What the Shell – Privacy Policy

1. Data Controller

Charles Smith (trading as Ludisto)
Gartenstr. 3a
10115 Berlin
Germany

Email:

If you have questions about your data or want to exercise any of the rights described below, email us. We’ll reply in English, German, or Esperanto.

2. What This Policy Covers

This policy explains what happens to personal data when you use What the Shell — the mobile and tablet app and the companion website at whattheshell.games. It applies to everyone, but it is written with the General Data Protection Regulation (GDPR / DSGVO) in mind because we are based in Berlin.

You can play What the Shell against the computer or in tutorial mode without an account and without sending any personal data to our servers beyond the minimal anonymous analytics described in section 3.5. Personal data is only collected when you choose to play online, which requires an account.

3. What We Collect and Why

3.1 Account data (only if you create an account)

Email address — so you can log in, receive confirmation and password-reset emails, and be contacted about your account.
Username (display name) — shown to your opponents in the inbox and during games. You choose it and can change it.
Password — stored only as a bcrypt hash, never in plain text.
Authentication tokens — JWT access tokens (signed, expire after 90 days) and short-lived one-time tokens used for email confirmation and password reset.

3.2 Game data

Game state — for every online game you play: the 9×9 board, move history, eggs, captures, turn counters, timestamps, and which two accounts played.
Ratings and stats — an Elo-style rating from your completed online games, plus win/loss/draw and sudden-death counts. You can see your own by signing in at whattheshell.games/login. Additional ratings (e.g. competitive ranked) may be added when new game modes ship.
Client version and platform — when you submit a move, your app attaches its version string (e.g. 2.6.0) and platform (iOS / Android) to the move record so we can diagnose platform- or version-specific bugs and know which client each move was made from.

Game records (moves, outcomes, timestamps, and the usernames of the two players) are visible to the two players of the game. We may also use individual games to showcase or promote the Service, as described in Terms of Service, section 6.

What is never shared publicly: your email address, IP address, password hash, push notification tokens, account metadata, and preferences.

3.3 Push notification data (only if you allow notifications)

When you grant notification permission in the app, your device issues a push token:

On iOS: an APNs device token provided by Apple.
On Android: an FCM registration token provided by Firebase.

We store this token against your account so we can notify you when it’s your turn, your opponent has resigned, a rematch has been requested, etc. You can revoke the permission in your operating system settings at any time — that invalidates the token and we stop being able to reach you.

3.4 Technical data (server logs)

Our hosting provider (Vercel) keeps standard HTTP access logs — things like IP address, user agent, request path, timestamp — for a short period, for security and operations. We do not read or aggregate these logs for analytics.

3.5 Anonymous in-app analytics

The app records two kinds of best-effort analytics:

Tutorial steps — which steps of the interactive tutorial a player reaches on first run. Keyed to a per-install random UUID, not to your identity.
AI game outcomes — when you play against the computer, we count wins/losses/draws per difficulty tier. If you’re signed in, these are attributed to your account so your AI stats follow you between devices; if you’re not signed in, they stay on the device.

We use these to understand whether the tutorial is working and whether the AI difficulty curve feels right. We do not use any third-party analytics, tracking, or advertising SDK.

3.6 Beta tester email updates

While What the Shell is in beta, every account created on the website is automatically enrolled in occasional email updates for testers. These messages cover things like new build releases, known issues, planned events, and other information directly relevant to your role as a beta tester. They are not promotional emails for the general public.

To unsubscribe, reply to any such email with “unsubscribe” and we will remove you from the list. Unsubscribing only affects these tester updates — you will still receive transactional emails (sign-up confirmation, password reset) because those are required to operate your account.

When the game leaves beta and reaches general release, this auto-enrollment ends. You will receive one final email inviting you to opt in to the post-launch newsletter; without that opt-in, you will not receive further updates from us.

3.7 Booth and demo devices

At in-person events and game-industry showcases, What the Shell may run on shared tablets in a special “booth mode” signed in to generic system accounts that we operate. If you play on one of those tablets:

You may be asked to type a short session name (e.g. a first name) so opponents can tell who they’re playing. This name is held only on the tablet for the duration of your session and is automatically discarded within 15 minutes.
The game record itself is preserved under the booth account’s username, not under your name. After the session-name is discarded, the historical record carries the booth account, not you.
No personal data about you is created on our servers. You don’t need an account to play on a booth device, and we don’t link booth play to any personal account you may already have.

