Privacy Policy
1. Controller
2. Scope
This Privacy Policy applies to the lastegg.io web application available at lastegg.io and all associated features. It is designed to comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
3. Data We Collect
3.1 Account & authentication data. When you create an account we collect your email address and, optionally, a username and self-selected country. Authentication is handled by Supabase Auth (Supabase Inc.). Passwords are stored only as salted hashes.
3.2 Google sign-in (OAuth 2.0). If you sign in with Google, Google shares your Google account ID, email address and display name with us. We never receive your Google password.
3.3 Gameplay data. We store your tap count, daily/weekly/all-time tap statistics and your position in the leaderboards. This data is the core of the game.
3.4 Device & security data. To protect the game from bots, scripts and abuse, we collect a device fingerprint (derived from browser/hardware characteristics), your IP address (truncated/hashed) and interaction metadata such as tap rhythm. Cloudflare Turnstile is used as a human-verification challenge.
3.5 Cookies & local storage. We use strictly necessary cookies and browser local storage to maintain your session (auth token), remember your cookie consent and store temporary guest gameplay data before you create an account.
3.6 Anti-bot & security logs. Suspicious activity (auto-clickers, coordinated farming, etc.) is recorded in security logs and automatically deleted after 90 days.
4. Legal Basis for Processing
- Art. 6(1)(b) GDPR (contract) – providing the game, account, leaderboards.
- Art. 6(1)(f) GDPR (legitimate interest) – anti-cheat, bot detection, network security, fraud prevention. Our interest is to ensure fair play and platform integrity.
- Art. 6(1)(a) GDPR (consent) – where required, e.g. for optional analytics cookies.
5. Data Retention
- Account & gameplay data: retained as long as your account is active. On deletion, removed within 30 days.
- Security / anti-bot logs: 90 days, then purged.
- Server logs: up to 14 days.
- Guest / local-storage data: only in your browser until sign-up or browser data is cleared.
6. Third-Party Processors
- Supabase (Supabase Inc., USA) – database hosting, authentication, realtime infrastructure. Transfers based on EU Standard Contractual Clauses (SCCs).
- Cloudflare Turnstile (Cloudflare, Inc., USA) – bot / abuse protection. Processes IP, browser signals and behavioural data for risk scoring. SCCs.
- Google (Google LLC / Google Ireland Ltd.) – OAuth identity provider when you choose Google sign-in.
7. Your Rights Under GDPR
You have the right to:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure / "right to be forgotten" (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Withdraw consent at any time with effect for the future
- Lodge a complaint with a supervisory authority (Art. 77 GDPR), e.g. LDI NRW in Germany
8. Deletion Requests
To request deletion of your account or personal data, email hey@lastegg.io from the address linked to your account. Deletion is completed within 30 days.
9. Security
All data is transmitted over TLS. Passwords are stored only as hashes (Argon2/bcrypt via Supabase Auth). Database access is protected by Row-Level Security (RLS). Rate limits and anti-bot heuristics prevent abuse.
10. Cookie Settings & Withdrawal
You can adjust or withdraw your cookie consent at any time: Cookie settings · Revoke consent.
11. Changes to This Policy
We may update this Privacy Policy in response to changes in law or to new features. The current version will always be available at this URL.