Last updated: 15 June 2026
This Privacy Policy sets out the rules for collecting, processing and protecting Users' personal data when using the Privé game in the browser version (privegame.com), as well as the rules for storing and reading data on Users' Devices (Cookies).
This Privacy Policy is an integral part of the Terms of Service.
§1 Definitions
Service - the Privé platform: the browser version available at https://privegame.com (freemium game: first game free, one-time Privé+ and Privé Max packages).
Administrator - "bidibidibambam sp. z o. o.", ul. Puszkarska 7M, 30-644 Krakow, Poland.
User - a natural person using the Service.
Couple - two Users connected in the game via a private link.
Share link - a short identifier used to pair the second User with the game without creating an account or providing contact details.
Guest session - an anonymous token stored in an httpOnly cookie (TTL 30 days) that allows using the browser version without an account.
Browser fingerprint - an anonymous SHA-256 hash computed from User's browser characteristics (canvas, fonts, screen resolution, timezone, audio context, WebGL). The hash is one-way - original characteristics cannot be recovered nor can a person be identified.
Device - electronic equipment with software through which the User accesses the Service (computer, smartphone, tablet).
Cookies - text data stored as files on the User's Device.
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
Personal data - any information relating to an identified or identifiable natural person.
Special category data - data listed in Article 9 GDPR; in the context of Privé this concerns information about Users' sexual preferences expressed in their quiz answers and dare interactions.
Anonymisation - an irreversible process making it impossible to attribute a record to a specific person.
Pseudonymisation - processing data so that they can no longer be attributed to a specific person without additional information held separately.
§2 Data Protection Officer
Pursuant to Article 37 GDPR, the Administrator has not appointed a Data Protection Officer. For matters related to data processing, please contact the Administrator directly (§17).
§3 Types of Cookies
First-party cookies - placed by the Service (e.g. guest session token, language preference, cookie consent status).
Third-party cookies - placed by external services integrated with the Service (list in §7).
Session cookies - removed when the browser is closed.
Persistent cookies - remain on the Device until manually removed or expired (max 30 days for guest session, longer for preferences).
§4 Cookie security and control
Mechanism - Cookies use built-in browser mechanisms; they cannot fetch other data from the Device or execute code.
Security - session cookies (httpOnly, Secure, SameSite=Lax) are protected against reading by third-party JavaScript.
User control - Users may change cookie settings at any time in their browser (Chrome, Safari, Firefox, Edge, Opera) or in our consent banner.
Consequences of disabling - disabling cookies may prevent use of the browser version of the game (loss of guest session, no quiz answer persistence).
§5 Purposes of cookies
- Maintaining the guest session in the game (necessary cookie - no consent required)
- Remembering language preferences and cookie consent status (necessary cookie)
- Product analytics - anonymous usage measurement (consent cookie)
- Marketing and remarketing on third-party services (consent cookie)
§6 Purposes of personal data processing
Users' data are processed for one of the following purposes:
- Providing the Privé game service - freemium model: first game free, one-time Privé+ and Privé Max packages.
- Sending an invitation to the partner - Users may share a private link with their partner via SMS or email (fire-and-forget relay - we do not store the recipient address beyond the moment of sending).
- Payments - Stripe Checkout (one-time Privé+ / Privé Max).
- Real-time communication - Mercure Server-Sent Events synchronising the couple's game state across devices.
- Newsletter - sending promotional content after sign-up and email confirmation.
- Product and marketing analytics - understanding User behaviour (anonymous), product optimisation, advertising campaigns.
- Research and aggregate statistics - analysing anonymous answers from the post-quiz survey to understand trends in couples' preferences, and publishing findings as aggregate statistical summaries (details in §8.5).
- Security and abuse prevention - see §13 (Anti-abuse).
- Crash reporting - anonymous application error reports (Sentry).
- Pursuing the Administrator's legitimate interests.
§7 Cookies and scripts of external services
The browser version integrates scripts and components from the following partners (some may place their own cookies):
- Payments:
- Stripe (USA) - Stripe Checkout for Privé+ and Privé Max packages.
- Security / Anti-abuse:
- Cloudflare Turnstile (USA / EU) - invisible challenge protecting against bots (CAPTCHA alternative).
- FingerprintJS (open-source, client runtime) - generates a SHA-256 hash of unique browser characteristics (anti-abuse).
