Privacy Policy

How we handle data on flags.games. Contact us if you have questions or want to exercise your rights.

Last updated: 20 May 2026. This Privacy Policy explains how the operator of flags.games ("we", "us") handles personal data when you use flags.games (the "Service"). It applies to the public website and game experience at flags.games.

Who is responsible

For data protection questions, contact us at support@flags.games. We will identify the legal controller in replies when required (for example regulatory requests).

Data we collect

Depending on how you use the Service, we may process:

  • Gameplay and technical data: scores, challenge progress, difficulty, multiplayer room activity, and anti-cheat signals.
  • Anonymous session identifier: a cookie-based session token so solo play, rate limits, and basic analytics work without an account.
  • Account data (if you register): email address, authentication provider identifiers (Google/GitHub), username, avatar, XP, stats, friend code, and privacy preferences (such as leaderboard opt-out and friend-request settings).
  • Multiplayer: connection and room participation data processed by our game server.
  • Contact form: email, message content, reason for contact, optional page URL, and a device snapshot you submit with the form.
  • Security: IP address (from standard proxy headers) for bot checks, abuse rate limits, and similar verification when you sign in or use protected forms.
  • Client settings: sound, appearance, and privacy toggles stored in your browser (local storage) before or after sign-in.
  • Error and usage diagnostics: crash reports and product analytics in production (see service providers below).

Why we use data

We use data to run the game, secure the Service, improve features, respond to contact messages, and comply with law. Typical legal bases under GDPR include performance of a contract (accounts), legitimate interests (security, anti-cheat, analytics at a proportionate level), and consent where required (for example certain optional communications if we add them later).

Cookies and similar technologies

We use essential cookies (such as the anonymous session token) for core functionality. Production builds may load analytics scripts that set their own cookies or similar identifiers.

You can limit cookies in your browser settings; some features may not work without the session cookie.

Who we share data with

We do not sell your personal data. We use service providers that process data on our behalf, including:

  • Hosting, content delivery, and infrastructure providers.
  • Backend and database providers that store account and gameplay data.
  • Email providers for contact notifications and account messages such as verification or password reset.
  • Sign-in providers (for example Google or GitHub) when you choose social sign-in — their privacy policies apply to that sign-in.
  • Form and support routing providers for contact submissions.
  • Analytics and product-metrics providers in production.
  • Error and performance monitoring providers in production.
  • Security and bot-protection providers.

How long we keep data

We keep data only as long as needed for the purposes above, unless law requires longer retention. Account and gameplay data may be deleted or reset during beta. Contact messages are kept long enough to handle your request and improve support.

You can ask us about retention for your account by emailing the contact address below.

Your choices and rights

In the Service you can adjust privacy-related settings (for example opting out of public leaderboard activity or controlling friend requests) where those controls are available.

Depending on where you live, you may have rights to access, correct, delete, restrict, or object to processing of your personal data, and to lodge a complaint with a supervisory authority. Email us at the address below; we will respond within reasonable timeframes required by law.

If you signed in with a third party, you can also manage some data in that provider's account settings.

Security

We use technical and organisational measures appropriate to a web game (encryption in transit, access controls on providers, rate limits, and monitoring). No online service can guarantee perfect security.

Children

The Service is not directed at young children. If you believe a child has given us personal data without appropriate permission, contact us and we will take reasonable steps to delete it.

International transfers

Our providers may process data in the European Union, United States, or other countries. Where required, we rely on appropriate safeguards offered by those providers (such as standard contractual clauses).

Changes to this policy

We may update this Privacy Policy. The date at the top will change when we do. Material changes may be described on the site or by email where appropriate for account holders.

Contact

Privacy questions and requests: support@flags.games (subject line "Privacy" helps us route your message).

See also our Terms of Service for rules on using the Service.