Privacy Policy

Last updated: March 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:

[COMPANY NAME]
[ADDRESS]
Email: [EMAIL]

(hereinafter referred to as "we" or "Controller")

2. Overview of Data Processing

We only process personal data to the extent necessary for providing our Escape Experience platform and related services. Personal data is regularly processed only with the consent of the data subject or where processing is permitted by law.

3. Legal Basis for Processing

The processing of personal data is based on the following legal grounds under Art. 6 GDPR:

• Art. 6(1)(a) GDPR — Consent: Where we obtain consent from the data subject for the processing of personal data.
• Art. 6(1)(b) GDPR — Performance of a contract: Where processing is necessary for the performance of a contract (e.g., providing the game experience, session management).
• Art. 6(1)(f) GDPR — Legitimate interest: Where processing is necessary for the purposes of legitimate interests (e.g., platform security, error resolution).

4. Security Measures

We implement technical and organizational security measures in accordance with Art. 32 GDPR to protect the processed data. These include:

• Encrypted data transmission (TLS/SSL)
• Access control and authentication
• Regular security updates
• Limiting access to personal data to the necessary minimum

5. Types of Data Processed

The following categories of personal data may be processed in connection with our service:

• Master Data: Name, team name (if provided during use).
• Contact Data: Email address (for contact requests or registration).
• Usage Data: Pages visited, access time, game progress, puzzles solved, session data, time spent.
• Meta/Communication Data: IP address, device type, browser type, operating system, language settings.

6. Purposes of Processing

We process personal data for the following purposes:

• Providing the Game Experience: Enabling participation in GPS-based escape games, displaying puzzles, saving progress and leaderboards.
• Session Management: Creating and managing game sessions, synchronization between two player devices via WebSocket connections.
• Contact Requests: Handling incoming inquiries via email or contact form.
• Security: Protection against misuse, fraud, and technical disruptions. Detection and resolution of errors.

7. Storage and Deletion

Personal data is only stored for as long as necessary for the respective processing purposes:

• Session data: Automatically cleaned up after the game session expires (max. 24 hours).
• Leaderboard entries: Team name and score are stored permanently, provided users consent to publication.
• Contact data: Deleted after the inquiry is resolved and statutory retention periods have expired.
• Usage data and logs: Deleted after 30 days at the latest.

Statutory retention obligations remain unaffected.

8. Cookies and Local Storage

Our platform uses cookies and local storage to ensure functionality.

Essential Cookies and Storage (strictly necessary)

• Session cookies: To identify your game session and maintain the WebSocket connection.
• Cookie consent: Storage of your cookie preferences.
• Locale preference: Storage of the selected language (de/en).

Optional Cookies (currently not in use)

• In the future, optional analytics cookies may be used (e.g., for anonymized usage statistics). These will only be set with explicit consent.

You can manage and delete cookies at any time through your browser settings. Please note that disabling essential cookies may limit the functionality of the platform.

9. Hosting and Infrastructure

Our platform is hosted with the following third-party providers:

Vercel Inc.
440 N Baxter St, Los Angeles, CA 90012, USA
Purpose: Hosting the frontend (Next.js application). Vercel processes technical access data (IP address, access time, browser information).
Privacy Policy: https://vercel.com/legal/privacy-policy

Supabase Inc.
970 Toa Payoh North #07-04, Singapore 318992
Purpose: Database hosting (PostgreSQL), authentication. Supabase processes data stored in the database.
Privacy Policy: https://supabase.com/privacy

Render Services Inc.
525 Brannan St, Suite 300, San Francisco, CA 94107, USA
Purpose: Hosting the Go backend (API server, WebSocket). Render processes technical access data.
Privacy Policy: https://render.com/privacy

Data transfers to the USA are based on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and/or the EU-US Data Privacy Framework.

10. Rights of Data Subjects

You have the following rights regarding your personal data:

• Right of Access (Art. 15 GDPR): You have the right to request information about the personal data we process about you.
• Right to Rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate data or the completion of incomplete data.
• Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data, provided no statutory retention obligations exist.
• Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of processing of your data.
• Right to Data Portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
• Right to Object (Art. 21 GDPR): You have the right to object to the processing of your personal data at any time, where processing is based on Art. 6(1)(f) GDPR.
• Right to Withdraw Consent (Art. 7(3) GDPR): You may withdraw your consent at any time with effect for the future.
• Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority.

The competent authority for Austria is:

Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40–42
1030 Vienna, Austria
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at

11. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to adapt it to changed legal requirements or changes to our services and data processing. The current version is always available on this page. We recommend visiting this page regularly.