- Product analytics:
- Marketing:
- Meta (Facebook) Pixel + Conversions API (USA) - measuring conversions of advertising campaigns.
- Newsletter:
- Mailjet (EU) - sending mailings and partner invitation relay (fire-and-forget).
- Crash reporting:
- Sentry (EU host) - anonymous error reports.
Services provided by third parties are outside the Administrator's control. These entities may change their terms, privacy policies and cookie usage at any time without the Administrator's consent.
§8 Types of data collected
8.1 Anonymous data collected automatically:
- IP address (stored in Redis only for anti-abuse, TTL 30 days)
- Browser type (User-Agent), operating system, version
- Browser / device language
- Screen resolution
- Approximate location (based on IP - country/region)
- Pages visited, time spent
- Referrer URL
8.2 Data collected in the browser version (Web):
- Partner names (optional - solely for report personalisation, not required to play)
- Couple profile (fm / mf), chosen intensity level (discover / explore / unleash)
- Quiz answers (sexual preferences - special category data, Article 9 GDPR)
- SHA-256 browser fingerprint hash - anti-abuse
- Session token (httpOnly cookie, TTL 30 days)
- SHA-256 hash of email address (optional - only if the User opts in for an email reminder; we do not store the raw address)
- Email address from the „Send me the report link" form on the blurred report (optional - entered manually). The raw address is stored for a maximum of 7 days (to enable a resend of the link) and is then automatically purged by a scheduled job. We keep indefinitely only the SHA-256 hash of the address - for potential advertising audience matching (Facebook CAPI, Google Customer Match). Legal basis: Art. 6(1)(b) GDPR (service performance - sending the link) and (f) (legitimate interest - campaign measurement). Right to deletion of the hash: contact by email (§18).
- We do not collect: the raw email address permanently, phone number, identifying data, payment data (these are processed exclusively by Stripe).
8.3 Data collected for the Newsletter:
- Email address
- Optionally first name / nickname
- IP address (collected automatically for sign-up audit)
8.4 Payment-related data:
- Stripe - the Administrator does not store card data or other payment data. From Stripe we receive only: Stripe customer ID, payment status, transaction metadata (amount, currency, package).
8.5 Anonymous post-quiz survey:
- After completing the quiz we may offer you a short, voluntary survey. We store its answers anonymously - we do not link them to your name, email address or a specific couple.
- We reserve the right to use the findings from these surveys publicly - for example in press materials, on our blog, on social media or in marketing communications - solely in the form of aggregate statistical summaries.
- We publish such statistics only once the aggregate covers at least 1,000 couples, so that no individual person or couple can be identified from them. Data prepared in this way are fully anonymised and do not constitute personal data within the meaning of the GDPR.
§9 Third-party access to data
Users' data are not sold to third parties. Access to data - usually under a Data Processing Agreement (DPA) - is granted to the following entities necessary to operate the Service:
- Hosting / Infrastructure - Amazon Web Services EMEA SARL (eu-central-1, Frankfurt) - databases, application, Mercure SSE, Redis.
- Payments - Stripe Payments Europe.
- Invitation SMS - SMSPlanet (Poland).
- Invitation emails and Newsletter - Mailjet (EU).
- Anti-abuse:
- Cloudflare Turnstile (USA / global network),
- FingerprintJS (open-source, client runtime - hash sent to our API).
- Analytics: PostHog (EU host), Mixpanel (USA).
- Marketing: Meta (USA) - Pixel + Conversions API.
- Crash reporting: Sentry (EU host).
§10 Transfer of data outside the European Union
Some partners listed in §9 are based outside the EU (mainly USA): Stripe, Meta, Mixpanel. Data transfers are based on:
- Standard Contractual Clauses (SCC) approved by the European Commission,
- Adequacy decisions for transfers to the USA (EU-US Data Privacy Framework - for certified entities).
The Administrator prefers EU-hosted partners wherever possible (PostHog, Sentry, Mailjet, AWS Frankfurt).
§11 Legal bases for processing
- Article 6(1)(b) GDPR - performance of a contract (providing the game service, executing payments).
- Article 6(1)(f) GDPR - Administrator's legitimate interests (anti-abuse, analytics, security, own marketing).
- Article 6(1)(a) GDPR - User consent (Newsletter, marketing cookies, optional reminder email).
- Article 9(2)(a) GDPR - User's explicit consent to processing of special category data (sexual preferences - necessary to provide the game service; see §12).