4. Lawful Basis

We rely on the following lawful bases under Art. 6 GDPR:

Art. 6(1)(b) — performance of a contract. Account data, game data and push tokens are needed to deliver the game to you as described.
Art. 6(1)(f) — legitimate interests. Server logs (for security and abuse prevention), the minimal anonymous analytics (for improving the game), and beta tester email updates (Section 3.6 — keeping testers informed about the product they signed up to test) rely on our legitimate interest. These interests are balanced against your rights; if you object, contact us, or unsubscribe in the case of tester emails.
Art. 6(1)(a) — consent. Push notifications are sent only after you explicitly grant permission in the OS dialog.

5. Who We Share Data With

We use a small number of service providers (“processors” under GDPR) to operate the game. We have or are in the process of executing data processing agreements (DPAs / Standard Contractual Clauses) with each of them.

Provider	Purpose
Vercel Inc.	Hosts our website and API backend; serves web pages; writes server logs.
Upstash Inc.	Stores account and game data in a Redis database; daily backups to Vercel Blob.
Upstash QStash	Runs scheduled tasks (move deadline reminders, daily backups).
Resend	Delivers transactional emails (sign-up confirmation, password reset).
Apple Inc.	Delivers push notifications to iOS devices via APNs.
Google / Firebase	Delivers push notifications to Android devices via FCM.

All of the providers above are US-incorporated. Upstash Redis — which holds your account and game data — is configured to store that data in the EU (Frankfurt, eu-central-1). Data residency for the other providers is being verified during an in-progress service audit and will be reflected here as that work completes.

We do not sell or rent your data to anyone. We do not use it to profile you or to build advertising audiences.

6. International Transfers

All of the providers above are US-incorporated companies. Where personal data does cross to the United States, those transfers rely on the European Commission’s Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. The exception is Upstash Redis, where data is stored in the EU as noted above; the SCC framework still governs the processor relationship with the US-incorporated entity. You can request a copy of the relevant safeguards by emailing us.

7. How Long We Keep Your Data

Account data — for as long as your account exists. You can delete your account at any time via the /delete page on our website. You’ll be asked to sign in and confirm before any data is removed. On deletion we remove: your user record, email address, push notification tokens, head-to-head statistics, and any pending matchmaking entries. Active games you have not yet finished are forfeited to your opponent.
Finished games — game records (moves, outcomes, turn history) are preserved indefinitely with the usernames as displayed when the games were played. This applies to games you played before deleting your account as well — your move history remains attributed to the username you used at the time. Preserving this history matters because every game is part of the record between you, the person you played, and (for public games) the broader What the Shell community, and altering it retroactively would falsify that record. We process retained usernames under legitimate interest (GDPR Article 6(1)(f)) — specifically, the integrity of competitive rankings, the historical record of the game, and the interest of your former opponents and other viewers in an accurate account of the match. You can object to this processing at any time under Article 21 (see “Your rights” below); we will then replace your username in the affected records with a non-identifying label. You can also change your username to a non-identifying handle before requesting deletion if you prefer.
Server logs — retained by Vercel per their policy (usually no more than 30 days).
Backups — daily Redis snapshots are kept in Vercel Blob for 30 days, then automatically deleted.
Ephemeral tokens — email confirmation tokens (24 h), password reset tokens (1 h), one-time login tokens (15 min), join codes (72 h) all expire automatically.

8. Your Rights

Under GDPR you have the right to:

Access the personal data we hold about you.
Rectify data that’s wrong or out of date.
Erase your data (“right to be forgotten”).
Restrict or object to our processing.
Portability — get a machine-readable copy of your data.
Withdraw consent at any time (affects future processing only).
Complain to a supervisory authority. For Berlin residents this is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (datenschutz-berlin.de). You can complain to the authority in your own EU member state too.

To exercise any of these, email . We’ll respond within 30 days.

9. Security

Passwords are hashed with bcrypt. We never see your plaintext password.
All communication between app, website and server is over HTTPS/TLS.
JWT session tokens are signed (HS256) and expire after 90 days.
Password resets bump a server-side token version, invalidating any old sessions.
Redis access is authenticated with per-service tokens; backups are stored in a private Vercel Blob bucket.
We are a small operation. If a data breach affects you, we will notify you and the supervisory authority within 72 hours as required by Art. 33 and 34 GDPR.

10. Children

Accounts require you to be at least 16 years old, the DSGVO baseline in Germany. The game itself can be played without an account by anyone of any age — against the computer or through the tutorial — and collects only the anonymous analytics described in section 3.5.

11. Changes to This Policy

We may update this policy as the game evolves. If the change is material (new data categories, new processors, changes to your rights), we will announce it by email to registered users. The “last updated” date at the top of this page will always reflect the latest version.