escape · shell

Privacy Policy

Last updated 2026-04-23

1. What we collect

  • Email — for account verification and password reset only.
  • Username — public identifier shown on the leaderboard and your profile page.
  • Password — hashed with bcrypt. We never see, store, or transmit plaintext passwords.
  • Mission progress — best score, grade, hints used, completion time. Tied to your user id for leaderboard ranking.
  • Session cookie — an encrypted HTTP-only cookie that keeps you signed in for 30 days.

We don't collect analytics, device fingerprints, or any third-party tracking data. There are no ads.

2. How we use it

To run the service: sign you in, verify your email, reset your password, save your game progress, and rank you on the public leaderboard. That's it.

3. Email delivery

Verification, welcome, and password-reset emails are sent over SMTP through our mail provider. They include a link or a clear call to action and nothing else.

4. Who sees your data

Your username and best scores are visible on the leaderboard. Your email is never shown publicly. No data is shared with third parties.

5. Guest play

If you play without registering, nothing touches our servers. Progress lives only in your browser's localStorage and stays there until you clear site data.

6. Deleting your account

Email info@fatusa.at from the address on your account and we'll wipe your user, all progress, sessions, and tokens within 7 days.

7. Security

Passwords are bcrypt-hashed (11 rounds). Verification and reset tokens are stored only as SHA-256 hashes, so even the tokens in a full database dump couldn't be replayed to reset anyone's password. Session cookies use iron-session encryption.

8. Changes

If this policy materially changes, we'll note it on the landing page and update the date above.
