Privacy Policy

Last updated: 2026-05-28

1. Controller

CHANGE_ME
Musterstraße 1
12345 Musterstadt, DE
Email: kontakt@example.com

2. General information about data processing

We process personal data only insofar as it is necessary to provide a functional website as well as our content and services. Personal data is only collected with your consent, or where prior consent is not possible for factual reasons and processing is permitted by law.

3. Legal bases

4. Categories of data processed

4.1 Server log files

On every request the web server records: IP address, date and time, requested URL, HTTP status, referrer, user agent. Stored for max. 7 days for security and debugging (Art. 6(1)(f) GDPR).

4.2 Joining a game session

When you join a game with a code or QR link, we generate a random 64-character device token stored in your browser's local storage. If the host has enabled it, you also enter a display name. We do not require login, email or password. Data stored: device token, display name (optional), join timestamp, last activity timestamp (Art. 6(1)(b) GDPR).

4.3 Game progress

While playing, we store your answers, completed steps, used hints, ratings and (optionally) photos you upload, all linked to the device token. Data is deleted at the latest 30 days after the session ends, unless legal retention obligations apply.

4.4 Geolocation

Some game steps require your current location. We ask for consent via your browser before activating GPS. Coordinates are only used in your browser to determine if you have reached a target point — they are not stored on our servers (Art. 6(1)(a) GDPR). You can revoke consent at any time in your browser settings.

4.5 Camera

For QR code steps we access your device's camera. Camera consent is requested by your browser. Image data is only processed in your browser; we receive only the decoded QR text (Art. 6(1)(a) GDPR).

4.6 Contact form

When you contact us via the contact form we process: name, email address, optional phone, message text, IP address. Used for handling your request (Art. 6(1)(b) and (f) GDPR). Closed support tickets are deleted after 6 months unless legal obligations require longer retention.

4.7 Booking / purchase

For paid games we process: name, billing address, email, language, payment method, order number. Used for performing the contract and tax-compliant invoicing (Art. 6(1)(b) and (c) GDPR). Invoices are retained for 10 years (§ 147 AO).

4.8 Cookies and local storage

This website uses only strictly necessary cookies and local storage entries (Art. 6(1)(f) GDPR, § 25 (2) TDDDG):

NameTypePurposeLifetime
escape_adminCookieAdmin session (admin area only)Session
site_langCookieLanguage preference30 days
player_tokenLocalStorageAnonymous player identification within a sessionUntil cleared
themeLocalStorageDark/light theme preferenceUntil cleared
hapticsLocalStorageVibration feedback preferenceUntil cleared
cookie_notice_dismissedLocalStorageDismissed the cookie noticeUntil cleared
geo_consent_*SessionStorageRemembers your geolocation consent for this sessionTab session

5. Third-party services

5.1 Stripe (payment processing)

For card payments we use Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland. Stripe receives the data necessary to process the payment. Stripe's privacy policy: https://stripe.com/de/privacy. Legal basis: Art. 6(1)(b) GDPR.

5.2 PayPal (payment processing)

For PayPal payments we use PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. The PayPal SDK is only loaded on the checkout page. PayPal's privacy policy: https://www.paypal.com/de/legalhub/privacy-full. Legal basis: Art. 6(1)(b) GDPR.

5.3 OpenStreetMap

For map display we embed OpenStreetMap (operated by the OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom). When loading the map, your IP address is transmitted to OSM. Privacy policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy.

5.4 Email delivery

For transactional emails (booking confirmations, support replies) we use our hosting provider's SMTP service. Legal basis: Art. 6(1)(b) GDPR.

6. Recipients of data

We do not transfer your personal data to third parties beyond what is described above. The payment service providers (Stripe, PayPal) act as independent controllers within their own scope.

7. Transfer to third countries

Payment providers (Stripe, PayPal) may transfer data to non-EU countries on the basis of EU standard contractual clauses (Art. 46 GDPR) and an adequacy decision (where applicable).

8. Retention periods

9. Your rights

You have the following rights regarding your personal data:

To exercise these rights, contact us at kontakt@example.com.

10. Right to lodge a complaint

You have the right to lodge a complaint with the supervisory authority. The competent supervisory authority is the data protection authority of your federal state.

11. Changes to this privacy policy

We reserve the right to amend this privacy policy at any time to reflect changes in legal requirements or to our services. The current version is always available on this page.