Privacy
Plain English. Two collection tiers. No third parties. The technical version lives in docs/data-governance.md and the design rationale in ADR 0004.
The short version
We do not sell your data. We do not have ads. There are no third-party trackers on this site. Everything we collect lives in our own database, runs through our own code, and never leaves Nerd Shizz.
We do collect analytics about how the games are used, because we want to make them better. You can turn that off with one click and the site will still work fine.
Two tiers
Everything we collect falls into one of two categories.
Tier 1: Essential
Strictly necessary for the site to work. We don't ask consent for these because the service cannot function without them.
- Anonymous player cookie (ns_player): generated on your first visit so your scores stick to the same leaderboard identity across sessions. HttpOnly. Lasts ~18 months. Equivalent to a "this browser played here" badge.
- Session cookie (ns_session): only set after you sign in. Authenticates you. HttpOnly, Secure, SameSite=Lax. 30-day idle expiry, 90-day hard cap.
- Hashed IP: SHA-256 of your IP plus a daily rotating salt. Used for abuse detection and rate limiting. The salt is dropped after 24 hours, so after that the hash can no longer be linked back to a specific IP address.
- Server access log: path, status, latency, request id. No bodies, no headers beyond what we need to operate the service.
- Game data: your scores, the duration of each play, game-specific metadata (which puzzle, hints used, run seed, input log). Required to power the leaderboards and to detect cheating.
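As an added illustration of the Tier 1 hashed-IP scheme described above (this is not the project's own code): SHA-256 is taken over a random per-day salt plus the IP, the salt store keeps only the current day's salt, and a stored digest can be matched to an address only while that day's salt is still held. The class and function names and the 203.0.113.x sample addresses are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

def utc_day(when: datetime) -> str:
    return when.astimezone(timezone.utc).strftime("%Y-%m-%d")

def hash_ip(ip: str, salt: bytes) -> str:
    """SHA-256(salt || ip) as hex: stored for abuse/rate limiting instead of
    the IP. The salt stops it being a stable cross-day identifier and blocks
    offline brute force of the small IPv4 space once the salt is gone."""
    return hashlib.sha256(salt + ip.encode("ascii")).hexdigest()

class RotatingSaltStore:
    """One random 32-byte salt per UTC day; purge() keeps only today's, so
    digests made with an older salt can never be matched to an IP again."""

    def __init__(self) -> None:
        self._salts: dict = {}

    def salt_for(self, when: datetime) -> bytes:
        return self._salts.setdefault(utc_day(when), secrets.token_bytes(32))

    def purge(self, now: datetime) -> int:
        stale = [k for k in self._salts if k != utc_day(now)]
        for k in stale:
            del self._salts[k]
        return len(stale)  # number of salts dropped

    def verify(self, ip: str, digest: str, made_at: datetime) -> bool:
        """True only while the salt that was in use at `made_at` is still held."""
        salt = self._salts.get(utc_day(made_at))
        return salt is not None and hmac.compare_digest(hash_ip(ip, salt), digest)

def demo() -> dict:
    """Constructed walk-through: one TEST-NET-3 address across a salt rotation."""
    store = RotatingSaltStore()
    ip = "203.0.113.7"
    day1 = datetime(2026, 5, 6, 9, tzinfo=timezone.utc)
    day2 = datetime(2026, 5, 7, 9, tzinfo=timezone.utc)
    d1, d2 = hash_ip(ip, store.salt_for(day1)), hash_ip(ip, store.salt_for(day2))
    return {
        "hash_changes_daily": d1 != d2,
        "linked_same_day": store.verify(ip, d1, day1),
        "other_ip_rejected": store.verify("203.0.113.8", d1, day1),
        "salts_dropped": store.purge(day2),
        "linked_after_purge": store.verify(ip, d1, day1),
        "today_still_linked": store.verify(ip, d2, day2),
    }
```

Note that the unsalted IPv4 space is small enough to enumerate, so it is the discarded salt, not the hash function, that makes an old digest unlinkable.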
Tier 2: Analytics (consent-gated in EU/UK, opt-out elsewhere)
This is the data that helps us understand who's using Nerd Shizz, what's working, and what isn't. You can choose what's on:
- Page metrics: which page you're viewing, how you got there (referring host, never the full URL), UTM tags if a link had them, time on page, basic interaction events (click on a CTA, expand a menu).
- Game metrics: game start, game end, score submission, error events, run abandonment. Not your individual moves; the existing essential telemetry already covers what's needed for the leaderboard.
- Source attribution: referring host, UTM tags, the broad device category (mobile/tablet/desktop), browser family (Chrome/Firefox/Safari/etc), OS family (Windows/macOS/iOS/Android/Linux), and the country code from your network's IP geolocation. Never precise location, never a fingerprint.
If you turn Tier 2 off, we keep running the service exactly the same way. We just don't write events to our analytics table.
What we never do
- No third-party tracking scripts. Not Google Analytics. Not Plausible. Not Cloudflare Web Analytics. Not Fathom. Nothing.
- No fingerprinting beyond user agent, accept-language, and screen size. No canvas/audio/font/WebGL fingerprinting.
- No precise geolocation. Country level only.
- No cross-site tracking, because we never set third-party cookies.
- No retargeting, no audience exports, no advertising partnerships.
- No selling. No sharing. No leasing. No "trusted partners".
How consent works
The first time you visit, the consent banner appears at the bottom of the page (it doesn't block content). You have three choices:
- OK, sure: all three Tier 2 categories on.
- No thanks: all three off. The site keeps working.
- Customize: three checkboxes, one per category. Save any combination.
The accept and reject buttons are the same size and prominence. Whichever you pick, the site remembers for 12 months. You can change your mind any time via the "manage privacy" link in the footer.
If you visit from the EU, EEA, or UK, the banner shows on first visit and Tier 2 is off until you affirm. If you're elsewhere, we show a smaller notice and Tier 2 defaults on with a one-click opt-out via the same footer link.
If your browser sends the Global Privacy Control signal (Sec-GPC: 1), we treat that as opt-out and skip the banner.
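An added example, not the site's own code, of how the consent rules above resolve for one request: a GPC signal first, then an unexpired saved choice, then the regional default (off with the full banner in the EU/EEA/UK, on with the smaller notice elsewhere). The names, the assumed precedence of GPC over a saved choice, and the EU/EEA/UK country list are mine, not the page's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CATEGORIES = ("page_metrics", "game_metrics", "source_attribution")
# Regions where Tier 2 stays off until affirmed: EU-27, EEA (IS, LI, NO) and the UK.
EU_EEA_UK = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE "
    "IS LI NO GB".split())
CONSENT_TTL = timedelta(days=365)  # the page's "remembers for 12 months"

@dataclass
class StoredConsent:
    choices: dict      # category -> bool, as saved from the banner
    saved_at: datetime

@dataclass
class Tier2Decision:
    enabled: dict  # category -> bool for this request
    banner: str    # "full" (EU/UK), "notice" (elsewhere) or "none"
    basis: str     # "gpc", "stored", "awaiting_consent" or "default_on"

def resolve_tier2(headers: dict, country: str, stored: Optional[StoredConsent],
                  now: Optional[datetime] = None) -> Tier2Decision:
    """Decide which Tier 2 categories may be written for one request.
    Assumed precedence: GPC signal > unexpired stored choice > regional default."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    if h.get("sec-gpc") == "1":
        return Tier2Decision({c: False for c in CATEGORIES}, "none", "gpc")
    if stored is not None and now - stored.saved_at < CONSENT_TTL:
        enabled = {c: bool(stored.choices.get(c, False)) for c in CATEGORIES}
        return Tier2Decision(enabled, "none", "stored")
    if country.upper() in EU_EEA_UK:
        return Tier2Decision({c: False for c in CATEGORIES}, "full", "awaiting_consent")
    return Tier2Decision({c: True for c in CATEGORIES}, "notice", "default_on")

def demo() -> dict:
    """Constructed requests; returns (basis, banner, enabled) chosen for each."""
    now = datetime(2026, 5, 6, tzinfo=timezone.utc)
    fresh = StoredConsent({"page_metrics": True}, now - timedelta(days=30))
    stale = StoredConsent({"page_metrics": True}, now - timedelta(days=400))
    cases = {
        "gpc_overrides_stored": resolve_tier2({"Sec-GPC": "1"}, "US", fresh, now),
        "eu_first_visit": resolve_tier2({}, "DE", None, now),
        "us_first_visit": resolve_tier2({}, "US", None, now),
        "customized_fresh": resolve_tier2({}, "FR", fresh, now),
        "expired_in_uk": resolve_tier2({}, "GB", stale, now),
    }
    return {k: (d.basis, d.banner, d.enabled) for k, d in cases.items()}
```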
Data we additionally collect when you sign in
- Your email address (from Google or GitHub OAuth).
- Your display name and avatar URL.
- The OAuth provider you used and the provider's user ID. We never see, store, or transmit your password.
- If you choose to fill out the profile survey: age range bucket, role, company size, primary languages, where you heard about us. Optional. Always editable. Always deletable.
How long we keep things
- Your account: until you delete it, plus 30 days for backup recovery.
- Anonymous players: 18 months from your last play, then auto-purged.
- Your scores: indefinitely. After 18 months of inactivity on an anonymous player, the player_id and display name are anonymized but the score values stay so leaderboards aren't retroactively rewritten.
- Audit logs of security-relevant events: 13 months.
- Hashed IPs: 24 hours of verifiability, then permanent unverifiability.
- Tier 2 events: 25 months at row level. Older than that, aggregated into daily rollups and the row-level data dropped.
- Consent records: indefinite (we have to be able to prove what you consented to and when, per GDPR Art. 7). On account deletion, your consent history is anonymized.
- Demographics survey: until you delete your account, or until you remove it via the profile page.
Your rights
Whether or not your jurisdiction requires it, we honor these. From your profile page (signed in):
- Right to know: download a JSON export of every byte we have tied to your account. Includes events, consent history, demographics if filled in.
- Right to delete: "delete my account" button. Soft-delete first (30 days), then hard delete. Scores stay (anonymized) so leaderboards are stable.
- Right to correct: edit display name. Edit demographics. Email cannot be changed (delete and re-create).
- Right to opt out: "manage privacy" link in the footer toggles Tier 2 categories. Effective immediately.
If you're not signed in but want to exercise these rights, email privacy@nerdshizz.com with the player_id from your ns_player cookie (DevTools > Application > Cookies; copy the value). We'll act on it within 30 days.
Sensitive data
We don't collect any. No precise location. No biometrics. No health data. No data about children. No government IDs. If we ever consider changing this, we'll write an ADR and update this page first.
Where the data lives
Authoritative data is in PostgreSQL on Elest.io in US East. Hot-path session and rate-limit state is in Redis local to our VPS. Cloudflare provides DNS, CDN, and the tunnel that fronts everything. We do not currently offer customer-controlled data residency, and we never use a third-party analytics vendor.
Compliance posture
We are a Houston-based hobby project. We comply with:
- Texas Data Privacy and Security Act (TDPSA): notice + opt-out + universal opt-out signals. We fall below the Act's applicability thresholds in the strict sense, but we comply anyway.
- CCPA / CPRA (California): same. We don't sell or share, so the headline-grabbing requirements don't change much, but we honor the access/delete/correct/opt-out rights without requiring a California ID.
- VCDPA / CPA / CTDPA / UCPA (Virginia, Colorado, Connecticut, Utah): same.
- GDPR / UK GDPR / ePrivacy: lawful basis declared per category. Tier 1 is necessity / contract / legitimate interest with documented LIA. Tier 2 is consent in the EU/UK, freely given via the consent banner with reject-all matching accept-all in prominence.
Children
Nerd Shizz is not directed at children under 13. If you're under 13, please don't use the site or send us any data. If we learn we've collected data from a child under 13, we delete it.
If something goes wrong
If we discover a data exposure, we contain it, rotate keys, and email affected users within 72 hours of confirmation. We post a public write-up at /incidents/<date>-<slug>.md and a root cause within 14 days. We do not hide incidents.
Changes to this page
If we change anything material, the change is in git history at apps/storefront/public/privacy.html, the policy-version meta increments, and the consent banner re-shows for previously-consented EU/UK users so they can re-affirm.
Contact
Privacy questions or rights requests: privacy@nerdshizz.com.
Security issues: security@nerdshizz.com.
Everything else: open an issue.
policy version 2026-05-06.