FNreplay analyzes Fortnite .replay files in your browser. This policy explains exactly what we receive, what we never touch, and the rights you have over it.
fnreplay.com (“the Site”) is an independently operated web application that provides analysis of Fortnite .replay files. Anyone can review a replay on the Site without an account; signing in with Epic Games is optional and only enables additional features.
basic_profile scope. We do not request your friends list, country, or presence.Authentication records (Epic Account ID, role, synthetic email of the form epic-<id>@fnreplay.invalid) are stored in a Supabase project hosted by Supabase, Inc. Application hosting is provided by Railway. We do not maintain our own database for user data beyond what Supabase Auth requires.
Authentication records persist for as long as your account is authorized. You may request deletion of your authentication record at any time by contacting us at the address below; we will delete it within 30 days.
The Site relies on the following service providers, each acting as a data processor for limited and specific purposes:
Receives a sign-in request initiated by you and returns your Epic Account ID after you consent. Epic’s own privacy policy at epicgames.com governs that interaction.
Stores your Epic Account ID, role, and synthetic email for authentication.
Runs the Next.js server that processes sign-in and the checkpoint-decryption endpoint.
DNS resolution and edge caching of public static assets.
Stores email addresses submitted to the Teams waitlist so we can notify you when team features launch. We do not send marketing email and do not share the address.
We do not share your data with any third party for advertising, analytics, or marketing purposes.
All traffic to and from the Site is encrypted in transit via HTTPS (TLS). Session cookies are issued with the HttpOnly, Secure, and SameSite=Lax flags so they cannot be read by JavaScript or sent on cross-site requests. Server-side credentials (Supabase service-role key, Epic OAuth secret) are never sent to the browser. JWT tokens issued by Supabase are cryptographically signed and validated on every request via Supabase’s JWKS endpoint.
The Site and its service providers (Supabase, Railway, Cloudflare, Resend) operate primarily from data centers in the United States. If you access the Site from outside the United States — including from the European Economic Area, the United Kingdom, or Switzerland — your information will be transferred to and processed in the United States, which may not provide the same level of data protection as your local jurisdiction. By using the Site you consent to this transfer.
Depending on where you live, you may have the following rights with respect to your data:
To exercise any of these rights, contact us at the address in the Contact section below.
The Site uses functional cookies only — specifically, the Supabase authentication session cookie and short-lived OAuth state cookies used during the sign-in flow. We do not use advertising, analytics, or cross-site tracking cookies.
The Site is not directed at children under 13 and we do not knowingly collect personal information from them.
We may update this policy from time to time. The “Effective date” at the top of this page reflects the most recent revision.
Questions about this policy or requests to delete your authentication record can be sent to [email protected].
Reach out about this policy, a data request, or the Teams waitlist.