PRIVACY NOTICE AND COOKIE NOTICE
1. Controller
- Name: Veszely István Nándor
- Address: Germany, Bavaria, 83714 Miesbach, Frauenschulstraße 27.
- Email: [email protected]
2. Categories of personal data processed
Account data:
- Email address, username, password (stored hashed, never in plain text), account status (active/suspended), timestamps such as registration and last login
Registration data:
- Timestamp of consent to IP-based approximate location detection, plus any country or residence data stored from earlier registrations, if present
Game data:
- Results, leaderboard points, game statistics such as rounds played, wins, losses and difficulty, plus saved game positions
- For an active unfinished game, a temporary randomly generated client identifier and lock expiry may be associated with the game to ensure that only one controlling client can write the game state at a time. This identifier is not a hardware identifier and is not used for device fingerprinting.
Subscription data:
- Subscription status and type. Payment data such as card details are processed only by Stripe, Inc.; the provider has no access to them.
Login and session data:
- Login and logout timestamps, session duration and, where applicable, IP address during login
Approximate location:
- During registration, an approximate country or location may be determined and stored on the server using a local GeoIP database. The IP address is not passed to third parties for this purpose.
Security and abuse-prevention data:
- Rate-limiting log: technical identifier, usually IP-based, action type, timestamp, success or failure result
- Failed logins: entered email address, IP address, timestamp
- Password reset: token hash, requesting IP, expiry, status
“Keep me signed in” (optional):
- Remember-me token, expiry date and possibly user-agent and last IP, only if activated by the user
Page analytics (technical):
- Pseudonymised session identifiers, page identifier and timestamps; for logged-in users optionally linked to the account
3. Purposes of processing
- Providing and operating the Quadro Place platform
- Managing user accounts, including registration, login and account functions
- Managing game statistics and the leaderboard
- Protecting the integrity of active game states, preventing conflicting saves and handling device switching
- Managing subscriptions and checking subscription status
- Technical security, including abuse prevention and protection against unauthorised access
- Error analysis and platform stability
4. Legal basis (Article 6 GDPR)
- Article 6(1)(b) GDPR – performance of a contract, including the technical enforcement of exclusive control for active games
- Article 6(1)(a) GDPR – consent for IP-based approximate location detection
- Article 6(1)(f) GDPR – legitimate interests in security, stability, abuse prevention and preventing conflicting or unauthorised parallel game writes
5. Retention periods
| Data category | Retention period |
|---|---|
| Account data | Until the account is deleted |
| Legacy country/residence data and approximate location | Until the account is deleted |
| Game statistics, leaderboard points, saved positions | Until the account is deleted |
| Subscription status | Until the account is deleted, subject to Stripe's own privacy terms |
| Stripe webhook events (technical billing logs) | For the period required for billing, error analysis and abuse prevention; afterwards deleted or anonymised |
| Email verification token | A few hours, deleted after successful verification |
| Password reset token | Up to 10 minutes, expired tokens are regularly deleted |
| Remember-me token | Up to 30 days, revoked on logout or password change |
| Technical client identifier for active game control and lease state | For the duration of the active unfinished game; deleted on game completion, and may be overwritten earlier on a new lease or device switch |
| Rate-limiting log | Minutes to hours, regularly deleted |
| Failed login data | Up to 30 days, regularly deleted |
| Page analytics | Stored for evaluation purposes; may be anonymised when the account is deleted |
When an account is deleted, account data, access tokens and gameplay data directly tied to the account are deleted. Some technical statistics and security-related data may remain temporarily without direct user reference and are later deleted or anonymised.
Archived leaderboard entries may remain in anonymised form without a direct link to the account.
6. User rights
Subject to the applicable legal conditions, you have the following rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to processing based on legitimate interests
Requests: [email protected]
You also have the right to lodge a complaint with any supervisory authority in an EU Member State. For Bavaria, this is the Bavarian State Office for Data Protection Supervision (BayLDA).
7. Data security
- Passwords are stored only as hashes, never in plain text
- CSRF protection and session security measures
- Rate limiting to defend against abuse
- Regular security updates
8. Processors and data transfers
| Provider | Role | Location |
|---|---|---|
| netcup GmbH | Web hosting and email infrastructure | Germany |
| Stripe, Inc. | Payment service provider for subscriptions | USA (based on the EU-US Data Privacy Framework) |
Cloudflare, Inc. provides DNS resolution for the domain. Actual web traffic does not pass through Cloudflare's servers; for DNS requests, Cloudflare's own privacy terms apply.
No data is transferred to third parties for advertising or tracking purposes.
International transfers: Stripe, Inc. is based in the United States. Transfers take place under the EU-US Data Privacy Framework and other appropriate safeguards.
When an account with Stripe-related activity is deleted, billing- or tax-related data required by law may continue to exist under Stripe's own responsibility. Ongoing subscriptions must be cancelled through the Stripe Customer Portal.
9. Children's privacy
The service is not directed at persons under 16 years of age. If we become aware that we process data of a person under 16 without valid consent, we will delete it without undue delay. Notifications: [email protected]
10. Global availability
quadroplace.com operates under the data protection laws of the European Union (GDPR), which are among the highest privacy standards worldwide. The same privacy standards are applied to users outside the EU.
COOKIE NOTICE
quadroplace.com uses technically necessary cookies and one functional preference cookie for language selection:
| Cookie name | Type | Purpose | Retention |
|---|---|---|---|
| PHP session cookie (PHPSESSID) | Strictly necessary | Login and session management | Until the browser is closed |
| remember_me | Optional, activated by the user | “Keep me signed in” function | Up to 30 days |
| _qp_lang | Functional preference cookie | Stores the selected language | Up to 1 year |
CSRF protection: the security token is stored server-side in the session, not as a separate cookie.
During an active game, a locally generated technical client identifier may also be stored in the browser's sessionStorage to prevent simultaneous conflicting saves. This is not a cookie, not a hardware identifier, and is not used for tracking or marketing.
No tracking, analytics or marketing cookies are used. Under the ePrivacy rules and the German TTDSG, no separate consent is required for technically necessary cookies.
Contact: [email protected]
Last updated: May 25, 2026