Privacy Policy

Last updated: April 16, 2026

Important:

This is a draft privacy policy for the current version of this app. Replace all placeholders in square brackets before publication. This draft is written for GDPR / DSGVO use in the EU, including Germany, but it is not legal advice.

1. Controller

Controller for data processing within the meaning of the GDPR / DSGVO:

[Full legal name / company name]

[Street, number]

[Postal code, city]

[Country]

Email: [privacy email]

Phone: [optional]

If you have appointed a data protection officer, add:

Data Protection Officer

[Name / role]

Email: [DPO email]

2. Scope of this policy

This privacy policy explains how we process personal data when you use this website and the interactive guessing game available on it.

3. Categories of data we process

Depending on how you use the website, we may process:

• Technical connection and usage data, such as IP address, date and time of access, requested URL, referrer URL, browser type, operating system, and response status.

• Content you actively submit in the game input field.

• Names you submit for custom game creation, AI-generated fact lists created from that input, and public share slugs generated for those custom games.

• Session identifiers used to associate multiple guesses with the same game session.

• Stored game interaction data, including submitted guesses, the AI-generated response result, success state, and timestamps, so that game sessions can be reconstructed.

• Technical metadata necessary to provide the game functionality and protect the service.

• Aggregated or analytics-related usage data, if analytics is enabled.

4. Purposes and legal bases

4.1 Website delivery and security

When you access this website, we process technical connection data in order to:

• deliver the website,

• ensure stability and security,

• detect abuse and troubleshoot technical issues.

Legal basis:

• Art. 6(1)(f) GDPR (legitimate interests in secure and reliable website operation)

• where strictly necessary storage or access on a device is involved, § 25(2) TDDDG

Our legitimate interest is providing a stable and secure website.

4.2 Game input and AI-based response generation

If you use the guessing game, we process the text you enter in order to provide the requested game response.

The content you submit is sent to our AI service provider for response generation.

We also store submitted guesses together with a session identifier, timestamp, and the AI result in order to operate the game, support session continuity and reconstruction, analyze gameplay quality, and debug errors.

Legal basis:

• Art. 6(1)(b) GDPR, insofar as processing is necessary to provide the service you requested

• alternatively or additionally Art. 6(1)(f) GDPR, our legitimate interest being operation and improvement of the interactive service

Please do not submit sensitive personal data or confidential information in the input field.

4.3 Custom game creation and share links

If you use the custom game creation feature, we process the name you submit, generate a fact list for that name via our AI provider, store the resulting fact set, and create a public share link with a random slug so the custom game can be reopened and shared.

Legal basis:

• Art. 6(1)(b) GDPR, insofar as processing is necessary to provide the custom game feature you requested

• alternatively or additionally Art. 6(1)(f) GDPR, our legitimate interest being operation and improvement of the interactive service

4.4 Analytics

We use Vercel Analytics to understand how the website is used and to improve the service.

For users in the EU / EEA and Germany, the safer compliance approach is to use analytics only where permitted under applicable law and, where required, only after valid consent.

Use one of the following approaches before publication and delete the other:

Option A: Analytics only after consent

Legal basis:

• Art. 6(1)(a) GDPR

• § 25(1) TDDDG, where storage of or access to information on the user device requires consent

You may withdraw your consent at any time with effect for the future.

Option B: Analytics without consent only after legal review

If you conclude after legal review that your concrete Vercel Analytics setup does not require consent and does not process personal data beyond what is permissible, replace this section with the reviewed wording.

5. Recipients and service providers

We use service providers that process data on our behalf or as separate recipients, depending on the processing activity:

• Vercel, Inc. for hosting, infrastructure, and, if enabled, analytics

• X.AI LLC / xAI for AI response generation used by the game

If you use other providers in production, add them here.

6. International data transfers

Some recipients may process data outside the EU / EEA, in particular in the United States.

Where personal data is transferred to a third country, we rely on an appropriate transfer mechanism under Chapter V GDPR, for example:

• an adequacy decision, where applicable,

• the EU Standard Contractual Clauses,

• or another legally recognized safeguard.

Replace this section with your actual transfer setup for each provider before publication.

Suggested implementation note:

• Vercel: document the transfer mechanism actually used in your Vercel contractual setup.

• xAI: document the transfer mechanism actually used for the xAI API relationship.

7. Retention periods

We retain personal data only for as long as necessary for the stated purposes, unless a longer retention period is required by law.

Typical retention logic for this app:

• website and security logs: [insert actual retention period]

• game session logs, guesses, timestamps, session IDs, and AI result data: [insert actual retention period]

• analytics data: according to the configuration and retention settings of the analytics provider

Replace this section with your actual retention periods before publication.

8. Obligation to provide data

You are not legally required to provide personal data.

However, if you do not provide data that is technically necessary for the website or the game input needed for response generation, some features may not work.

9. Your rights under the GDPR / DSGVO

Subject to the applicable legal requirements, you have the following rights:

• right of access, Art. 15 GDPR

• right to rectification, Art. 16 GDPR

• right to erasure, Art. 17 GDPR

• right to restriction of processing, Art. 18 GDPR

• right to data portability, Art. 20 GDPR

• right to object, Art. 21 GDPR

• right to withdraw consent at any time, Art. 7(3) GDPR

• right to lodge a complaint with a supervisory authority, Art. 77 GDPR

If you are in Germany, you may lodge a complaint with the supervisory authority responsible for your federal state or for the controller’s seat.

10. Right to object

Where we process your data on the basis of Art. 6(1)(f) GDPR, you have the right to object, on grounds relating to your particular situation, at any time to such processing.

If the legal requirements are met, we will then stop processing your data for those purposes.

11. No automated decision-making

We do not use your personal data for automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

12. Changes to this privacy policy

We may update this privacy policy from time to time to reflect legal, technical, or business changes.

The current version will be made available on this website.