Privacy Policy
Last updated: June 2026
What We Collect and Why
Account data. You can sign in two ways: with Google or Discord (OAuth), or with a magic link sent to your email. Either way we store your email address. When you create a profile you also choose a username and display name, pick or generate an avatar, and can add a short bio. We use this only to log you in and to show your public profile. We never sell your data, and we only share it with the service providers listed under “Third-Party Services”.
What's public. Combalo is a social platform, so some things are public by design: your profile (username, display name, avatar, bio), and any combo you set to “Public” or “Unlisted”, along with its comments, likes, follower/following counts and view count. Combos set to “Private” are visible only to you.
Your Content
The combos, comments, likes, follows and tags you create are stored in our database (Supabase PostgreSQL). This is user-generated content that you control: you can edit or delete your combos and comments at any time. Each combo has a visibility setting — Public, Unlisted, or Private — that controls who can see it (see “What's public” above).
Feedback and Reports
If you send us feedback through the in-app form, we store your message, the category you pick, the page you were on, and — if you're signed in — your user ID, so we can follow up and improve the app. If you report a combo or comment, we store who reported it, what was reported, and the reason, so our admins can review it. To prevent spam, feedback submissions also store a one-way hashed (SHA-256) form of your IP address — never the raw IP — used solely to enforce a short rate limit. Please don't include sensitive personal information in free-text feedback or reports.
Card Data
Card names, images and game data come from a community dataset (the TakaOtaku GitHub repository) as static JSON, and card images may be resized through an image proxy (images.weserv.nl). We don't send your account data to either, but — like any web request — the image proxy receives the IP address of your browser when it loads an image. Digimon, card names and card art are © Bandai; Combalo is unofficial fan content and is not affiliated with or endorsed by Bandai. See our Terms for the full IP and takedown policy.
Analytics
We use a few privacy-friendly tools to understand how Combalo is used:
- Vercel Web Analytics — page views, referrers and visitor counts, so we know which pages are popular. Cookieless and aggregated.
- Vercel Speed Insights — performance metrics like page load times (Core Web Vitals), so we can keep the app fast. Cookieless and aggregated.
- Our own event tracking — a lightweight, first-party tracker that records anonymous product events (for example, when a combo is viewed) and per-combo view counts that power features like “Trending”. To count each viewer only once per hour without identifying anyone, a signed-in viewer is keyed by their account ID and an anonymous viewer by a one-way hash of their IP address — we never store the raw IP. It does not set tracking cookies and does not build advertising profiles.
None of these set tracking cookies or share data with advertisers. The Vercel products are designed to comply with GDPR without requiring consent.
Cookies and Local Storage
Combalo does not use tracking or advertising cookies, and our analytics are cookieless. The only cookies we set are the ones required to keep you logged in.
Essential cookies
- sb-* (Supabase Auth) — secure, httpOnly session cookies that keep you signed in. Essential; cleared when you sign out or the session expires.
Browser local storage (not cookies, never sent to our servers)
- combalo_cookie_consent — remembers that you've seen this cookie notice.
- combalo-storage — your in-app and social state (current user, cached combos).
- card data cache — Digimon card metadata cached for up to 1 hour so the app loads faster.
- feedback cooldown — prevents accidental duplicate feedback submissions.
Because every cookie we set is strictly necessary and our analytics set no cookies, no consent is required under EU ePrivacy rules — the banner is a notice, not a request for consent. If we ever add non-essential cookies, we'll ask for your consent first and give you a way to refuse.
Third-Party Services
We rely on a small number of trusted providers:
- Supabase (database, authentication) — stores your account and content data.
- Vercel (hosting, analytics, performance) — serves the app and collects anonymous, cookieless analytics.
- Google / Discord (sign-in) — if you log in with them, they handle authentication and share your basic profile (name, email, avatar) with us.
- images.weserv.nl (image resizing) — proxies card images; receives your IP address when an image loads.
- TakaOtaku GitHub (card data) — static data fetched by your browser; no account data is sent.
Some of these providers may store or process data outside the EEA (see “International Transfers”).
Legal Basis for Processing
We process your personal data on these grounds:
- Providing your account and the service (login, profile, saving and showing your combos) — performance of our agreement with you.
- Security, moderation and analytics (keeping the platform safe, reviewing reports, understanding usage) — our legitimate interests; you can object to this (see your rights below).
- Optional communications, where applicable — your consent, which you can withdraw at any time.
Your Rights (GDPR)
If you're in the EEA/UK you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate profile data (much of it you can edit directly in your profile).
- Erasure — delete your combos and comments yourself, and request full account deletion by email.
- Portability — request a machine-readable export of your data.
- Restriction & Objection — ask us to limit, or object to, processing based on our legitimate interests (such as analytics).
- Withdraw consent — where we rely on consent, withdraw it at any time.
- Complain — lodge a complaint with your local Data Protection Authority if you think we've mishandled your data.
To exercise any of these, email privacy@combalo.com.
International Transfers
Some of our providers (such as Supabase and Vercel) may store or process data on servers outside the European Economic Area, including in the United States. Where that happens, we rely on appropriate safeguards — such as the providers' Standard Contractual Clauses or equivalent — to protect your data.
Data Retention
- While your account is active: we keep your account and content data so the service works.
- Content you delete: combos and comments you remove are first soft-deleted (hidden) and then permanently purged on a periodic basis.
- Account deletion: you can request full deletion of your account by emailing us; we'll remove your associated personal data within 30 days, except where we're required to keep something to comply with the law.
- Feedback and reports: kept for as long as we need them to handle your request or for moderation, then deleted.
- Analytics: aggregated and retained per our providers' standard retention periods.
Age
Combalo is intended for users aged 13 and over. We don't knowingly create accounts for, or collect personal data from, children under 13. If you believe a child has provided us with personal data, contact us and we'll remove it.
Contact
Combalo is operated by Luigi Funaro (an individual, in the EU), the data controller for the purposes of this policy. Questions about your data, or to request access, export or deletion? Email us at privacy@combalo.com or use the in-app feedback form.
Changes
We may update this policy as Combalo evolves. Any changes will be reflected in the “Last updated” date at the top of this page.