Data protection policy
Controller
The controller responsible for data processing on this website is Bennedik Online Marketing GbR. For the full postal address please see the Impressum. You can contact us at [email protected].
Personal data when you register
You can use this website without any personal data if you don't register.
If you register, you have to enter your email address. We process it to operate your account and to send you
security-related emails (a confirmation email after registration, and a password reset email if you request one).
The legal basis is the performance of our contract with you (Art. 6(1)(b) GDPR).
We also ask for a name. You can enter your real name or an alias. If you enter your real name, you consent to us
storing it (Art. 6(1)(a) GDPR). The name is shown to you in the menu as a link to your settings and is not shared with anybody else.
You can opt in to receive our newsletter and to join the leaderboard. Both are based on your consent (Art. 6(1)(a) GDPR),
which you can withdraw at any time with effect for the future. If you join the leaderboard, your name and results are shown there.
We keep this account data until you delete your account.
Payments (Premium membership)
If you buy a Premium membership, payment is processed by Stripe Payments Europe, Limited. We do not see or store your
full card details. For each payment we store the amount, currency, date, product, buyer email address, the country
you bought from (needed to apply the correct VAT), and a payment reference. For club purchases, we also store a VAT
ID if you provide one. Where relevant, we store withdrawal/refund status and a withdrawal link token for gift
purchases. The legal basis is the performance of the purchase contract, including order confirmation and handling
withdrawals or refunds (Art. 6(1)(b) GDPR).
Payment and invoice records have to be retained for up to 10 years under German tax and commercial law
(e.g. § 147 AO, § 257 HGB). This is a legal obligation (Art. 6(1)(c) GDPR) and takes precedence over a request for
erasure, so we keep these records even after an account is deleted.
Cookies and consent
This website uses cookies that are strictly necessary for technical reasons, including a session cookie and an
authentication cookie that identifies registered users who are logged in. These are stored on the basis of
§ 25(2) TDDDG and our legitimate interest in operating the site (Art. 6(1)(f) GDPR).
Cookies that are not strictly necessary — in particular for analytics and advertising — are only set after you have
given your consent via our consent banner (§ 25(1) TDDDG, Art. 6(1)(a) GDPR). You can change or withdraw your consent
at any time using the "Privacy Preferences" link in the footer. Consent management is provided by Sourcepoint.
Analytics
Subject to your consent, we use Google Analytics 4, a service provided by Google Ireland Ltd., to understand how the website is used. This may involve the transfer of data to Google LLC in the USA (see "International transfers" below). You can withdraw your consent at any time via the "Privacy Preferences" link.
Advertising
On pages with advertising, and subject to your consent, advertising partners including Google may set cookies and similar technologies to display ads and, where you have consented, personalised ads. You manage this consent through the consent banner / "Privacy Preferences" link.
Email delivery
Transactional emails (such as confirmation, password reset and purchase confirmation emails) are sent on our behalf by Twilio SendGrid. This may involve the transfer of data to the USA (see "International transfers").
Server log and content delivery
In normal operation, we do not keep separate web server access logs. For troubleshooting and security, Azure App
Service and our application may create diagnostic or error logs. These logs may include technical request data such
as IP address, browser information, requested URL, time of the request, error details and, where relevant, account
or payment references. We use these logs only to operate, secure and debug the service. Diagnostic logging is
normally disabled or limited and is retained only for as long as needed for troubleshooting, according to the
configured retention period. The legal basis is our legitimate interest in a stable and secure service
(Art. 6(1)(f) GDPR).
We use Cloudflare as a content delivery network and security proxy. Cloudflare processes connection data, including
your IP address, to deliver the site and protect it against attacks.
International transfers
Some of the providers above (Google, Stripe, Twilio SendGrid, Cloudflare) may process data outside the EU/EEA, in particular in the USA. Such transfers are safeguarded by the EU-U.S. Data Privacy Framework and/or the EU Standard Contractual Clauses.
Puzzle progress and usage data
We keep track of which puzzles you have already solved to ensure you don't see the same puzzle more than once.
This includes the ID of the puzzle, the date and time you solved it, and whether you selected the puzzle as a favorite.
Registered users can see a list of the last solved puzzles and their favorites.
We also calculate a rating for you, so that you get puzzles with a difficulty corresponding to your puzzle-solving level.
If you are logged in, this information is stored in our database as part of your account so we can provide your
puzzle history, favorites, rating and personalized puzzle selection (Art. 6(1)(b) GDPR). If you are not logged in,
it is kept in the session and is lost when you leave the website.
Your rights in connection with your personal data
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information, where there is no good reason for us continuing to process it (note the legal retention obligations for payment records described above).
- Object to processing of your personal information where we are relying on a legitimate interest, including processing for direct marketing purposes.
- Request the restriction of processing of your personal information.
- Request the transfer of your personal information to another party.
- Withdraw your consent at any time, with effect for the future, where processing is based on consent.