Privacy Policy

Last updated April 2025

Our approach

KickOff is designed with minimal data collection as a first principle. We collect only what is strictly necessary to run a fair, abuse-resistant daily game. We do not advertise, track users across sites, or sell data.

What we collect

Daily play token

A signed JWT stored in an httpOnly cookie. Contains your session ID and today's puzzle date only. Expires at midnight UTC.

Attempt count

The number of guesses you have made today. Stored server-side as a count — we do not log which players you guessed.

Coarse fingerprint hash

A one-way SHA-256 hash of limited browser signals (user-agent prefix, accept-language, screen width) for soft abuse detection. Not a unique identifier.

Salted IP hash

A daily-rotating, salted hash of your IP. The raw IP is never stored. Cannot be reversed or linked across days.

What we do NOT collect

  • No user accounts or profiles
  • No name, email, or contact details
  • No raw IP addresses
  • No advertising identifiers
  • No cross-site tracking cookies
  • No personal statistics or history

Cookies

We set two cookies per day:

play_token: httpOnly · secure · expires midnight UTC. Signed JWT for session management.
play_official: Client-readable · expires midnight UTC. Indicates official vs. unofficial session.

These cookies are strictly functional. No analytics or advertising cookies are set.

Data retention

Session records are retained for 30 days and then deleted. No session data is linked to any identifiable individual.

Legal basis

Processing is based on legitimate interests (preventing abuse of a free service), with pseudonymisation and minimisation applied by design.

Note: This policy represents our best-effort GDPR alignment and does not constitute formal legal compliance certification.