🎯SYTW

Privacy Policy

Version 1.4 — effective from May 19, 2026

1. Data Controller

Thorsten Ahrens
Zillestr. 75, 51067 Köln, Deutschland
Phone: +49 174 6628053
E-Mail: contact@serahr.de
USt-IdNr.: DE363343172

1a. Data Protection Officer

We have not appointed a data protection officer. Under Art. 37 GDPR no appointment is required because we neither carry out large-scale processing of special categories of data nor systematic monitoring of data subjects, and we employ fewer than 20 persons routinely processing personal data.

2. Overview: What Data Is Processed?

Most of the website can be used without registration. Games, jokes and horoscopes run entirely in your browser (client-side). The following data is automatically transmitted by your browser to the hosting infrastructure:

  • IP-address
  • Date and time of the request
  • Requested page/file
  • Browser type and version, operating system
  • Referrer URL (the page you came from)

Game-related data such as highscores and preferences for the lightweight browser games are stored exclusively in your browser's localStorage and are not transmitted to us.

Optionally you can create an account via Magic-Link-Login. We then additionally process: your e-mail address, a display name (default: prefix of your e-mail), session cookies and — depending on the feature you use — saved game projects of the Arcane Depths editor (rooms, items, settings) as well as a credits balance. Details on these processings can be found in sections 3, 7 and 9.

3. Legal Basis

  • Art. 6 Abs. 1 lit. f DSGVO legitimate interest (server logs for security, error analysis, and delivery of the website; cookie-free reach analytics; abuse prevention). Legitimate interest: secure and stable operation of the website; balance of interests: only technically necessary data is processed, no user profiles are built.
  • Art. 6 Abs. 1 lit. b DSGVO performance of a contract / pre-contractual measures (account management, Magic-Link login, storing your game projects and credits balance when you are logged in)
  • Art. 6 Abs. 1 lit. a DSGVO consent (sending the Magic-Link e-mail when you actively trigger a login request). You may revoke this consent at any time with effect for the future.
  • Art. 6 Abs. 1 lit. c DSGVO legal obligation (disclosure to law enforcement authorities under Regulation (EU) 2023/1543)

4. Hosting (Vercel)

This website is hosted on Vercel Inc. (440 N Baxter St, Covina, CA 91723, USA). Server log data is processed by Vercel for up to 30 days.
Legal basis for transfer to the USA: EU-U.S. Data Privacy Framework (DPF) pursuant to the adequacy decision of 10 July 2023, additionally Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

5. Cookies and Local Storage

This website uses no tracking cookies and no third-party trackers for advertising purposes. A cookie-free reach analytics service (Vercel Analytics) is active — see section 6.

Technically necessary cookies / local storage:

  • Game data (localStorage, on your device): highscores, settings of the lightweight browser games. Stays on your device, is not transmitted to us.
  • Login session (HTTP-only cookie, only after Magic-Link login): contains an encrypted session token issued by Supabase, no readable personal data. Required to keep you logged in. Deleted on logout or expiry.

Legal basis for these technically necessary accesses: § 25 Abs. 2 Nr. 2 TDDDG (Telecommunications and Digital Services Data Protection Act, replaced TTDSG on 14.05.2024).

6. Vercel Analytics (cookie-free)

This website uses Vercel Analytics, a cookie-free analytics service by Vercel Inc. (USA). Data collected: anonymised IP address (hashed + rotated daily, no traceability to the end user), requested page, referrer, user-agent, access time. No cookies are set, no fingerprinting techniques used, no user profiles built. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reach analytics for product development). Third-country transfer: USA (EU-U.S. Data Privacy Framework + SCCs pursuant to Art. 46(2)(c) GDPR). More info: vercel.com/legal/privacy-policy.

7. Data Processors (Sub-Processors)

ServicePurposeLocation
Vercel Inc.Website hosting, server logsUSA (DPF + SCCs)
Vercel Inc.Cookie-free reach analytics (Vercel Analytics)USA (DPF + SCCs)
Supabase Inc.Authentication (Magic-Link login), user database (profile, display name, credits, saved Arcane-Depths editor projects), session managementEU (Frankfurt)
Supabase Inc.Sending the Magic-Link e-mail (login e-mail with one-time link). The e-mail platform Supabase uses for this is documented in the Supabase privacy policy.EU (Frankfurt) / USA (DPA, SCCs)

DPF = EU-U.S. Data Privacy Framework, SCCs = Standardvertragsklauseln, AVV = Vereinbarung zur Auftragsverarbeitung

Data processing agreements (DPA) pursuant to Art. 28 GDPR exist with all listed processors. Supabase hosts the database in the EU region Frankfurt; the corporate entity Supabase Inc. is based in the USA, transfer is therefore additionally secured via Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Supabase's privacy policy: supabase.com/privacy.

