Privacy Policy

1. Who we are

The Extra Turn desktop application and the extraturn.ggwebsite (together, the “Service”) are operated by 3-102-938708 SRL(“we”, “us”, or “our”), a sociedad de responsabilidad limitada organised under the laws of Costa Rica, with registered office at Costa Rica (registered office on file with the Registro Nacional). For questions about this policy you may reach our privacy contact at privacy@extraturn.gg.

2. Scope and definitions

This Privacy Policy describes how the Service collects, uses, discloses, and protects information from individuals located anywhere in the world (“you”, “user”). It applies to the desktop app (Windows today, additional platforms as released), the marketing website, the user account portal, and any related emails or in-app notices.

“Personal information” means any information that identifies or could reasonably be used to identify you. “Process” covers any operation performed on personal information (collection, storage, use, disclosure, deletion). Where local law (such as the EU General Data Protection Regulation, the UK GDPR, the California Consumer Privacy Act as amended by the CPRA, the Costa Rica Ley de Protección de la Persona frente al Tratamiento de sus Datos Personales No. 8968, or similar regimes) grants you stronger rights, those rights apply on top of what is described here.

3. Information we collect

3.1 Information you provide

• Account identifiers. When you create a paid account we collect the email address you sign up with, a securely hashed password (or magic-link / OAuth token, depending on the sign-in method you choose), and your billing country.
• Subscription & payment data. Billing is handled by our payment processor. They share with us a customer identifier, your subscription state (active, trial, past-due, cancelled), the last four digits of your card and the card brand, and your invoice history. We never receive or store your full payment-card number, CVC, or bank credentials.
• In-app username. You may enter your in-game username inside Settings so the app can attribute log lines to you. It is stored locally in your %APPDATA%\ExtraTurn\tracker_config.json file and is not transmitted to us.
• Support communications. If you write to us, we keep your message, our reply, and metadata about the conversation (timestamps, your email address).
• Voluntary content.Anything you post in our community channels (e.g. Discord, GitHub Issues) is subject to those platforms' own privacy policies.

3.2 Information collected automatically

• Game client log file contents.The app reads the game client's log files on your computer (for example, mtgo.log and Match_GameLog_*.dat) to compute your decklist, remaining cards, draft picks, and match outcomes. This data is processed locally and is not transmitted to us unless you opt in to anonymous telemetry described below.
• Crash reports. If the app crashes, an error report is sent to Sentry. The report contains a stack trace, the app version, your operating-system version, a random anonymous installation identifier, and at most the non-content metadata needed to reproduce the bug. Crash reports do not include your username, card data, decklists, or any in-game chat. You can turn crash reporting off in Settings.
• Opt-in usage telemetry.If — and only if — you enable telemetry in Settings, the app sends us anonymous events describing how features are used (for example, “match tracker opened”, “draft completed for set X”, “deck builder closed”), aggregate performance metrics (startup time, log parse rate), and the app version + OS. These events are tied only to a random installation ID generated on your device; we do not collect identifying card-by-card data, in- game usernames, opponent names, or chat through this channel.
• Website analytics. extraturn.gg uses Plausible Analytics, a privacy-focused analytics product that does not use cookies and does not collect personal information. It records aggregate page views, referrer, browser family, and country derived from your IP address. The IP is not stored.
• Server logs. Routine server logs of API requests (timestamp, endpoint, status code, request ID) are retained for security and debugging. Logs are deleted after 30 days.
• Device technical attributes for licensing. Paid accounts are activated against a small number of devices. The app generates a one-way hash from non-PII technical attributes (such as machine SID, CPU class, and OS install ID) and sends the hash — not the raw values — to our license service. You may deactivate a device at any time from your account portal.

3.3 Information from third parties

We may receive information from:

• our payment processor — limited billing information described in section 3.1.
• Single sign-on providers (if you choose to sign in with Google, Discord or similar) — only the email address and, where applicable, profile name returned by their OAuth scopes.
• Fraud-prevention providers embedded in the checkout flow of our payment processor — risk scores and verification outcomes, only when an order is flagged.

3.4 Information we do not collect

• Your game-account password (we never see it).
• Opponent usernames or in-game chat (not parsed, not stored).
• Screen captures, keystrokes, microphone, camera, or clipboard contents.
• Files outside the specific log files the app is configured to read.
• Precise geolocation. We infer country from your IP for analytics and tax calculation only.
• Special-category personal data (health, biometrics, political views, etc.) — we have no use for it.

4. How we use information

We process your information for the following purposes:

• Provide the Service. Run the desktop app, manage your account, render decklists and match summaries, deliver features you have paid for.
• Process payments. Charge your subscription, issue invoices, prevent fraud, comply with anti-money-laundering and tax obligations.
• Communicate with you. Send service emails (receipts, password resets, security notices), respond to support requests, and — if you opted in — occasional product news.
• Improve the Service. Fix bugs from crash reports, prioritise features from opt-in telemetry, run aggregate performance analysis.
• Security and abuse prevention. Detect license abuse, rate-limit API endpoints, investigate suspected fraud or violations of our Terms of Service.
• Comply with law. Maintain accounting records for the period required by tax authorities, respond to lawful requests from public authorities.

