Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller is Numen Games S.L., a Spanish limited liability company. Contact: legal@numengames.com
2. Data We Collect
When you sign in with a wallet (SIWE)
- Ethereum address — stored in a session cookie
- Chain ID — used during signature verification, not stored
When you sign in with GitHub
- Username and email — from GitHub OAuth
- User ID — stored in session cookie
Automatically collected
- Favorites — stored in your browser's localStorage (never sent to our servers)
- Session data — httpOnly cookies for authentication
We do not use analytics services. We do not track your browsing behavior. We do not use advertising cookies.
3. Purposes and Legal Bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Authentication (wallet/GitHub) | Art. 6(1)(b) — contract performance |
| Admin access control | Art. 6(1)(f) — legitimate interest |
| CSRF protection | Art. 6(1)(f) — legitimate interest (security) |
| Legal compliance | Art. 6(1)(c) — legal obligation |
4. Data Retention
- Session cookies — 24 hours (wallet) or 7 days (GitHub)
- CSRF cookies — 5-10 minutes
- Favorites — stored locally in your browser until you clear them
- GitHub user records — until account deletion is requested
5. Data Sharing
We do not sell your data. We may share data with:
- GitHub — for OAuth authentication and data storage (as a processor)
- Vercel — hosting provider (as a processor)
- Cloudflare — CDN and R2 storage (as a processor)
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses or adequacy decisions approved by the European Commission.
6. Your Rights (GDPR)
You have the right to:
- Access — obtain a copy of your data
- Rectification — correct inaccurate data
- Erasure — request deletion
- Restriction — limit processing
- Portability — receive data in machine-readable format
- Object — oppose processing based on legitimate interest
- Withdraw consent — at any time
Contact: legal@numengames.com. Response within 30 days. You may also lodge a complaint with the Spanish Data Protection Authority (AEPD).
7. Security
We use HTTPS, httpOnly cookies, CSRF protection, and Zod-validated environment variables. Authentication uses cryptographic signatures (SIWE) and OAuth with state parameter validation.
8. Cookies
See our Cookie Policy for detailed information about cookies used on this Platform.
9. Children
The Platform is not directed at individuals under 16. We do not knowingly collect data from minors. Contact us if you believe we have collected such data.