Privacy Policy

Short version: we only collect what we need to run the game, we store it on EU infrastructure, and you can delete it anytime.

1. Controller

The data controller is Polyák Csaba e.v. (brand: Hyperscales), 4324 Kállósemjén, Kölcsey Ferenc út 11., Hungary, Hungary. Tax number: 68747961-1-35. Contact for privacy matters: [email protected].

2. What we collect

Account data

• Email address (login + transactional mail).
• Password — stored as a PBKDF2-SHA-256 hash, never in plain text.
• Display name and company name you choose in-game.
• Optional: city (used to localise in-game flavour).

Gameplay data

• Your in-game state: servers, customers, tickets, finance log, achievements.
• LLM-generated content tied to your account (NPCs, dialogue, tickets).
• Aggregate usage signals (shifts completed, sessions per day) for product analytics.

Technical data

• IP address (transient, for rate-limiting and abuse detection).
• User-agent string and broad device class.
• Session token (cookie, see cookies).

What we don't collect

No third-party ad pixels, no Google Analytics, no Facebook Pixel, no cross-site trackers. We do not sell your data and never will.

3. Why we process it (legal basis)

• Performance of contract (GDPR Art. 6(1)(b)): account, gameplay state, session, support.
• Legitimate interest (Art. 6(1)(f)): abuse detection, rate-limiting, product analytics in aggregate.
• Consent (Art. 6(1)(a)): non-essential cookies / analytics — opt-in via the cookie banner.
• Legal obligation (Art. 6(1)(c)): tax / record-keeping (only if you buy something).

4. Where we store data

Account, gameplay and session data are stored in Cloudflare D1 (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA), pinned to EU regions where Cloudflare supports it. Cloudflare is a sub-processor; their EU Data Processing Addendum applies, including SCCs for any EU↔US transfers.

Static assets and edge requests are also served from Cloudflare's global network — no permanent user data is stored there.

5. Third parties (sub-processors)

• Cloudflare — hosting, D1 database, R2 object storage, CDN. DPA.
• Resend (Anti-Pattern, Inc.) — transactional email delivery. Privacy policy.
• Stripe — only if/when paid plans launch. Not active during free beta.
• LLM providers (OpenAI, Anthropic, Google or your own key) — receive only the prompt text needed to generate in-game content. No raw account data is sent.

6. How long we keep it

• Account + gameplay: as long as your account is active.
• After deletion request: erased within 30 days, except where law requires longer (e.g. billing records, 8 years per Hungarian tax law).
• Server logs: rolling 30 days.
• Aggregate analytics: indefinitely, but anonymised (no link back to individuals).

7. Your rights (GDPR)

You can:

• Access a copy of your data — email us, we'll send a JSON export.
• Rectify wrong data — most fields are editable in-app, others on request.
• Erase ("right to be forgotten") — see Section 9 of the Terms or email [email protected].
• Restrict or object to processing based on legitimate interest.
• Portability — export your data in a machine-readable format.
• Withdraw consent at any time (e.g. analytics) — toggle in the cookie banner.
• Complain to the Hungarian supervisory authority: NAIH (1055 Budapest, Falk Miksa u. 9–11.).

8. Cookies & similar tech

We use a small set of cookies. Details on the dedicated cookies page. Non-essential cookies are opt-in via the consent banner shown on your first visit.

9. Children

Hyperscales is not aimed at children under 16. We do not knowingly collect data from children below the GDPR digital-consent age (16 in Hungary). If you believe we have, please contact us and we'll delete it.

10. Changes

We'll update this page when we change how we handle data and bump the "Last updated" date. Material changes are also announced in-app.

11. Contact

Anything privacy-related: [email protected]. Abuse reports: [email protected].