- Polish Act of 10 May 2018 on Personal Data Protection.
- Polish Telecommunications Act of 16 July 2004.
§12 Special category data (Article 9 GDPR)
Given the nature of the service, the Privé game processes information about Users' sexual preferences, expressed in their quiz answers and dare interactions. These are special category data within the meaning of Article 9 GDPR.
- Legal basis - User's explicit consent (Article 9(2)(a) GDPR) given before starting the game. Without this consent, the service cannot be provided.
- Security measures:
- Encrypted SSL/TLS connection for every transmission,
- Pseudonymisation - answers linked to an anonymous couple identifier, not to a person,
- Data are never sold to third parties,
- Partner answers are revealed only when there is mutual agreement - rejected preferences remain secret from the other User,
- Retention as per §15 - guest couple 30 days, paid couple until deletion is requested.
- User rights - the User may withdraw consent at any time (by contacting the Administrator), which results in immediate cessation of processing and deletion of data.
§13 Anti-abuse and security
To protect the Service against abuse (bots, scrapers, artificial repeated use of the free game), the Administrator employs the following mechanisms in the browser version:
- Cloudflare Turnstile - invisible challenge verifying that the visitor is human, not a bot.
- Browser fingerprint (SHA-256) - anonymous hash of unique browser characteristics used to identify a returning Device without identifying the User.
- IP rate limit - limit of free games per IP address (max 3 / 30 days), implemented via a Redis sliding window.
- Content honeypot - when the limit is exceeded, the Service serves previously seen questions (without a block message).
Legal basis: Article 6(1)(f) GDPR - Administrator's legitimate interest in protecting the Service against abuse.
Anti-abuse data (IP, fingerprint) are stored solely in Redis memory with a TTL of 30 days and are never combined with data that could identify the User.
§14 Payments
- First game - completely free.
- One-time packages Privé+ and Privé Max - Stripe Checkout. The Administrator never has access to card data.
- Coupon ladder system X→Y - credit of the amount paid for upgrading from Privé+ to Privé Max (TTL 30 days from Privé+ purchase).
- Refunds - pursuant to the Terms of Service; in case of a refund we revoke access to the package.
§15 Data retention period
- Guest couple: 30 days from last access → automatic deletion (cron job).
- Paid couple (Privé+ / Privé Max): no time limit (legitimate interest - access to the purchased product); financial data (invoices) - 5 years pursuant to tax law.
- IP / fingerprint in Redis (anti-abuse): TTL 30 days.
- Server logs: 30 days.
- Newsletter: until the User unsubscribes.
- Sentry / PostHog: 30-90 days according to the operator's policy.
§16 User rights
Each User has the following rights under the GDPR:
Right of access (Article 15 GDPR) - information about the data being processed.
Right to rectification (Article 16) - correcting inaccurate data.
Right to erasure ("right to be forgotten") (Article 17):
- Guest couple - automatic expiry after 30 days, or earlier on email request,
- Paid couple - by email request to the Administrator.
Right to restrict processing (Article 18) - temporary suspension of processing in cases listed in the GDPR.
Right to data portability (Article 20) - receiving data in a structured format (JSON / CSV).
Right to object (Article 21) - to processing based on legitimate interest (analytics, marketing).
Right to withdraw consent (Article 7(3)) - at any time; applies, among other things, to consent for processing special category data (Article 9), Newsletter, marketing cookies.
Right to lodge a complaint with a supervisory authority - Polish President of the Personal Data Protection Office (uodo.gov.pl) or the supervisory authority in your country of residence.
All requests should be sent to the Administrator's email address (§17). We respond within 30 days.
§17 Contacting the Administrator
Postal address - bidibidibambam sp. z o. o., ul. Puszkarska 7M, 30-644 Krakow, Poland
Email - prive@privegame.com
§18 External links and User-generated content
The Service may contain links to external sites with which the Administrator does not cooperate. These links and any pages or files referenced may pose a risk to your Device. The Administrator is not responsible for content located outside the Service.
§19 Changes to the Privacy Policy
The Administrator reserves the right to amend this Privacy Policy.
Material changes (concerning processing purposes, third parties or User rights) will be communicated to Users with active accounts / Newsletter subscribers via email at least 7 days in advance.
The current version of the Privacy Policy is always published on this page with the date of last update.
Continued use of the Service after the introduction of changes constitutes acceptance of those changes. If the User does not accept the changes, they should stop using the Service.