Privacy Policy

Effective date: May 27, 2026 · Tabaconda LLC

Joyantenna is a browser-based arcade made by Tabaconda LLC (a Florida single-member LLC owned by Sean Hayward). This policy explains what information we collect when you visit joyantenna.com or create an account, how we use it, and the choices you have.

1. Who we are

Tabaconda LLC · Florida, USA · [email protected]

2. What we collect

We keep this list short on purpose.

Account data: If you create an account, we store your email address, a hashed birth-month-and-year (used only for COPPA age gating — we do not store your full birthday), a display name you choose, and a Nakama user ID. Passwords are stored as bcrypt hashes.
Game data: Scores, play-session timestamps, in-game currency balances, and cosmetic ownership. This data is tied to your Nakama user ID.
Early-access email: If you submit your email on the landing page before launch, we store that address in a Nakama storage collection called notify_list. We use it for exactly one purpose: to tell you when Joyantenna is on the air.
Technical logs: Server-side request logs. Client IP addresses are hashed at the edge before storage. We do not retain raw IPs.
Cookies: Session cookies only (see our Cookie Policy). No advertising trackers. No cross-site pixels.

We do not collect payment information (no purchase path exists). We do not embed social-login buttons, ad-network pixels, or third-party analytics SDKs.

3. Children under 13 — COPPA disclosure (and under 16 in the EU)

Joyantenna asks for birth month and year before account creation. We do not ask for the day of birth — only the month and year, which is enough for age verification and is stored only as a one-way hash (SHA-256 with a per-user salt). The raw value is discarded immediately after the check.

If the age gate determines a user is under 13 (US) or under 16 (EU/EEA detected by device timezone):

No full account is created. The user may play every game as a guest — no personal data is retained beyond an anonymous session identifier that expires when the browser tab is closed.
The user may request a parent or guardian receive a consent email. We collect the parent’s email address for this sole purpose. The email contains a single-use confirmation link valid for 48 hours.
If the parent confirms, we create a minor account with the following restricted data profile: a hashed birth month-year, a display name chosen by the child, game scores, in-game currency balance (coins/gems earned by playing — no real money), and cosmetic ownership. No real name, no address, no payment information.
Minor accounts have the following features permanently disabled: in-game chat, public username on leaderboards, and real-time multiplayer.
The parent’s email address is deleted from our systems after consent is confirmed (or after the 48-hour window expires unused). We do not use it for marketing.

We do not knowingly collect personal data from children under 13 without verifiable parental consent. If a parent or guardian believes we have inadvertently collected personal data from a child under 13 without consent, please contact us immediately at [email protected] and we will delete it within 5 business days. See our dedicated COPPA Notice for the full parental consent process.

4. How we use your data

Operate the game: authenticate you, persist scores, award currency.
Send the one launch notification email (early-access list only).
Detect abuse or cheating (score plausibility checks, rate limiting).
Comply with legal obligations.

We do not sell, rent, or broker your personal data. Full stop.

5. Data retention

Active accounts (adult and verified minor): retained while your account exists.
Deleted accounts: all personal data purged within 30 days of a verified deletion request.
Minor accounts awaiting parent consent: the anonymous session and pending consent record are purged automatically after 48 hours if the parent does not confirm. No personal data about the child is retained after that window.
Verified minor accounts: retained until a deletion request is made by the parent/guardian or the account holder (once of age). Parent contact email used for consent is deleted immediately after the consent record is confirmed.
Guest/anonymous sessions: anonymous session data expires after 24 hours.
Early-access emails: deleted after the launch notification is sent, unless you create an account.
Server logs: 14-day rolling window. IP addresses are hashed before storage.

6. Your rights

Depending on where you live, you may have the right to access, correct, delete, or export the personal data we hold about you. Email [email protected] with the subject line "Data Request" and we will respond within 30 days. Account holders can also trigger a data export or deletion directly from the Profile page once the site launches.

7. Security

All traffic is encrypted in transit (HTTPS via Cloudflare). Passwords are hashed with bcrypt. Database backups are encrypted at rest. We run on a private VPS with no public database port. We use Cloudflare WAF and rate-limiting rules to protect the API.

8. Third parties

We use Cloudflare for DNS, CDN, and tunnel routing (their privacy policy: cloudflare.com/privacypolicy). We do not use any other third-party services that receive your personal data in connection with Joyantenna.

9. Changes to this policy

We will update this page when anything meaningful changes. The effective date at the top tells you when the last revision was made. If you have an account, we will notify you by email of any material changes.

10. Contact

Questions? [email protected] or use the contact form.