How we protect studios and playtesters.
A plain-English summary of the data we collect, the security controls we have enabled today, and how to reach us with privacy or security questions.
This page is maintained by the GameXcel team to answer common security and privacy questions about GameXcel. It describes practices and platform capabilities that are enabled today; it is not an independent certification, audit report, or legal commitment.
GameXcel runs on the Lovable Cloud platform (managed Supabase + serverless edge runtime). Security is a shared responsibility: Lovable Cloud operates the underlying infrastructure, the GameXcel team configures application controls, and customers (studios and playtesters) are responsible for protecting their account credentials.
Only the right people reach the right data.
Accounts are protected with email + password or Google sign-in. Sessions are issued and refreshed by the Lovable Cloud auth service.
Every database table that holds user data has row-level security enabled. Policies scope reads and writes to the signed-in user, studio members, or project members — never "everyone".
Roles (playtester, studio, admin) are stored in a dedicated role table and checked server-side. Clients cannot grant themselves elevated privileges.
What we store, and why.
Email, display name, optional avatar, optional country and bio. Used to identify you in the app and to match playtesters with relevant projects.
Applications, invites, feedback you submit, ratings, XP and reward-point balances, and messages exchanged inside a project thread. Visible only to participants of that project.
Studio name, slug, logo, plan tier, project briefs, build URLs and requirements. Visible to studio members; public project listings show only marketing-safe fields (title, summary, platforms, genres, studio name and logo).
If you fill the early-access form, we store the fields you provide (name, email, audience, optional studio or platform info). Only admins can read these records.
Where GameXcel runs.
GameXcel is hosted on Lovable Cloud, which runs the application on a managed serverless edge runtime and stores data in managed Postgres (Supabase).
All traffic between your browser and GameXcel is served over HTTPS/TLS.
API keys and service credentials are stored as platform secrets and only read by trusted server-side code. They are never exposed to the browser bundle.
Subprocessors used today include Lovable Cloud (hosting), Supabase (database & auth), and the Lovable AI gateway (used to generate playtest summaries when a studio runs the AI insights feature). Studios that connect optional integrations are responsible for those providers' terms.
What runs in your browser.
We use browser storage to keep you signed in. These are required for the app to function and cannot be disabled without signing out.
The early-access form includes an explicit marketing-consent checkbox. We only send marketing emails if you opt in, and you can ask us to remove you at any time.
Your data, your choice.
Account, profile and playtest activity are kept while your account is active. Email us to request export or deletion of your account data and we will action it within a reasonable timeframe.
Studios can archive projects from the studio dashboard. Archived projects are hidden from playtester discovery; full deletion is available on request.
Reach the GameXcel team.
Email privacy@gamexcel.app for data export, correction, or deletion requests.
Suspected vulnerability? Email security@gamexcel.app with steps to reproduce. Please do not publicly disclose until we've had a chance to respond.
This page is editable content owned by GameXcel and will evolve as the product matures. If you spot something inaccurate, let us know at the address above.