Privacy Policy

Last updated: 2026-02-23

Privacy-First Commitments

• No analytics, ad trackers, pixels, geolocation APIs, or external tracking scripts are used.
• No raw IP addresses are intentionally stored in application data.
• Location is optional manual text only. We do not track device location.
• Submissions are private and not publicly shared by the platform.

Data We Store

• Account data: email address, display name, password hash (never plain text password).
• Puzzle and submission data you enter, including optional notes and optional image uploads.
• Operational logs for moderation and abuse prevention without raw IP storage.
• Security and account-verification data (for example two-factor authentication state and delivery metadata).

Legal Basis (UK GDPR / GDPR)

• Contract: to provide your account and core service features.
• Legitimate interests: security, moderation, and service reliability.
• Consent: where you choose to provide optional fields.

Retention

• Default retention is 5 years (admin configurable 1 to 10 years).
• Daily retention job anonymizes expired submissions, deletes old submission images, and deletes old audit logs.
• Where local law requires longer retention (for legal claims, tax, or fraud prevention), data may be retained for that legal period only.

Your Rights

• Access and portability: use Export My Data (JSON/CSV).
• Rectification: update profile and your own submissions.
• Erasure, restriction, objection, or correction requests: use Profile > Privacy Requests or contact the operator.
• You can also submit in-app privacy requests from Profile > Privacy Requests.
• Appeal/escalation: if you disagree with a decision, contact the operator for manual review.

Regional Privacy Frameworks

• UK/EU: UK GDPR and EU GDPR rights including access, rectification, erasure, restriction, portability, and objection.
• United States: state privacy laws may apply (such as CCPA/CPRA and similar state laws) for access/delete/correct rights where required.
• Brazil: LGPD rights for confirmation of processing, access, correction, anonymization/deletion, and portability where applicable.
• Canada: PIPEDA principles including meaningful consent, access, and correction.
• APAC and other regions: applicable local privacy frameworks (for example APPI, PDPA variants, Privacy Act regimes) are honored where legally required.
• If multiple laws apply, this service follows the strictest applicable standard reasonably possible for that request.

International Data Transfers

Data may be processed in countries other than your own. Where required, the operator should use appropriate safeguards (for example contractual safeguards and access controls) for international transfers.

Children's Privacy

This service is not directed to children under the minimum age required by applicable law in their jurisdiction. If a parent/guardian believes a child has provided data, they should submit a deletion request immediately.

Security Measures

• Password hashing via ASP.NET Core Identity.
• No geolocation tracking and no third-party analytics/tracking scripts.
• Role-based access controls for moderation and administrative actions.

Breach Notification

If a data incident occurs, the operator should assess impact promptly and notify affected users/regulators where required by applicable law.

Controller Responsibility

The site operator is the data controller for this deployment and remains responsible for compliance with applicable law. This policy reduces data collection and exposure, but it does not remove all legal obligations.