LexiMint
LM
GamesStatsShopGame guide
Sign in
LexiMint

A seasonal word ticket game. Submit words, collect rare tickets, climb the leaderboard.

v0.11.2 · ALPHA
Explore
Game guideGamesGalleryLeaderboardsChangelogDiscord
Legal
Privacy policyTerms of serviceCookies policyContact us
© 2026 LexiMint
  • Home
  • Games
  • Gallery
  • Stats
  • Shop
  • Sign in

      Privacy policy

      LexiMint respects your privacy and complies with the General Data Protection Regulation (GDPR). This policy explains what data we collect, why we collect it, and what rights you have over it.

      Effective 2026. Applies to all LexiMint services

      1. What we collect

      Account information

      Provided when you create an account.

      You can sign in with GitHub, Google, Discord, a magic link sent to your email, or a traditional email and password. We store your email address, display name, and profile avatar. If you use email and password, we store a securely hashed version of your password, never in plain text. OAuth providers only grant us access to your basic profile (name, email, avatar).

      Gameplay submissions

      Words you submit to the lexicon.

      Any words you submit become part of the shared public lexicon. Your submissions are associated with your account for leaderboard attribution, ticket ownership, and mastery tracking.

      Optional analytics

      Only with your explicit consent.

      With your consent, we use PostHog for product analytics. PostHog is only initialized after you grant analytics consent. It is never loaded by default. It is not used for advertising. Manage your preferences.

      Optional ad measurement

      Only with your explicit marketing consent.

      If you grant marketing consent, we load Google Ads measurement to understand whether paid ads bring visits to LexiMint. It is never loaded before that consent, and you can withdraw consent at any time from the cookies page.

      First-party acquisition logs

      Minimal campaign diagnostics without cookies.

      When a visit arrives with campaign parameters such as UTM tags or known ad click markers, we store a minimal first-party log to check whether paid or community traffic actually reached LexiMint and where the signup funnel drops off. This log stores campaign buckets, referrer host, page path, CTA or outcome buckets, device class, browser family and operating-system family. When infrastructure headers provide it, it also stores a coarse two-letter country code. It does not store IP addresses, cookies, user IDs, emails, full URLs, raw user-agent strings, raw ad click IDs or precise location.

      Error monitoring

      Stability monitoring with privacy safeguards.

      Sentry captures anonymous crash reports to help us maintain application stability. This runs under GDPR legitimate interest (Art. 6(1)(f)). By default, no personally identifiable information is collected: emails are stripped, IP addresses are discarded, and sendDefaultPii is disabled. If you grant error monitoring consent, we additionally attach your anonymous user ID (not your email or username) to help us diagnose user-specific issues.

      Feedback reports

      When you submit feedback or bug reports.

      If you use the feedback widget, your message and optional screenshot are stored. Screenshots are uploaded to Cloudflare R2 (object storage). Feedback is linked to your account but this link is removed if you delete your account.

      Email communications

      System emails and alpha updates you may receive.

      We use Postmark to send transactional emails: email verification, password resets, magic link sign-in, and game achievement notifications (e.g. legendary discoveries). These are operational emails and contain no tracking pixels.

      During the private alpha, we may also send rare product-status updates about active seasons, live events, major onboarding improvements, or feedback requests. These updates use Postmark's broadcast stream, include an unsubscribe link, and are not used for third-party advertising.

      2. How we use it

      Your data is used exclusively to operate LexiMint: maintaining your account, attributing your word discoveries and tickets, running leaderboards, powering the mastery and mission systems, sending transactional emails, sending rare alpha status updates when relevant, measuring whether paid or community traffic reaches the landing page and moves through the signup funnel, and improving the stability and fairness of the game.

      We do not sell your data. We do not share gameplay or account data with ad networks. If you grant marketing consent, Google Ads receives basic ad measurement signals so we can understand whether paid ads work.

      3. Third-party services

      Always active (legitimate interest)

      Railway

      Hosting and infrastructure

      Runs our application server, background workers, WebSocket server, PostgreSQL database, and Redis instance. Data is stored in managed environments.

      PostgreSQL

      Game data and accounts

      Stores all game data, accounts, tickets, submissions, and achievement progress in a managed cloud database.

      Redis

      Rate limiting, caching, and real-time

      Used for rate limiting, stamina management, echo pools, and real-time pub/sub for notifications. Connected via direct TCP. No personal data is persisted, only operational counters and transient game state.

      Sentry

      Error monitoring (always active)

      Captures anonymous crash reports to maintain application stability. Runs under legitimate interest. No PII is collected by default. User ID attachment requires your explicit consent.

      Cloudflare Turnstile

      Bot protection

      A privacy-preserving CAPTCHA alternative used to verify that form submissions come from real humans, not bots. Turnstile does not use visual puzzles. It runs silently in the background.

      Postmark

      Transactional email delivery

      Delivers system emails (verification, password reset, magic link, achievement notifications). Your email address is shared with Postmark solely for delivery. No tracking pixels or marketing.

      Cloudflare R2

      Object storage

      Used to store feedback report screenshots uploaded by users. Files are stored securely and are not publicly accessible.

      Only with your consent

      PostHog

      Product analytics (opt-in)

      Helps us understand how players discover and use LexiMint. Only initialized after you grant analytics consent. The PostHog script is never loaded without your opt-in. You can withdraw consent at any time.

      Google Ads

      Ad measurement (opt-in)

      Measures whether paid Google traffic reaches LexiMint and how those visits perform at a basic level. The Google tag is only loaded after you grant marketing consent. You can withdraw consent at any time.

      Sentry user identification

      Enhanced error context (opt-in)

      If you grant error monitoring consent, your anonymous user ID (never email or username) is attached to crash reports, helping us diagnose user-specific issues more effectively.

      4. Your rights under GDPR

      Your rights at a glance

      Access

      Request a copy of your personal data.

      Rectification

      Ask us to correct inaccurate information.

      Erasure

      Delete your account and personal data.

      Restriction

      Ask us to pause processing of your data.

      Portability

      Download your data as a portable JSON file from your profile settings.

      Objection

      Object to certain types of processing.

      Downloading and deleting your data

      Self-service exports and the 30-day deletion grace period.

      You can download a complete copy of your personal data (account, wallet, tickets, submissions, mastery progress, notifications) at any time from your profile settings in a machine-readable JSON format. This satisfies your right to data portability under GDPR Article 20 without requiring you to contact us.

      You can also request deletion of your account from the same page (Danger zone). Deletion is not immediate: your account enters a 30-day grace period during which it is inactive but recoverable. You will receive a confirmation email with the date of permanent erasure. If you sign in within 30 days and click Restore, the deletion is cancelled.

      After the 30-day window, the erasure is finalized: name, email, avatar, sessions, wallet, badges, and notifications are permanently removed. Your authored words and tickets remain in the public lexicon under anonymous ownership, preserving the game history for all players. Where required by law (for example, retention of billing records under EU tax obligations for FOIL purchases), minimal accounting data may be retained in anonymized form.

      For any GDPR request you cannot perform self-service, contact us via the contact page or at [email protected].

      5. Questions

      Privacy questions can be sent to [email protected] or via the contact page. We aim to reply within 48 hours on working days.