Privacy Policy
Last updated: March 2026
Controller
Michael Palmer, palmomedia
Email: hallo@schere-stein-papier.org
Web: palmomedia.de
Principle
Ninja Duell can be played as a guest without an account. Users who voluntarily register receive a personal profile with statistics. No tracking or third-party analytics tools are used.
What is stored
Game data (all players)
When creating or joining a game, a temporary game state is stored in the database. It contains a random game ID, HMAC tokens for player identification, moves, and timestamps. Completed game results (mode, winner, timestamp) are stored permanently in the database and used for the leaderboard and personal statistics.
User accounts (optional, after registration)
Upon registration, the following data is stored:
- Username (chosen by the user, publicly visible on the leaderboard)
- Avatar emoji (chosen by the user)
- Email address (for magic link login or OAuth linking; not public)
- Password hash (only for password registration; hashed with bcrypt)
- Registration timestamp
Game results are permanently linked to your account and shown in your personal statistics.
Sessions
After login, a session is stored in the database (session token, user ID, expiry time). Expired sessions are automatically deleted daily.
Magic links
When logging in via magic link (passwordless), a time-limited token (valid 30 minutes) is sent to your email address and stored in the database. Used and expired tokens are automatically cleaned up daily.
Server logs
The web server automatically stores IP address, timestamp, and requested URL in server log files for each request. These logs are used for error diagnosis and are deleted after 7 days at the latest.
Rate limiting
To prevent abuse, IP addresses and access counters are temporarily stored on the server. This data is automatically deleted and not linked to other data.
Cookies
This website sets the following cookies:
- lang – language preference (DE/EN), 365 days, technically necessary
- Session cookie – after login for authentication, expires after 30 days or upon logout
- oauth_state – short-lived CSRF protection cookie during OAuth login (Google/Facebook), deleted after completion
- oauth_pending – short-lived cookie (10 min) during new OAuth registration, deleted after completion
No tracking cookies are set. The cookie banner confirmation is stored in your browser's localStorage (no additional cookie).
Third parties
This website does not embed any external analytics or advertising services (no Google Analytics, no Facebook Pixel, no external fonts, no CDN resources). All content is delivered directly from our own server.
Google Login (OAuth)
If you sign in with your Google account, you will be redirected to Google. Google transmits your name, email address, and Google user ID to us. We only store the email address and an anonymized identifier for account linking. Google's Privacy Policy applies.
Facebook Login (OAuth)
If you sign in with your Facebook account, you will be redirected to Facebook. Facebook transmits your name, email address, and Facebook user ID to us. We only store the email address and an anonymized identifier for account linking. Meta's Privacy Policy applies.
When you use the share buttons (WhatsApp, Telegram, Signal, Teams), you leave this website and are subject to the privacy policy of the respective provider.
Legal basis (GDPR)
Your data is processed based on:
- Art. 6(1)(b) GDPR – Performance of a contract (providing the game and user account)
- Art. 6(1)(f) GDPR – Legitimate interests (abuse prevention, server security)
- Art. 6(1)(a) GDPR – Consent (voluntary registration, OAuth login)
Your rights (GDPR)
You have the right to access, rectification, erasure, restriction of processing, data portability, and the right to lodge a complaint with a supervisory authority.
To delete your account and all stored data, please contact us by email. Game results without account association (guest games) cannot be attributed to a specific person.
Contact
For privacy-related questions: hallo@schere-stein-papier.org