Privacy Policy
Last updated: 4 June 2026
Translations of this document into other languages are provided for your convenience. In case of any discrepancy between this English version and a translation, the English version controls.
If you have questions about your data or want to exercise any of the rights described below, email us. We’ll reply in English, German, or Esperanto.
This policy explains what happens to personal data when you use What the Shell — the mobile and tablet app and the companion website at whattheshell.games. It applies to everyone, but it is written with the General Data Protection Regulation (GDPR / DSGVO) in mind because we are based in Berlin.
You can play What the Shell against the computer or in tutorial mode without an account and without sending any personal data to our servers beyond the minimal anonymous analytics described in section 3.5. Personal data is only collected when you choose to play online, which requires an account.
2.6.0) and platform (iOS / Android) to the move record so we can diagnose platform- or version-specific bugs and know which client each move was made from.Game records (moves, outcomes, timestamps, and the usernames of the two players) are visible to the two players of the game. We may also use individual games to showcase or promote the Service, as described in Terms of Service, section 6.
What is never shared publicly: your email address, IP address, password hash, push notification tokens, account metadata, and preferences.
When you grant notification permission in the app, your device issues a push token:
We store this token against your account so we can notify you when it’s your turn, your opponent has resigned, a rematch has been requested, etc. You can revoke the permission in your operating system settings at any time — that invalidates the token and we stop being able to reach you.
Our hosting provider (Vercel) keeps standard HTTP access logs — things like IP address, user agent, request path, timestamp — for a short period, for security and operations. We do not read or aggregate these logs for analytics.
The app records two kinds of best-effort analytics:
We use these to understand whether the tutorial is working and whether the AI difficulty curve feels right. We do not use any third-party analytics, tracking, or advertising SDK.
We send a newsletter with updates about What the Shell — new releases, events, and the odd featured game. It is entirely optional. You only receive it if you actively ask for it: there is an unticked checkbox on the sign-up form, and we never add you by default.
We use a double opt-in. When you tick the box (or sign up through a standalone newsletter form), we send a single confirmation email. You are only added to the list once you click the link in that email. If you never confirm, nothing further is sent, and your unconfirmed sign-up is automatically deleted after 14 days.
As proof that consent was given, we record the confirmation — the email address, the time you confirmed, the IP address from which you confirmed, and a version tag for the consent wording you agreed to. This record is our legal basis evidence under GDPR and is kept for as long as you remain subscribed.
You can unsubscribe at any time using the one-click link in the footer of every newsletter; you can also reply and ask. Unsubscribing affects only the newsletter — you will still receive transactional emails (sign-up confirmation, password reset) because those are required to operate your account. The newsletter is delivered by Resend (see Section 5); we do not sell or share the list.
At in-person events and game-industry showcases, What the Shell may run on shared tablets in a special “booth mode” signed in to generic system accounts that we operate. If you play on one of those tablets:
What the Shell grows mostly by players inviting friends. A player’s personal invite link contains a reference to the inviter; if you install and create your account through it, we record which player invited you. If the inviter is signed in, that reference is their account; if they don’t have an account, it is an anonymous per-install identifier — a random value containing no personal information and no device or hardware identifiers — which lets us credit them, including if they create an account later. We use this to understand how the game grows through word of mouth, to recognize the players who bring friends in, and to support friend-oriented features (such as seeing which of your friends are online). We process it under legitimate interest (GDPR Article 6(1)(f)). This information is never shown publicly, and we do not sell or share it (and never with advertising networks or data brokers). We may also record or correct this reference manually — for example, when a player tells us who invited them, or when it is reasonably clear from how accounts are connected (such as two players who mainly play each other). You can object to this processing at any time (see “Your rights” below), in which case we remove the reference.
We rely on the following lawful bases under Art. 6 GDPR:
We use a small number of service providers (“processors” under GDPR) to operate the game. We have data processing agreements (DPAs / Standard Contractual Clauses) in place with each of them.
| Provider | Purpose |
|---|---|
| Vercel Inc. | Hosts our website and API backend; serves web pages; writes server logs. |
| Upstash Inc. | Stores account and game data in a Redis database; daily backups to Vercel Blob. |
| Upstash QStash | Runs scheduled tasks (move deadline reminders, daily backups). |
| Resend | Delivers transactional emails (sign-up confirmation, password reset) and, if you opt in, the newsletter; holds the newsletter subscriber list. |
| Apple Inc. | Delivers push notifications to iOS devices via APNs. |
| Google / Firebase | Delivers push notifications to Android devices via FCM. |
All of the providers above are US-incorporated. Three of them are configured to store data in the EU: Upstash Redis (your account and game data) and Upstash QStash (scheduled tasks) in Frankfurt (eu-central-1), and Resend (transactional email and the newsletter list) in Ireland (eu-west-1). Apple (APNs) and Google / Firebase (FCM) are global push-delivery services, not regional data stores: they route notifications to your device and hold no game data. Vercel, which hosts the site and API, runs its serverless functions and server logs in the United States (iad1); the daily backups it stores for us are kept in the EU (Frankfurt, fra1).
We do not sell or rent your data to anyone. We do not use it to profile you or to build advertising audiences.
All of the providers above are US-incorporated companies. Where personal data does cross to the United States, those transfers rely on the European Commission’s Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. The exceptions are Upstash Redis, Upstash QStash and Resend, where data is stored in the EU as noted above; the SCC framework still governs the processor relationships with the US-incorporated entities. You can request a copy of the relevant safeguards by emailing us.
/delete page on our website. You’ll be asked to sign in and confirm before any data is removed. On deletion we remove: your user record, email address, push notification tokens, head-to-head statistics, and any pending matchmaking entries. Active games you have not yet finished are forfeited to your opponent.Under GDPR you have the right to:
To exercise any of these, email . We’ll respond within 30 days.
Accounts require you to be at least 16 years old, the DSGVO baseline in Germany. The game itself can be played without an account by anyone of any age — against the computer or through the tutorial — and collects only the anonymous analytics described in section 3.5.
We may update this policy as the game evolves. If the change is material (new data categories, new processors, changes to your rights), we will announce it by email to registered users. The “last updated” date at the top of this page will always reflect the latest version.