Privacy Policy
Last updated: March 29, 2026
1. Who We Are
Hunchy (“we”, “us”, “our”) is a social prediction game operated at hunchy.io. We are based in Sweden (EU) and comply with the General Data Protection Regulation (GDPR).
Data Controller: Richard Sandenskog, richard@sandenskog.se
2. What Data We Collect
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, login, notifications | Contract |
| Display name | Shown on leaderboards | Contract |
| Google profile (name, email, avatar) | Google Sign-In | Consent |
| Predictions & scores | Core game functionality | Contract |
| Password hash | Authentication (never stored in plain text) | Contract |
| Session cookies | Keeping you signed in | Legitimate interest |
| Locale preference | Language selection | Legitimate interest |
We do not collect: location data, financial data, health data, browsing history, or device fingerprints.
We do not use any third-party analytics, advertising, or tracking services.
3. How We Use Your Data
- Running the prediction game (displaying your predictions, scores, leaderboard rankings)
- Sending optional email notifications (question resolved, contest completed, daily digest — you control these in Settings)
- AI-powered question generation (your data is not sent to AI services — only admin-provided topics are)
4. Data Sharing
We do not sell, rent, or share your personal data with third parties, except:
- Google — if you use Google Sign-In, Google processes the OAuth authentication
- Resend — email delivery service, processes your email address to send notifications
- Hetzner — our hosting provider (EU-based, Germany), stores data on our behalf
All processors are GDPR-compliant and data stays within the EU.
5. Data Retention
We keep your account data as long as your account exists. If you delete your account, we delete all personal data within 30 days. Anonymized, aggregated statistics (e.g. total predictions count) may be retained.
6. Your Rights (GDPR)
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data (you can edit your display name in Settings)
- Erasure — request deletion of your account and all associated data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — for Google Sign-In, disconnect via your Google account settings
To exercise any of these rights, email privacy@hunchy.io. We will respond within 30 days.
7. Cookies
We use only essential cookies:
- Session cookie (authjs.session-token) — keeps you signed in. Expires when you sign out or after 30 days.
- CSRF token (authjs.csrf-token) — prevents cross-site request forgery. Session-scoped.
- Locale cookie (NEXT_LOCALE) — remembers your language preference. Persists 1 year.
We do not use analytics cookies, advertising cookies, or any third-party cookies.
8. Security
We protect your data with:
- HTTPS/TLS encryption for all connections
- Passwords hashed with bcrypt (never stored in plain text)
- JWT session tokens with server-side secret
- Database hosted in EU (Hetzner, Germany) with encrypted storage
9. Children
Hunchy is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
10. Changes
We may update this policy. Significant changes will be communicated via email or in-app notice. The “last updated” date at the top reflects the latest revision.
11. Contact
Questions about this policy or your data? Contact us at privacy@hunchy.io.