1. Data Controller
This website (Enrico) is operated as a personal side project. For all data-related enquiries, including requests to access or delete your data, contact:
Email: [email protected]
2. What Data We Collect
We collect only what is strictly necessary to operate the service:
| Data | Why | Required? |
|---|---|---|
| Cookie ID (UUID) | Links your scores between sessions | Only with consent |
| Random username | Shows you on the leaderboard | Only with consent |
| Gameplay records | Score history & leaderboard | Only with consent |
| Email address | Optional sign-in / identity linking | Voluntary |
| One-time passcodes (OTP) | Email verification; auto-deleted after 24 h | Voluntary |
We do not collect names, IP addresses, device fingerprints, advertising identifiers, or any sensitive personal data.
3. Legal Basis (GDPR Art. 6)
- Consent (Art. 6(1)(a)): cookies, persistent username, leaderboard scores. You may withdraw consent at any time by clearing your browser cookies and local storage.
- Legitimate interest (Art. 6(1)(f)): transient, session-only gameplay (answer scoring without persistence) so the game is usable without consent.
- Contract (Art. 6(1)(b)): email address, solely for sending the one-time verification code you requested.
4. Cookies
We use one first-party cookie:
Name: enrico_id
Purpose: Stores an anonymous UUID that links your scores across sessions
Duration: 1 year (httpOnly, SameSite=Lax)
Set only after: explicit consent via the banner
No third-party tracking cookies, analytics scripts, or advertising pixels are used.
5. Retention Periods
- One-time passcodes: automatically deleted 24 hours after creation.
- Email address: retained until you request account deletion.
- Gameplay records & leaderboard scores: retained indefinitely until you request deletion.
- Cookie ID & username: retained until you request deletion or clear your browser data.
6. Sub-processors
We rely on two infrastructure providers, both subject to EU data protection standards:
Hetzner Online GmbH — Server hosting (Nuremberg, Germany). Data Processing Agreement in place. Privacy policy
Resend, Inc. — Transactional email delivery (EU DPA available). Used only to send one-time verification codes. Privacy policy
No data is shared with any other third party.
7. Your Rights (GDPR Art. 15–22)
You have the right to:
- Access: Request a copy of all data we hold about you.
- Erasure: Request deletion of your account and all associated data.
- Correction: Ask us to correct inaccurate data.
- Restriction: Ask us to stop processing your data while a dispute is resolved.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: At any time, without affecting past processing.
To exercise any right, email [email protected]. We will respond within 30 days. If you are unsatisfied, you have the right to lodge a complaint with your national supervisory authority.
8. How to Delete Your Data
Send an email to [email protected] with the subject line "Data deletion request". Include the email address or username associated with your account (if any). We will confirm deletion within 30 days.
To remove the local cookie immediately: clear cookies for this site in your browser settings. This will unlink your session; historical scores already saved to the server are not removed until you send the deletion request above.
9. Changes to This Policy
We may update this policy when we change how we handle data. Material changes will be announced on the main page. The "Last updated" date at the top of this page reflects the most recent revision.