Privacy Policy

Last updated: 18 March 2026


1. Introduction

This Privacy Policy explains how Nonograms Club ("we," "us," or "our"), operated at nonograms.club, collects, uses, stores, and protects your personal data when you visit our website, create an account, submit listings, make payments, or otherwise interact with our services.

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. By using our service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is the operator of Nonograms Club, based in Germany (European Union). Our servers are hosted in the European Union (Germany) by Contabo GmbH. You can reach us via our Contact page.

3. Data We Collect

3.1 Account Data

When you register an account, we collect:

  • Name or display name
  • Email address
  • Password (stored as a bcrypt hash - we never store plaintext passwords)

3.2 OAuth Data from Third-Party Providers

If you sign in using a third-party OAuth provider, we receive limited profile data from that provider. We support sign-in via: Google, GitHub, Discord, Microsoft, Twitter/X, LinkedIn, Facebook, and Apple.

From these providers, we typically receive:

  • Name or display name
  • Email address
  • Profile picture URL
  • OAuth account identifier (unique ID from the provider)

We do not receive or store your password from any OAuth provider. We do not request access to your contacts, posts, repositories, or other data beyond basic profile information. Each provider's consent screen shows exactly what data will be shared before you authorise.

3.3 Profile Data

You may optionally provide:

  • Biography, location, website URL
  • Social media handles (Twitter/X, LinkedIn, GitHub, etc.)
  • Profile avatar

3.4 Listing Data

When you submit a website listing, we collect:

  • Website URL and name
  • Description, category selection, and tags
  • Screenshots or logos you upload
  • Verification badge status

3.5 Payment Data

Payment card details are collected and processed directly by our third-party payment processors (Stripe, PayPal, Dodo Payments, LemonSqueezy). We never receive or store your full card number, CVV, or bank account details. We receive and store:

  • Transaction ID and payment status
  • Amount paid and currency
  • Payment processor used
  • Billing email (if different from account email)
  • Last four digits of card (for display purposes only)

3.6 Usage and Technical Data

  • Pages visited, buttons clicked, and features used
  • Votes cast, reviews written, collections created, and points earned
  • Referral source (HTTP referrer URL)
  • Device type, browser type and version (user agent), and screen resolution
  • IP address (stored only in hashed/anonymised form for analytics and abuse prevention)
  • Approximate geographic region (derived from IP, not stored as precise coordinates)

3.7 Communication Data

  • Messages sent through our contact form
  • Email correspondence with our support
  • Newsletter subscription preferences

4. Lawful Basis for Processing (GDPR)

Under Article 6 of the GDPR, we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide our services to you - account creation, listing submission, payment processing, and backlink delivery.
  • Legitimate interests (Art. 6(1)(f)): Analytics to improve our service, anti-fraud detection, abuse prevention, and security monitoring. We balance our interests against your rights and freedoms and do not use this basis where your interests override ours.
  • Consent (Art. 6(1)(a)): Newsletter emails, optional analytics cookies (Google Analytics), OAuth sign-in with third-party providers, and optional profile data you voluntarily provide. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation (Art. 6(1)(c)): Retaining payment records for tax compliance (§ 147 AO, § 257 HGB) and responding to lawful requests from authorities.

5. How We Use Your Data

  • To create and manage your account and authenticate your sessions.
  • To process listing submissions, reviews, votes, and directory operations.
  • To process payments and issue receipts for premium listings.
  • To send transactional emails: account verification, listing approval/rejection, badge alerts, and payment confirmations.
  • To send the optional weekly digest newsletter (unsubscribe at any time via the link in each email).
  • To operate the gamification system (points, tiers, leaderboards, badges).
  • To detect, prevent, and respond to fraud, spam, abuse, and security incidents.
  • To generate aggregated, anonymised analytics to improve the platform.
  • To comply with legal obligations, including tax reporting and responding to lawful government requests.
  • To enforce our Terms of Service.

6. Cookies and Tracking Technologies

We use the following cookies, categorised by type:

6.1 Strictly Necessary (Essential)

These cookies are required for the platform to function. They cannot be disabled.

Cookie | Purpose | Duration
next-auth.session-token | Authenticates your session (JWT) | Session / 30 days
next-auth.csrf-token | Prevents cross-site request forgery | Session
next-auth.callback-url | Stores the redirect URL after login | Session

6.2 Functional Cookies

Cookie | Purpose | Duration
_GRECAPTCHA, rc::a, etc. | Google reCAPTCHA bot protection | Session / 6 months

6.3 Analytics Cookies (Optional)

These are only loaded when Google Analytics is configured by the site administrator.

Cookie | Purpose | Duration
_ga, _gid | Google Analytics - anonymised usage tracking | Up to 2 years

We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies.

You can manage cookies through your browser settings. You can opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on. Google Analytics is subject to Google's Privacy Policy.

7. Third-Party Data Processors

We share personal data with the following third-party processors, strictly as necessary to operate our service:

Processor | Purpose | Data Shared | Privacy Policy
Stripe | Payment processing | Email, payment details | stripe.com/privacy
PayPal | Payment processing | Email, payment details | paypal.com/privacy
Dodo Payments | Payment processing | Email, payment details | dodopayments.com/privacy
LemonSqueezy | Payment processing | Email, payment details | lemonsqueezy.com/privacy
Resend | Transactional email delivery | Email address, email content | resend.com/privacy
SMTP Provider | Email delivery (alternative) | Email address, email content | Per configured provider
Google Analytics | Website analytics (optional) | Anonymised usage data, cookies | google.com/privacy
Google reCAPTCHA | Bot protection | Interaction data, IP address | google.com/privacy
Google, GitHub, Discord, Microsoft, Twitter/X, LinkedIn, Facebook, Apple | OAuth authentication | Auth tokens (name/email/avatar received) | Respective provider policies
Contabo GmbH | Server hosting (EU/Germany) | All data stored on our servers | contabo.com/privacy

We do not sell, rent, or trade your personal data to any third party. We do not share data with data brokers, advertising networks, or any parties for marketing purposes.

8. International Data Transfers

Our servers are located in the European Union (Germany). However, some of our third-party processors (Stripe, PayPal, Resend, Google, and certain OAuth providers) are based in the United States and may process your data outside the EU/EEA.

Where data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, as incorporated into our agreements with US-based processors.
  • EU-U.S. Data Privacy Framework: Where processors are certified under the EU-U.S. Data Privacy Framework, we rely on this as an additional safeguard.
  • Adequacy decisions by the European Commission for countries deemed to provide an adequate level of data protection.

9. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

Data Category | Retention Period
Account data (name, email, profile) | Duration of account + 30 days after deletion
Listing data | Duration of account (or until listing removed)
Payment records | 10 years (§ 147 AO, § 257 HGB - German tax/commercial law)
Reviews, votes, user-generated content | Duration of account (anonymised on deletion)
Analytics and usage data | 2 years (anonymised/aggregated)
Contact form messages | 1 year
Server logs (hashed IPs, user agents) | 90 days

When you delete your account, we will erase or anonymise your personal data within 30 days, except where retention is required by law (e.g., payment records for tax purposes). User-generated content (reviews, votes) may be anonymised (attributed to "Deleted User") rather than deleted to preserve platform integrity.

10. Your Rights Under GDPR

As a data subject, you have the following rights under the General Data Protection Regulation:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restriction (Art. 18): You may request that we restrict processing of your data in certain circumstances (e.g., while we verify the accuracy of your data).
  • Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and have it transmitted to another controller.
  • Right to object (Art. 21): You may object to processing based on legitimate interests, including profiling. You may object to direct marketing at any time, and we will cease processing without exception.

We will respond to any data rights request without undue delay and at the latest within one month of receipt, as required by Art. 12(3) GDPR. Where a request is complex or we receive many requests, that period may be extended by up to two further months; if so, we will inform you of the extension and the reasons for it within the first month.

12. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). As we are based in Germany, the federal data protection authority is:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)

Graurheindorfer Str. 153, 53117 Bonn, Germany

www.bfdi.bund.de

For private companies, the competent German supervisory authority is usually the data protection authority of the federal state (Land) in which the company is established; the BfDI website links to all state authorities. You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

13. How to Exercise Your Rights

You can exercise any of your data protection rights by:

  • Visiting our Contact page and submitting a data rights request.
  • Updating your profile and preferences directly in your account settings.
  • Clicking the "unsubscribe" link in any marketing email to opt out of newsletters.
  • Deleting your account through the account settings page (this initiates erasure of your data).

We may ask you to verify your identity before processing your request to prevent unauthorised access to your data.

14. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • All connections encrypted via TLS/HTTPS.
  • Passwords stored as bcrypt hashes (bcrypt generates a unique salt for every password; we never store plaintext passwords).
  • IP addresses hashed before being stored for analytics.
  • Database access restricted and protected by firewall rules.
  • Regular security updates and patches applied to server infrastructure.
  • JWT-based session tokens that expire (the session cookie lives at most 30 days; see Section 6.1).
  • CSRF protection on all forms (see the next-auth.csrf-token cookie in Section 6.1).

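The measure "IP addresses hashed for analytics storage" (Sections 3.6 and 14) deserves a technical footnote on what hashing does and does not achieve. The following is an added illustration, not code from this policy or from the site's own implementation; the master key, the per-day key derivation and the sample addresses (RFC 5737 / RFC 3849 documentation ranges) are assumptions made for the example. It shows that an unkeyed hash of an IPv4 address can be reversed by simple enumeration, and that a keyed hash (HMAC) with a rotating key is the minimum needed for the stored value to be a pseudonym rather than the address in disguise.

```python
import hashlib
import hmac
import ipaddress
from datetime import date
from typing import Dict, Optional

# Constructed sample input: documentation-range addresses, not real visitor data.
SAMPLE_IPS = ["203.0.113.17", "198.51.100.250", "2001:DB8:0:0::1"]

# Assumed secret for the example. In a deployment it is generated once from a
# CSPRNG, kept out of the analytics database, and never logged.
MASTER_KEY = bytes.fromhex(
    "4f0b2d8e9a1c3f5e7d6b8a9c0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b"
)


def canonical(ip: str) -> str:
    """Normalise the address so equivalent spellings hash identically
    ("2001:DB8:0:0::1" and "2001:db8::1" are the same host)."""
    return str(ipaddress.ip_address(ip))


def naive_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address. This is what 'hashed IP' often means in
    practice, and it is only pseudonymous at best; see reverse_naive_hash."""
    return hashlib.sha256(canonical(ip).encode()).hexdigest()


def reverse_naive_hash(digest: str, network: str) -> Optional[str]:
    """Recover the address behind an unkeyed hash by enumerating a network.
    A /16 is 65,536 candidates and the whole IPv4 space is about 4.3 billion,
    which is minutes of work on one core: the digest is effectively the address."""
    for candidate in ipaddress.ip_network(network):
        if naive_hash(str(candidate)) == digest:
            return str(candidate)
    return None


def daily_key(master: bytes, day: str) -> bytes:
    """Derive a per-day key (day is an ISO date, e.g. "2026-03-18") so tokens
    from different days cannot be joined into a long-term profile. Note that a
    derived key can be regenerated while the master exists; a deployment that
    must make old tokens unrecoverable should use independently generated daily
    keys and delete them at the end of the retention window."""
    date.fromisoformat(day)  # reject anything that is not a real date
    return hmac.new(master, day.encode(), hashlib.sha256).digest()


def pseudonymise(ip: str, master: bytes, day: str, bits: int = 64) -> str:
    """HMAC-SHA256 of the canonical address under the day's key, truncated to
    `bits`. Without the key the enumeration attack above does not apply.
    Truncation only keeps the stored token short; 64 bits is still far more
    than needed to avoid accidental collisions between visitor addresses.
    While the key exists this is pseudonymisation (GDPR Art. 4(5)), not
    anonymisation; destroying the key is what makes the tokens anonymous."""
    if bits % 8 or not 32 <= bits <= 256:
        raise ValueError("bits must be a multiple of 8 between 32 and 256")
    mac = hmac.new(daily_key(master, day), canonical(ip).encode(), hashlib.sha256)
    return mac.hexdigest()[: bits // 4]


def demo_tokens(day: str = "2026-03-18") -> Dict[str, str]:
    """Tokens for the constructed sample addresses on one day."""
    return {ip: pseudonymise(ip, MASTER_KEY, day) for ip in SAMPLE_IPS}


if __name__ == "__main__":
    leaked = naive_hash(SAMPLE_IPS[0])
    print("unkeyed hash reversed to:", reverse_naive_hash(leaked, "203.0.0.0/16"))
    for ip, token in demo_tokens().items():
        print(f"{ip:>20} -> {token}")
```

The practical reading: an unkeyed hash of an IP address satisfies a "we hash IPs" statement but not a claim of anonymisation, because the input space is small enough to enumerate. A keyed, rotating hash with a short retention window for the key is the configuration under which the stored value stops being personal data.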
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

15. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR), via email and/or a prominent notice on our platform.
  • Document the breach, its effects, and the remedial actions taken.

16. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects concerning you, as described in Article 22 of the GDPR.

Content moderation decisions (such as listing approvals or rejections) are made by human reviewers. The gamification system (points, tiers, badges) is calculated automatically based on your activity, but these have no legal or financial effect and carry no monetary value.

17. Children's Privacy

Nonograms Club is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly. If you believe that a child under 16 has provided us with personal data, please contact us immediately via our Contact page.

18. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. Since there is no universally accepted standard for how to respond to DNT signals, we do not currently alter our data collection practices in response to DNT signals. If a binding standard is established, we will update this policy accordingly.

19. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Notify registered users by email at least 14 days before material changes take effect.
  • Display a prominent notice on our website for significant changes.

Your continued use of Nonograms Club after any changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account. We encourage you to review this page periodically.

20. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority (see Section 12).