5. Legal bases (EEA, UK, Switzerland)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR / UK GDPR / Swiss FADP:

• Performance of a contract — to provide the Service to you once you sign up or subscribe (Art. 6(1)(b) GDPR).
• Consent — for opt-in telemetry, optional marketing emails, and any non-essential cookies. You can withdraw consent at any time from Settings, your account portal, or by emailing us. Withdrawal does not affect prior lawful processing (Art. 6(1)(a), Art. 7 GDPR).
• Legitimate interests — for crash reporting limited to debugging, fraud prevention, securing our services, and aggregate analytics. We balance these interests against your rights (Art. 6(1)(f) GDPR). You may object at any time.
• Legal obligation — to retain billing records for tax and accounting compliance (Art. 6(1)(c) GDPR).

6. Cookies and similar technologies

The website uses only strictly-necessary technologies: a session cookie set after you sign in, and a CSRF protection token. We do not use advertising cookies. Analytics is provided by Plausible Analytics, which does not set cookies and does not track users across sites. Full details, including a per-category list, are available in our Cookie Policy.

7. Disclosure of information

7.1 Service providers (sub-processors)

We use a small number of vendors to operate the Service. Each processes personal data only on documented instructions and is contractually required to maintain confidentiality and security standards no less protective than ours.

We update this list when we add a sub-processor; subscribers will receive at least 30 days' notice of material changes.

7.2 Legal obligations

We may disclose information when we believe in good faith that disclosure is required to comply with a lawful request from a competent authority, to enforce our Terms of Service, to protect the security of our users, or to defend legal claims. We will challenge any request we consider to be overbroad and, where the law permits, notify affected users.

7.3 Corporate transactions

If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users and any new operator will be bound by privacy commitments no less protective than this policy.

8. International data transfers

The Service is operated from Costa Rica. Some of our sub-processors are located in the United States, the European Union, or other jurisdictions. For transfers from the EEA, UK or Switzerland to countries that the European Commission has not deemed adequate, we rely on the European Commission's Standard Contractual Clauses (2021/914) and complementary measures (encryption in transit and at rest, vendor security audits). You may obtain a copy of the relevant transfer mechanisms by writing to privacy@extraturn.gg.

9. Data retention

• Local data (config, ratings cache, deck and match history files on your computer) — kept on your device until you delete it. Uninstalling the app removes the program but leaves the data folder so you can re-install without losing history; delete %APPDATA%\ExtraTurn\ manually to remove it.
• Account & subscription records — kept while your account is active and for up to 7 years after closure to comply with tax, accounting, and consumer-protection record- keeping requirements in Costa Rica.
• Support tickets — retained for 24 months from the last interaction, then deleted or anonymised.
• Crash reports — retained for 90 days, then automatically deleted.
• Opt-in telemetry events — retained for 12 months at event level, then aggregated and deleted.
• Server logs — retained for 30 days.

10. Security

We protect personal information using industry-standard measures: TLS 1.2+ in transit, encrypted storage at rest, principle-of-least- privilege access controls, multi-factor authentication for staff, regular security reviews of dependencies, and segregated production environments. No system is 100% secure. If we discover a personal- data breach likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33 and 34 GDPR.

11. Your rights

Subject to the conditions set out in your local law, you have the following rights with respect to your personal information:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct inaccurate or incomplete data.
• Right to erasure(“right to be forgotten”) — request deletion, subject to legal retention obligations.
• Right to restriction — limit how we process your data in certain circumstances.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests.
• Right to withdraw consent — for any processing that relies on consent (telemetry, marketing).
• Right not to be subject to automated decision-making — we do not make automated decisions that produce legal or similarly significant effects on you.
• Right to lodge a complaint — with your local data-protection authority. In Costa Rica, that authority is the Agencia de Protección de Datos de los Habitantes (PRODHAB). EEA residents may complain to their national DPA. UK residents may complain to the ICO.

To exercise any of these rights, email privacy@extraturn.gg. We may need to verify your identity before acting on the request and will respond within 30 days, extendable by 60 days for complex requests.

11.1 California residents (CCPA / CPRA)

California residents have the right to know the categories of personal information collected and the purposes for which they are used; to know whether their personal information is sold or shared (we do not sell or share it); to delete personal information; to correct inaccurate information; to limit the use of sensitive personal information (we collect none); and to be free from retaliation for exercising these rights. The categories we collect are described in section 3 of this policy.

11.2 Residents of Costa Rica

Costa Rican residents have rights of access, rectification, cancellation, objection, and revocation of consent under Ley 8968. You may register a complaint with PRODHAB. Some processing may be subject to registration with PRODHAB's database registry; we will maintain such registrations as required.

12. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact privacy@extraturn.gg and we will delete it promptly.

13. Trademarks and third-party content

The Service is not affiliated with, endorsed by, or sponsored byDaybreak Game Company LLC, Wizards of the Coast LLC, Hasbro, Inc., or any other game publisher. Card names, set codes, mana symbols, and similar identifiers are the trademarks and copyrights of their respective owners and are referenced for interoperability and identification only. The Service reads the card-game client's log files on your computer and does not interact with the publisher's servers, modify the client, or interfere with gameplay.

14. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes (such as the introduction of a new category of personal information or a new processing purpose) will be announced via email (to subscribers), an in-app banner, and an updated effective date at the top of this page, at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

15. Contact

Privacy questions, complaints, and rights requests: privacy@extraturn.gg.
Other questions: support@extraturn.gg.
Postal mail: 3-102-938708 SRL, Costa Rica (registered office on file with the Registro Nacional).