Gallery Gambit
← Back

Privacy Policy

Last updated: May 19, 2026

Who we are

This privacy policy describes how Four Suit Studio (Robin Stokkel, "we", "us", "our") collects, uses, and shares information when you use the Gallery Pass application at pass.gallerygambit.com (the "Service"). Gallery Pass lets fans complete challenges, earn Prestige, unlock prizes, and track their progress on a leaderboard for Gallery Gambit.

For privacy questions, contact us at robin@foursuitstudio.com.

Information we collect

We collect the following categories of information:

  • Account information. Your email address, used to authenticate you and send a magic login link. If you sign in with Google or Apple, we receive your email address and display name from that provider. We do not store passwords.
  • Activity data. Challenge progress, Prestige earned, prizes redeemed, daily login streaks, trivia answers, achievements unlocked, and your position on the leaderboard.
  • Discord data (optional). If you connect your Discord account to complete the "Join the Discord" challenge or redeem a Discord role prize, we receive your Discord user ID and verify that you are a member of our server. With your permission (via the Discord OAuth consent screen), our bot may assign you a role on our server when you redeem a corresponding prize. You can disconnect Discord by contacting us.
  • Newsletter signup (optional). If you complete the "Join the newsletter" challenge, your email address is sent to our email provider Kit (formerly ConvertKit). Kit becomes the controller of that email for newsletter purposes. You can unsubscribe at any time via the link in any newsletter email.
  • Kickstarter data. When you complete the "Follow on Kickstarter" or "Back on Kickstarter" challenges, we record that you self-reported the action. We do not access your Kickstarter account; verification is self-declared.
  • Technical data. Standard server logs (IP address, user agent, request timestamps) used to operate, secure, and debug the Service.
  • Cookies and session storage. We set a small number of cookies to keep you signed in (Supabase session tokens) and to remember UI preferences. We do not use third-party advertising or cross-site tracking cookies.

How we use your information

We use the information we collect to:

  • Create and manage your fan account.
  • Verify challenge completion and credit Prestige, achievements, and prizes.
  • Display your position on the leaderboard.
  • Communicate with you about the Service (account notifications, support).
  • Detect, investigate, and prevent fraud or abuse of the Service.

How we share information

We do not sell your personal information. We share data only with the following service providers, who process it on our behalf to operate the Service:

  • Supabase — authentication, database storage, and session management. Data is stored in the EU region. See supabase.com/privacy.
  • Vercel — application hosting, edge delivery, and cookieless web analytics (page view counts, country-level location, device type — no individual user is identified). See vercel.com/legal/privacy-policy.
  • Kit (ConvertKit) — newsletter delivery, if you subscribe via the newsletter challenge. See kit.com/privacy.
  • Discord — Discord OAuth + bot interactions, if you connect your Discord account. We send your Discord user ID and the server/role IDs to Discord; Discord sends us your guild membership status and (with your consent) lets our bot assign you a role. See discord.com/privacy.

We may also disclose information when required by law, to enforce our terms, or to protect the rights, property, or safety of the Service, our users, or others.

How long we keep your data

We retain your account data and activity history for as long as necessary to provide the Service and comply with our legal obligations. When you request deletion, we remove your personal data within 30 days, except where retention is required by law.

Your rights and choices

Depending on where you live (including under the GDPR if you are in the EU/EEA), you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your information (the "right to be forgotten").
  • Restrict or object to certain processing.
  • Receive a copy of your data in a portable format.
  • Opt out of marketing communications.

To exercise any of these rights, contact robin@foursuitstudio.com. We will respond within 30 days.

To delete your account, email us and we will permanently remove your fan account and associated data.

Data security

We implement appropriate technical and organizational measures — including encryption in transit, restricted server access, and short-lived session tokens — to protect your personal information. No system is perfectly secure, but we work to minimize risk and will notify you promptly of any incident that affects your data.

Children

The Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us so we can delete it.

International data transfers

Four Suit Studio is based in the Netherlands. Our service providers may process data in the United States and other countries. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border data transfers.

Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated via the Service or by email.

Contact

For privacy questions, requests, or concerns:

© 2026 Four Suit StudioPrivacyTerms