Last updated: 2026-07-14
Framed is a local-area game you play with people you already know, over a fixed session (a "game"). This page explains what the app collects while you play, why, and when it's deleted. It applies to everyone who joins a game, host or not.
| Data | Encrypted before it reaches us? | Kept until |
|---|---|---|
| Display name | Yes | Game ends, or 24h, whichever first |
| Reference selfie | Yes | Game ends, or 24h, whichever first |
| Frame photos (the pictures you take of your target) | Yes | Game ends, or 24h, whichever first |
| Dead-chat messages | Yes | Game ends, or 24h, whichever first |
| Live GPS location | No — only last-known position is stored, never a movement history | Game ends, or 24h, whichever first |
| Push notification token | No | Game ends, or 24h, whichever first |
"Encrypted before it reaches us" means client-side end-to-end encryption: the game key is generated on the host's phone and shared with other players only through the join QR code or link, never sent to our server. We physically cannot read your name, selfie, frame photos, or dead-chat messages — we only ever store and relay opaque ciphertext for those. Location is the one exception: our server reads it in plain text because the game itself depends on it (see "Why we need your location" below).
A lobby that never starts a game expires sooner than 24 hours: the whole lobby is deleted after an hour of nobody in it being active, and an individual player who's gone quiet is dropped from an otherwise-active lobby after 15 minutes.
The server uses your GPS position, in plain text, to:
Only your most recent position is ever stored. There is no location history, no movement trail — each new update overwrites the last.
Consent. This page, and the shorter notice shown before you join a game, tell you what's collected and for how long before your selfie is ever taken. Joining a game is the consent action.
Leaving a lobby before the game starts deletes your data immediately. Leaving mid-game isn't possible the same way — going silent marks you MIA, and everything is wiped when the game ends (24 hours at the latest either way). That's the right to erasure, automated rather than requested.
Framed runs on a self-hosted Supabase instance in the EU. Your data doesn't leave the EU, and there's no third-party data processor involved beyond that hosting provider. Thanks to end-to-end encryption, even the hosting provider only ever holds unreadable ciphertext for the fields listed as encrypted above.
Push notifications (via Apple's APNs or Google's FCM) carry no readable content — only a bare wake-up signal (which kind of game event happened, and which game). The app decrypts and renders the actual notification text on your device, using the game key it already has. Apple and Google never see your name, a photo, or any other content through their push services.
No accounts, no ads, no third-party analytics or crash reporting of any kind. We don't know who you are beyond the display name you pick for a single game, and we don't want to.
Frame photos might catch people who aren't playing. Photograph your target, not crowds. Frame photos are deleted within 24 hours at the latest, same as everything else.
One anonymous row per finished game, with nothing that can be traced back to a player, a name, or a location:
create table aggregate_stats (
finished_on date not null,
player_count integer not null,
duration_minutes integer not null,
autocleaned boolean not null
);
That's it — when a game happened, how many people played, how long it lasted, and whether it was cleaned up automatically versus properly finished. No IDs, no names, no locations. Used only to see, in aggregate, whether the game gets played.
Framed is a hobby project. For questions about this policy or your data, open an issue on the GitHub repository.