Privacy Policy - The Scholar's Grid
The Scholar's Grid ("the app", "we") is a mobile board-game app published by the project owner. This policy describes what data the app collects, why, and your choices.
Summary
| Data | Purpose | Required for |
|---|---|---|
| Federated sign-in (Apple / Google via Cognito) | Online play, Standings, cloud cosmetic and Scholar's Marks sync | Online features only |
| Match and ELO records | Async online matches and global Standings | Rated online play |
| Push notification token (Android FCM) | Notify you when it is your turn | Online play (optional fallback: polling) |
| Local game settings and AI skill progress | Offline play and Adaptive AI | Local play |
| Personalization progress | Board/piece skins and local-first Scholar's Marks with signed-in recovery | Personalization |
Local play (vs AI or Pass and Play) does not require an account.
Information we collect
Account and authentication
When you use online features (Find Online Match, Standings, or cloud Personalization sync), the app opens Amazon Cognito Hosted UI with federated sign-in:
- Sign in with Apple (where available)
- Google Sign-In
We receive a Cognito user identifier (sub) and session tokens. We do not
operate a separate email/password login. Identity providers may share profile fields allowed by your IdP
settings;
we use the Cognito sub as your player ID on our backend.
Session tokens are stored locally on your device (for example cloud_session.json)
so you do not need to sign in every launch.
Online play and Standings
When you play rated async matches online, our AWS backend stores:
- Match state (board position, turn, game type)
- Player IDs for both sides
- Per-game ELO ratings for Standings
- Match status and turn/clock expiry metadata
Standings show display names and ELO as returned by the API. Adaptive Skill Level (local AI difficulty) stays on your device and is not uploaded to Standings.
Push notifications (Android)
If you grant notification permission and play online on Android, the app registers an FCM device token with our backend so we can alert you when it is your turn. You can disable notifications in system settings; the app still works via periodic polling.
Personalization and Scholar's Marks
The Personalization panel offers cosmetic-only items (board skins and piece sets). Gameplay is never locked behind payment.
- Scholar's Marks are earned through completed matches, wins, daily bonuses, and one-time achievements
- The local-first Marks wallet and daily reward counters are stored in a signed
economy.json - When you sign in, cumulative Marks earned and spent are stored in your Player record so the balance can merge and recover across devices
- Owned cosmetic IDs are stored in our Player record and synced when you sign in
The app does not include ads or an ad SDK, and does not collect advertising data.
Local data on your device
The app may store locally:
- Game settings (audio levels, haptics, language preference, capture mode)
- Adaptive AI skill profiles per game
- Owned/equipped cosmetics (
cosmetics.json) - Scholar's Marks balance and reward counters (
economy.json) - Paid expansion entitlements (
entitlements.json) - Cached cloud session tokens
This data stays on your device unless you sign in and use cloud sync. Owned cosmetic IDs and cumulative Scholar's Marks earned/spent totals then sync to your Player record; daily reward counters stay local.
How we use information
- Run async online matches and validate moves on our servers
- Maintain Standings (ELO leaderboards) per game
- Send turn notifications when you are the active player in an online match
- Sync cosmetic ownership across devices when signed in
- Merge and recover Scholar's Marks across signed-in devices
- Improve reliability and prevent abuse of online APIs
We do not sell personal data. We do not use LLM or active third-party ad networks.
Legal bases and retention
- Online play: necessary to perform the service you request (matchmaking, move validation, Standings)
- Push tokens: legitimate interest in timely turn alerts; you may disable notifications
- Personalization: legitimate interest in persisting play-earned cosmetic progress locally and fulfilling cloud ownership and Scholar's Marks sync when you sign in
Match and player records are retained while your account is active and as needed for Standings integrity. See Account and data deletion to request removal.
Account and data deletion
If you signed in for online play, you may request deletion of your cloud account and associated data. Local-only play does not create a cloud account.
What we delete
When we process a verified request, we delete or anonymize:
- Your Cognito user record (federated sign-in identity)
- Your Player profile on our servers (ELO ratings, owned cosmetics, and Scholar's Marks totals)
- Registered push notification tokens linked to your account
Completed match history may be retained in anonymized form where needed for Standings integrity, or deleted where applicable law requires.
What stays on your device
Local files (settings, Adaptive AI skill profiles, session cache) are not removed by us automatically. Sign out in the app, or clear app storage in Android Settings, to remove local data on your device.
How to request deletion
Email us from the address tied to your sign-in provider (Google or Apple), if possible. Include:
- Subject line: Account and data deletion request
- The Google or Apple account email you used to sign in
- Confirmation that you want your online account and associated cloud data deleted
Request by email: papersignalstudios@gmail.com
We aim to complete verified requests within 30 days.
Third-party services
| Provider | Role |
|---|---|
| Amazon Web Services (Cognito, API Gateway, Lambda, DynamoDB, SNS) | Auth, game API, storage, notifications |
| Apple / Google (federated IdP) | Sign-in when you choose Hosted UI |
| Google Firebase Cloud Messaging | Android push delivery |
Each provider has its own privacy policy governing identity and notification flows.
Children
The app is intended for a general audience. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA) without appropriate consent. Contact us if you believe a child has provided data through online sign-in.
Security
We use HTTPS for API calls and Cognito-issued JWTs for authenticated requests. No system is perfectly secure; report concerns to the contact below.
Your choices
- Play offline: no account required
- Sign out: clears local session; online features require sign-in again
- Notifications: disable in OS settings
- Personalization: spend play-earned Scholar's Marks on optional cosmetics
- Ads: none (no ad SDK)
- Delete account: request cloud account and data deletion
Changes
We may update this policy. The "Last Updated" date will change. Material changes may be noted in release notes or the store listing.
Contact
Email: papersignalstudios@gmail.com
Developer / Data controller: Paper Signal Studios