete it.
Changes to this policy
If we make material changes to this policy, we'll update the "Last updated" date at the top of this page and, where appropriate, notify signed-in users the next time they open the App.
Contact
Questions about this policy, or about how we handle your data, can be sent to privacy@40-carrot.app or by mail to the address listed above.