Privacy Policy

The data controller is the editorial lead of Hammerpint, reachable at [email protected]. Their full identity is disclosed without delay to any person exercising their GDPR rights (access, rectification, erasure, portability) or on a reasoned request from a supervisory authority (CNIL).

When you sign in with Google (OAuth), we receive:

• your email address (primary identifier);
• your Google display name (editable later in your settings);
• your Google avatar URL (optional).

When you sign up with email + password, we record:

• your password as a bcrypt hash (the plaintext is never stored nor logged);
• a salted SHA-256 fingerprint of the IP address and user-agent used at sign-up, retained to prevent multiple-account creation — irreversible and not practically reversible to the original values.

As you use the service, we store:

• your language preference (fr/en);
• the armies and battles you create (units, options, battle outcomes);
• your IP address and browser user-agent, for security and abuse prevention;
• in-game chat messages, retained for the duration of the battle and up to 30 days afterwards (moderation);
• your cookie consent log (date, Accept/Refuse choice, user or session ID, salted SHA-256 hash of IP and user-agent) — see Cookie management page §4.

• Service delivery (contract performance): authentication, army persistence, battle flow;
• Service security (legitimate interest): abuse detection, anti-bot (Cloudflare Turnstile), moderation;
• Service-related communication (legitimate interest / consent): waitlist invitations, paused-game reminders;
• Cookie consent log (legal obligation, GDPR Art. 7(1)): proof that consent was obtained for the audience-measurement cookies.

No data is used for advertising purposes or sold to third parties.

• Active account: kept as long as the account is in use. Automatically deleted after 36 months without a login (the most recent successful login is timestamped on each sign-in);
• Deleted account: data removed within 30 days, except for mandatory retention (connection logs: 12 months);
• Waitlist: email retained until activation, or 24 months after sign-up if activation never occurs;
• Saved games: 21 days, then the service marks the game as expired and deletes it within 24 hours;
• Cookie consent log: 5 years (CNIL-recommended retention for proof of consent).

• DigitalOcean (infrastructure hosting) — EU;
• Cloudflare (CDN + Turnstile anti-bot) — US transfers covered by Standard Contractual Clauses;
• Google (OAuth authentication) — transfers covered by SCCs;
• Google Analytics 4 (audience measurement, only after your explicit consent) — anonymised IP, advertising features disabled (Google Signals OFF, ad personalization OFF), 2-month retention, transfers covered by SCCs;
• Anthropic (AI opponent, where applicable) — AI decisions run on anonymised game state; no account data is transmitted.

Under GDPR, you have the following rights:

• right of access, rectification, and erasure of your data;
• right to portability (JSON export of your armies on request);
• right to object and to restrict processing;
• right to withdraw consent at any time.

To exercise these rights: [email protected]. You also have the right to lodge a complaint with the French data protection authority, the CNIL.

Hammerpint uses a restricted set of strictly necessary cookies. See the Cookie management page for details.

This policy may be updated to reflect service or regulatory changes. The last-updated date is displayed at the top of this page.