Privacy Policy
Last updated: 28 February 2026
1. Who we are
Guled Said Osman (“we”, “us”, “our”) operates the Flickd film-quiz game available at flickd.fun and through our mobile and desktop apps.
Data Controller (Art. 4(7) GDPR):
Guled Said Osman
Popitzweg 8, 13627 Berlin, Germany
[email protected]
2. What data we collect and why
2.1 Account data (when you register)
If you create an account, we collect:
- Email address — to identify your account and send the one-time verification email.
- Display name — the name shown to other players during multiplayer games. You choose this name.
- Password — stored as a bcrypt hash (12 rounds). We never store or transmit your plain-text password.
- Profile picture URL — only if you register via Google or GitHub; this is the URL of the avatar hosted by the OAuth provider.
Legal basis: Performance of a contract (Art. 6(1)(b)) — you need an account to save progress and play multiplayer.
2.2 Sign-in data collected automatically
On every login or session renewal, we record:
- IP address hash — a one-way SHA-256 hash of your IP address combined with a secret salt. The raw IP is never written to our database.
- User-Agent string — your browser or app name and version, truncated to 256 characters.
These are stored in the refresh token record and deleted automatically after 30 days.
Legal basis: Legitimate interest (Art. 6(1)(f)) — fraud prevention, abuse detection, and session security.
We have conducted a Legitimate Interest Assessment (LIA) for each of these processing activities to verify that our interests do not override your fundamental rights and freedoms.
2.3 Film submissions and corrections
If you submit a new film or report an incorrect field, we record the submitted data, a pseudonymous IP hash, and your browser's locale to assist with moderation.
Legal basis: Legitimate interest (Art. 6(1)(f)) — content quality and integrity.
2.4 Analytics (PostHog)
We use PostHog to understand how the game is played. We collect anonymous gameplay events such as “film card displayed”, “guess submitted”, “game completed”. No event includes your name, email, or account ID. PostHog is configured with person_profiles: 'identified_only' and we do not call identify(), meaning no personal profile is created in PostHog.
PostHog is hosted exclusively in the EU (eu.i.posthog.com). No data is transferred to the US or any other third country. A Data Processing Agreement (DPA) is in place with PostHog.
Analytics cookies are only set after you give explicit consent via the cookie banner.
Legal basis: Consent (Art. 6(1)(a)).
2.5 Multiplayer session data
During a multiplayer game, your chosen player name and game state are shared in real time with other players via WebRTC peer-to-peer. This data is not stored on our servers and is cleared when your browser tab is closed.
Where direct peer-to-peer connections are not possible (e.g. symmetric NAT), traffic may be relayed through a TURN server. We do not log the content of relayed sessions. If no TURN server is configured, the browser falls back to public STUN servers (Google, Cloudflare).
Legal basis: Performance of contract (Art. 6(1)(b)).
2.6 Infrastructure logs
Our web server records standard access logs (IP address, User-Agent, request path, HTTP status). Logs are retained for a maximum of 7 days and then automatically deleted.
Legal basis: Legitimate interest (Art. 6(1)(f)) — operational security and debugging.
2.7 Summary of legal bases
| Processing activity | Legal basis | Article |
|---|---|---|
| Account creation and management | Performance of contract | Art. 6(1)(b) |
| Session management and authentication | Performance of contract | Art. 6(1)(b) |
| Email verification | Performance of contract | Art. 6(1)(b) |
| Multiplayer session data | Performance of contract | Art. 6(1)(b) |
| IP hashing for fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Film submissions and correction reports | Legitimate interest | Art. 6(1)(f) |
| Cloudflare CDN and security processing | Legitimate interest | Art. 6(1)(f) |
| Infrastructure (nginx) access logs | Legitimate interest | Art. 6(1)(f) |
| Anonymous analytics | Consent | Art. 6(1)(a) |
| Frontend error monitoring | Consent | Art. 6(1)(a) |
2.8 Data minimization and automated decision-making
We collect only the personal data that is necessary to provide the game and operate the service. We do not use your data for profiling, advertising, or targeted marketing. We do not make automated decisions that produce legal or similarly significant effects about you (Art. 22 GDPR).
