HITAZOS
Privacy policy
Last updated: May 15, 2026
HITAZOS is a music-trivia platform operated by Marolabs. This page explains what data we collect, why we use it, and how you can exercise your rights.
What we collect
We store the minimum needed for the game to work. If you play anonymously: an anonymous identifier in a browser cookie (htz_player_id), your nickname if you enter one, your daily score and the date you played, and your consecutive-day streak. If you subscribe to the weekly email: your address and your player name. If you turn on push notifications: the endpoint your browser issues, the encryption keys for delivery (never the message content), the locale, and the user-agent of the browser you subscribed from. If you create an account: your email, a hashed password (stored by Supabase — we never see the plaintext), and optionally a nickname. If you subscribe to HITAZOS Pro: the internal id returned by the payment provider (Lemon Squeezy or Mercado Pago), the subscription status, and the end of the paid period. We never see or store your card data — the payment providers handle that directly. If an admin grants you the Supporter role (free Pro-equivalent access), we store your email, who granted it, and the reason; if it's granted before you have an account, we keep your email on a waitlist until your first sign-up. We also store a flag for when you completed the app's onboarding tour and, for Supporters, the date the invitation was last sent.
How we use it
Your anonymous identifier lets us show your score on the day's leaderboard and remember you've played. Your email (if you subscribe) is used only to send the weekly recap — we never sell or share it with third parties for commercial purposes. Your nickname appears on the public daily leaderboard and, if you play multiplayer, on the room podium. Pro subscription data is used only to validate that you have access to paid features. Push notifications are used exclusively to ping you when the day's hitazo drops.
Cookies and local storage
Cookies we set: htz_player_id (httpOnly, identifies your play session), htz_guest_id (ephemeral guest id for multiplayer rooms), hitazos_cookie_consent (remembers if you accepted the banner). In localStorage we save: htz_player_name (nickname across sessions), htz_streak_count and htz_streak_last_date (your streak), htz_subscribed_<locale> (marker that you're already subscribed by email so we don't show the popup again), htz_subscribe_dismissed_<date> (you closed the popup today), hitazos_push_cta_dismissed_at (you dismissed the push CTA — it won't show again for 14 days). If you accept the cookie banner we load Google Analytics 4 with IP anonymization, PostHog (funnel analytics) and Sentry (error capture); if you decline, no measurement scripts load at all.
Notifications
We offer two opt-in channels to remind you about the day's hitazo: browser push notifications (daily) and email (a Monday recap). They're independent — you can enable one, both, or neither. Push subscriptions can be managed from the Notifications section of your profile (toggle on/off for this device), by clicking "No thanks" on the prompt, or from the browser's notification settings. Push notifications are per-device. Email subscriptions can be cancelled with one click from the footer of any email (one-click unsubscribe compliant with RFC 8058). Unsubscribing is free and immediate on both channels.
Payments and the Pro subscription
HITAZOS Pro is an optional subscription that unlocks extra features. Billing is handled by two external providers depending on your region: Lemon Squeezy for users outside Argentina (charged in EUR) and Mercado Pago for users in Argentina (charged in ARS). We do NOT see or store your card data — each provider has its own privacy policy and complies with the relevant security standards (PCI-DSS). For each subscription we store only: the internal id (provider_subscription_id), the status (active, cancelled, expired), the paid-period end date, and which provider you used. You can cancel anytime from your Lemon Squeezy or Mercado Pago account — your Pro access stays until the end of the period you already paid for.
Third-party services
To deliver the service we rely on: Deezer (30-second song previews), Supabase (database where we store subscriptions, scores, and accounts), Resend (email delivery), Vercel (site hosting), Fly.io (realtime server for multiplayer), Lemon Squeezy (international billing), Mercado Pago (Argentine billing), push providers (Mozilla, Google FCM or Apple, depending on your browser) and, if you've consented, Google Analytics 4 (anonymous measurement), PostHog (funnel analytics) and Sentry (error capture). Each has its own privacy policy.
Your rights
You can unsubscribe from the weekly email with one click via the link at the bottom of every email, or switch to weekly-only / unsubscribe completely from the preferences page linked in each email. You can disable push notifications from your browser's notification settings. If you have an account you can permanently delete it from the "Danger zone" on your profile — this wipes your account, custom packs, Pro subscription, and stats. If you played anonymously (no nickname, no subscription, no account), clearing your browser cookies removes any trace tied to you. For requests you can't execute yourself, write to hola@hitazos.fun.
Retention
Daily scores are kept indefinitely so the historical leaderboard remains visible. Email subscriptions are kept until you unsubscribe; on unsubscribe we mark the row as cancelled (unsubscribed_at) but keep the email for a reasonable period to prevent an accidental re-signup from re-subscribing you. Push subscriptions are deleted automatically when the provider tells us they're permanently invalid (410 Gone), or when you cancel them manually. If an admin added you to the Supporter waitlist before you had an account, that email is kept until you sign up (at which point the role is materialized and the waitlist row deleted) or until an admin removes it. Deleted accounts are permanently wiped along with all associated data (including any Supporter role and linked push subscriptions).
Children
The service is not directed at children under 13. If you believe your child has provided us personal data without your consent, write to hola@hitazos.fun and we'll delete it.
Changes
If we update this policy we'll post the change on this page and, if the change is significant, also notify subscribers by email.
Contact
For any privacy-related question, write to hola@hitazos.fun.