Privacy Policy

The following information provides an overview of how personal data is processed when you use stateguessr.com. Personal data means any information that can identify you personally. This privacy policy has been adapted to the actual features and services used by stateguessr.

The controller responsible for data processing on this website is Ben Böck, Solla 17, 94078 Freyung, Germany, email: ben.boeck@protonmail.com. The controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data.

This website is delivered using services from Cloudflare. In that context, technically necessary connection and access data such as IP address, request timestamps, browser details, and system information may be processed to provide the service securely and reliably. The legal basis is Art. 6(1)(f) GDPR. Further information is available at https://www.cloudflare.com/privacypolicy/.

When you access the website, technically necessary data is processed to deliver content correctly, defend against attacks, and ensure the availability of the service. If you use the games, gameplay-related data such as game mode, inputs, scores, leaderboard positions, seed-related validation data, exact mastery target ids, per-target played and solved counts, and timestamps of use may also be processed to provide the gameplay and prevent abuse.

If you create an account, we process in particular your username, email address, password hash, language preference, theme preference, and account-related gameplay, statistics, and mastery data. We use technically necessary HTTP-only cookies for sign-in and session management. For email verification and password resets, we send transactional emails via Resend. Authorized administrators may also access account metadata, session metadata, statistics, mastery records, and leaderboard records to operate the service, prevent abuse, handle support requests, and enforce the terms. Depending on the specific case, processing is based on Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR, and where required Art. 6(1)(a) GDPR.

Profiles are public by default. We store your visibility choice, approved avatar state, pending avatar ticket state, and friendship data so the social layer can work. Public profiles expose the mastery book and approved avatar to everyone. Private profiles are friends-only in full; non-friends can still see your username, that the account exists, and your leaderboard entries with rank and score so they can send a friend request. Pending avatar uploads are only shown back to the uploading user until administrators approve them through the support-based review ticket. Depending on the specific case, processing is based on Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

For live non-ranking games, we store exact target-level mastery history so the mastery book can show how often each country, capital, or subdivision target was played and mastered on the first try without hints. Ranking and archived games are excluded.

If you contact us through the support inbox, we process the information you submit there, such as title, ticket type, message text, email address, read-state metadata, event history, and optional image attachments. Ticket metadata and messages are stored in our database, while uploaded images are stored separately so they can be displayed in the website. Avatar approval requests use the same support infrastructure, which means avatar review messages, review outcomes, and related attachments are stored as part of that ticket history. Authorized administrators can view and respond to support tickets, delete individual attachments, and close or remove tickets when necessary. Closed tickets are retained for a limited period and may be removed automatically by our cleanup job. If support email updates are enabled by an administrator, we may also send text-only email notifications that mention attachment counts and link back to the website instead of forwarding image files.

stateguessr uses technically necessary HTTP-only cookies for sign-in and session security. The web application also stores language, theme, anonymous gameplay and stats data, mastery progress for exact live-game targets, install-prompt status, and your cookie preference locally in the browser. This storage is used for technical delivery, security, and a consistent user experience. Google Analytics cookies are only set if you grant analytics consent, and Google user-provided data collection only runs where the corresponding feature is enabled and your analytics consent allows it.

We use two analytics services. Cloudflare Web Analytics helps us measure reach, stability, and aggregate usage without cookies on the basis of our legitimate interests under Art. 6(1)(f) GDPR. We also use Google Analytics 4, provided by Google Ireland Limited and Google LLC, with consent mode. In consent-required regions, Google Analytics loads with denied defaults until you decide; no analytics cookies are set unless you grant consent. If you consent, Google may process online identifiers, browser and device information, approximate location, and interaction data to provide usage reports. We have also enabled Google Signals, which may associate data from your visit with information from signed-in Google account users who have separately consented with Google, in order to support cross-device reporting and broader audience insights. In addition, where Google's user-provided data feature is enabled, Google may collect hashed user-provided data from supported form inputs, such as email addresses, for analytics measurement. Ad personalization remains disabled in our site-level tag configuration. The legal basis for Google Analytics, Google Signals, and this user-provided data processing is your consent under Art. 6(1)(a) GDPR. You can change or withdraw that consent at any time via Cookie settings.

If you contact us by email, we process the information you provide in order to handle your request. This data will not be shared without your consent unless we are legally required to do so or disclosure is necessary to process your request.

Subject to the applicable legal requirements, you have the right to access, rectification, erasure, restriction of processing, data portability, and to object to certain processing activities. You may withdraw consent previously given at any time with effect for the future. You also have the right to lodge a complaint with a competent data protection supervisory authority. If you have questions about privacy or want to exercise your rights, contact us at ben.boeck@protonmail.com. Authenticated users can also export their stored account data as JSON and initiate account deletion from the user area.