3. Data retention
| Data | Retention period |
|---|---|
| Account (name, email, avatar) | Until you delete your account |
| Refresh tokens and session data | 30 days, or immediately on logout / account deletion |
| Email verification tokens | 24 hours (one-time use) |
| Film submission / correction records | Indefinitely, for as long as the game service operates (required for content integrity and moderation auditability) |
| Audit log entries | 3 years (auto-deleted) |
| nginx / server access logs | 7 days (auto-deleted) |
| Database backups | 35 days (auto-deleted from cloud storage) |
| PostHog analytics | Per PostHog's retention settings |
| Multiplayer session data (sessionStorage) | Browser tab lifetime — cleared when tab is closed |
4. Third parties and data processors
We share data with the following third parties acting as our data processors. We do not sell, rent, or share your personal data with any third party for advertising or marketing purposes.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| MongoDB Atlas | Database hosting | All account and game data | Belgium (EU) |
| Google Cloud Platform | Server infrastructure, secret storage, backups | All server-side data | Frankfurt, Germany (EU) |
| Cloudflare | DNS, CDN, and TLS | Processes full client IP addresses as part of CDN routing and DDoS protection. IPs are not forwarded to our database (we store only a salted hash). All HTTP request metadata. | Global (EU gateway available) |
| PostHog | Anonymous analytics | Anonymous gameplay events, anonymous device ID | EU only — DPA in place |
| Resend | Transactional email | Your email address (verification only) | US — DPA in place |
| Google | OAuth sign-in | Your Google email, name, and profile picture | Global |
| GitHub | OAuth sign-in | Your GitHub email, name, and profile picture | Global |
| Grafana Cloud (Alloy agent) | Server-side infrastructure monitoring (metrics, logs) | Container logs from all backend services; Prometheus metrics. Runs on our server — no data originates from your browser. | EU region — DPA in place |
| Grafana Cloud (Faro SDK) | Frontend error and performance monitoring | JavaScript errors, page load metrics, browser metadata, IP address. Only active after you give analytics consent. | EU region — consent required — DPA in place |
Where personal data is transferred outside the European Economic Area (EEA), we rely on the European Commission's Standard Contractual Clauses (SCCs) and/or, where applicable, the EU-US Data Privacy Framework (DPF) to ensure an adequate level of protection in accordance with Art. 46 GDPR.
5. Cookies and local storage
See the separate Cookie Policy for the full inventory of cookies, localStorage, and sessionStorage entries we use, their expiry periods, and instructions for managing your preferences.
6. Your rights (GDPR)
| Right | Article | How to exercise |
|---|---|---|
| Access | Art. 15 | Email [email protected] — we will respond within 30 days |
| Rectification | Art. 16 | Update your username in account settings, or email us |
| Erasure | Art. 17 | Use "Delete my account" in account settings, or email [email protected] |
| Restriction of processing | Art. 18 | Email [email protected] |
| Data portability | Art. 20 | Email [email protected] — we will provide a machine-readable export |
| Object to processing | Art. 21 | Email [email protected] |
| Withdraw consent | Art. 7 | Use "Change cookie preferences" on the Cookie Policy page |
You also have the right to lodge a complaint with the supervisory authority in your country of residence. In Berlin (Germany), this is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI).
7. Children
Flickd is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it.
8. Security
- Passwords are hashed with bcrypt (12 rounds) and never stored in plain text.
- Refresh tokens are stored only as SHA-256 hashes; the raw token exists only in your HttpOnly cookie.
- IP addresses are hashed with a secret salt before storage; raw IPs are never written to the database.
- All traffic is encrypted with TLS.
- Production secrets are stored in Google Cloud Secret Manager and accessed only by the server at runtime.
- Database access is restricted to our production server IP address.
9. Changes to this policy
We will post any changes to this page and update the “Last updated” date. For material changes, we will notify registered users by email.
10. Contact
For privacy enquiries or to exercise your rights:
[email protected]
Guled Said Osman
Popitzweg 8, 13627 Berlin, Germany