Privacy Policy
This Privacy Policy explains how Wikiguessr ("Wikiguessr", "we", "us", "our") collects, uses, and shares information when you use wikiguessr.org and related services.
1. Information We Collect
Depending on how you use the service, we collect:
- Account data: username, email address, password hash, verification status, last sign-in timestamp, and timestamps recording acceptance of Terms of Service and Privacy Policy at registration.
- Authentication/session data: an HTTP-only authentication cookie (`authToken`) used to keep you signed in.
- Email security tokens: email verification tokens (stored with expiry) and password reset tokens used to complete account security workflows.
- Gameplay data: lobbies, participants, match outcomes, selected category/ruleset, article navigation history, and profile and leaderboard statistics.
- Contact/support data: submission type, subject, message, optional contact email, optional authenticated username, and optional screenshot/image attachments and moderation/reply status metadata.
- Connection diagnostics: network and request metadata such as IP-related data, user-agent, referer, origin, and connection timestamps for active socket sessions, used for security and abuse monitoring. In the admin UI, unknown-socket IP addresses are shown in masked form.
- Cookie/analytics/ads data: consent preferences, analytics identifiers and events, and advertising-related identifiers where applicable.
- Client-side storage: session/local storage values for app state, such as guest username, active lobby state, and admin UI preferences.
2. How We Use Information
We use information to:
- operate game features, lobbies, profiles, and leaderboards;
- authenticate users and secure accounts;
- send account emails (verification, reset, and support replies);
- investigate abuse, protect infrastructure, and prevent fraud;
- review and resolve contact submissions;
- measure usage and performance, and improve the service;
- serve ads and apply consent settings; and
- comply with law and enforce our Terms.
3. Cookies, Consent, Analytics, and Ads
- We use Cookiebot to manage consent choices for non-essential categories.
- We use Google tag/GA4 with consent mode to honor consent choices where required.
- We use Google AdSense for website advertising and Google AdMob for native mobile app advertising.
- Third parties, including Google, may place and read cookies on your browser or use web beacons, IP addresses, device identifiers, or similar technologies as a result of ad serving on this website or in the mobile app.
- Google may use information from this site and other sites to provide, personalize, and measure ads, depending on your consent choices and applicable law. Learn more at "How Google uses information from sites or apps that use our services".
- We send limited server-side GA4 Measurement Protocol events for key account actions (currently sign-up, login, and logout). These events use your GA client identifier when available from the `_ga` cookie.
4. Legal Bases (EEA/UK)
For users in the EEA/UK, we generally rely on contract (service delivery), legitimate interests (security, abuse prevention, service reliability and product improvement), consent (where required for non-essential cookies/ads), and legal obligations.
5. Sharing and Recipients
We do not sell personal information for money. We may share data with:
- service providers that host or operate parts of the service;
- analytics, consent, and ad providers (for example Google services and Cookiebot);
- email delivery/SMTP providers;
- infrastructure/security providers (for example Cloudflare);
- payment/donation tooling if you use those features (for example PayPal);
- law enforcement or authorities when legally required; and
- a buyer/successor in a corporate transaction, where permitted by law.
6. International Transfers
Your data may be processed in countries other than your own. Where required, we use legally recognized transfer safeguards.
7. Data Retention
We retain data for as long as needed for the purposes above, including:
- auth cookie lifetime: up to 30 days unless cleared sooner (for example on logout);
- email verification token expiry: 24 hours;
- password reset token expiry: based on server configuration (default 60 minutes);
- unknown-socket diagnostics: maintained in memory for active connections and cleared on disconnect;
- account, gameplay, and contact records: retained until deletion, operational need ends, or legal obligations require otherwise.
8. Security
We use technical and organizational safeguards intended to protect information. No system is perfectly secure, and we cannot guarantee absolute security.
9. Your Rights and Choices
You may:
- manage cookie preferences through the consent tools;
- request account updates or deletion support by contacting us; and
- where applicable, exercise privacy rights under local law (such as access, correction, deletion, objection/restriction, and portability).
10. Children's Privacy
Wikiguessr is not intended for children under 13. If you believe a child has provided personal data, contact us so we can review and remove data where appropriate.
11. Changes to This Policy
We may update this Privacy Policy. The date at the top shows the latest revision.
12. Contact
For privacy questions or requests, contact: [email protected]