Privacy Policy

In simple words

We only store the minimum needed to make the game work. The site keeps short-lived session tokens on the server and small preferences (theme, language, local scores) in your browser. We do not set advertising or analytics cookies by default, and you do not need to provide an email to play.

If you register an account we store your username and a password hash on the server so you can log in later. Anonymous players who submit scores will have those score records saved, but no email or other contact data is required.

Formal privacy information (GDPR-ready)

Data controller

The project maintainer is the controller for any personal data processed by this application. See the project README for maintainer contact details.

What we collect

• Account username and password hash (for registered users).
• Session tokens and CSRF tokens (server-side) to authenticate and protect requests.
• Gameplay data you submit: scores, errors, duration, board size and difficulty.
• Frontend preferences stored locally in your browser (theme, language, local saved games/scores).

Purpose and legal basis

Data is processed to provide the service (authentication, game persistence, leaderboards). Processing is necessary for the performance of the service (contract) or for the legitimate interest of operating and securing the application.

Cookies and local storage

This application does not set analytics/advertising cookies. Authentication is handled via opaque session tokens stored server-side and returned to the client in API responses; the frontend may persist an authentication token in localStorage if you choose to stay logged in. UI preferences are stored in localStorage. No cookies containing personal data are set by default.

Retention

Session records and CSRF tokens are retained for a limited period (implementation default). Score records are retained until removed by the maintainer.

Data subject rights

You have the right to access, rectify, or request erasure of personal data held about you, and to lodge a complaint with a supervisory authority. To exercise these rights, contact the project maintainer (see README).

Security

Passwords are stored as salted PBKDF2 hashes. Session tokens and CSRF tokens are stored server-side in the application database. Follow best practices: deploy over HTTPS, protect your device from malware, and avoid sharing tokens.

Data storage location

Personal data collected by this service is stored on servers located in Germany, within the European Union. Where we use third-party processors that transfer or store data outside the EU, we ensure appropriate safeguards such as Standard Contractual Clauses or rely on an adequacy decision; details are provided in the Third parties section below.

Third parties

The application does not include third-party analytics or advertising by default. If that changes, the privacy policy will be updated.

Changes

We may update this policy; substantial changes will be published on this page.