Planned for a future version: a credits top-up feature with Stripe Inc. (USA) as payment processor. When it goes live, this section will be updated accordingly.

8. Disclosure to Law Enforcement

We may be legally required to disclose stored data to law enforcement authorities on the basis of a European Production Order or Preservation Order pursuant to Regulation (EU) 2023/1543. Such disclosure will only occur on the basis of a lawful order and within the legally prescribed scope.

9. Retention

  • Server logs (Vercel): up to 30 days
  • localStorage data (highscores, preferences for the lightweight games): until you delete it via your browser settings — we have no access to it
  • Account data (e-mail, display name, credits): until you delete your account. Accounts that remain inactive for more than 24 months are deleted by us together with the associated data after a prior notification e-mail.
  • Saved Arcane-Depths editor projects (rooms, items, versions): until you delete the projects or your account.
  • Login session (Supabase session cookie): until logout or expiry of the session token (configured maximum 1 week).
  • Magic-Link e-mails: the link is valid for 1 hour and is consumed once on click. Server-side e-mail delivery logs at Supabase are retained according to the Supabase retention policy.

10. Your Rights

Under GDPR you have the following rights:

  • Access (Art. 15) — what data we store about you
  • Rectification (Art. 16)
  • Erasure (Art. 17)
  • Restriction (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21)
  • Withdrawal of consent (Art. 7 Abs. 3) — with effect for the future, especially regarding the consent given for the Magic-Link e-mail dispatch

To exercise these rights, please contact us at: contact@serahr.de

11. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Serahr is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestr. 2-4, 40213 Düsseldorf.

12. Automated Decision-Making

No automated decision-making within the meaning of Art. 22 GDPR takes place.

13. Contact

If you have questions about data protection, please contact us:
E-Mail: contact@serahr.de

14. Changes

This privacy policy may be updated when required. The current version with date is always displayed on this page. Material changes (e.g. introduction of paid features or new categories of processing) will be communicated to logged-in users in an appropriate manner before they take effect.

15. Minors / Children

Spendyourtimewisely.de is open to all ages — games, jokes and horoscopes are also attractive to children and teenagers. This policy therefore addresses data protection for minors explicitly, following the recommendations of the German Data Protection Conference (DSK) on Safer Internet Day 2026.

What this means in practice:

  • No data of minors is stored on our servers. Games run entirely in the browser (client-side). The only data reaching our hosting infrastructure are standard server logs (IP, time, requested page) — identical for adults and minors.
  • Login is optional, never required. The lightweight browser games, the jokes and the horoscope work completely anonymously without any account. An account (Magic-Link, only e-mail and display name) is only needed for the advanced Arcane-Depths editor — and even there only if a child actually wants to save their own projects on the server. We deliberately do not market accounts to children.
  • For children under 16: under Art. 8 GDPR / § 1626 BGB, account creation requires consent or authorisation by a holder of parental responsibility. If you suspect that a child under 16 has registered without such consent, please write to contact@serahr.de — we delete the affected account without delay.
  • Highscores and game preferences of the lightweight games stay on the child's device. They are written to the browser's localStorage and are never transmitted to us. Parents can delete them anytime via the browser settings (Settings → Privacy → Clear data for this website).
  • No tracking cookies, no advertising, no profiling. The cookie-free Vercel Analytics service mentioned in section 6 aggregates anonymised reach data — it cannot identify individual users and does not build any user profiles, including for minors.
  • Future features (e.g. server-side highscores, paid credits) are designed privacy-friendly from day one in accordance with Privacy by Design pursuant to Art. 25 GDPR. Where they require an account, they remain strictly opt-in.

Questions or concerns from parents or guardians: please contact us at contact@serahr.de. We respond to inquiries about children's data with priority.