Privacy Policy
Last updated: March 29, 2026
1. Who We Are
Hunchy (“we”, “us”, “our”) is a social prediction game operated at hunchy.io. We are based in Sweden (EU) and comply with the General Data Protection Regulation (GDPR).
Data Controller: Richard Sandenskog, richard@sandenskog.se
2. What Data We Collect
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, login, notifications | Contract |
| Display name | Shown on leaderboards | Contract |
| Google profile (name, email, avatar) | Google Sign-In | Consent |
| Predictions & scores | Core game functionality | Contract |
| Password hash | Authentication (never stored in plain text) | Contract |
| Session cookies | Keeping you signed in | Legitimate interest |
| Locale preference | Language selection | Legitimate interest |
| Anonymised usage data (pages viewed, session duration) | Understanding how the product is used | Legitimate interest |
We do not collect: location data, financial data, health data, or device fingerprints.
We use Google Analytics 4 to collect anonymised usage statistics (pages visited, session duration, country-level location). No personally identifiable information is sent to Google Analytics. You can opt out using the Google Analytics Opt-out Browser Add-on.
3. How We Use Your Data
- Running the prediction game (displaying your predictions, scores, leaderboard rankings)
- Sending optional email notifications (question resolved, contest completed, daily digest — you control these in Settings)
- AI-powered question generation (your data is not sent to AI services — only admin-provided topics are)
4. Data Sharing
We do not sell, rent, or share your personal data with third parties, except:
- Google — if you use Google Sign-In, Google processes the OAuth authentication. We also use Google Analytics 4 to collect anonymised usage data.
- Resend — email delivery service, processes your email address to send notifications
- Hetzner — our hosting provider (EU-based, Germany), stores data on our behalf
All processors are GDPR-compliant and data stays within the EU.
5. Data Retention
We keep your account data as long as your account exists. If you delete your account, we delete all personal data within 30 days. Anonymised, aggregated statistics (e.g. total predictions count) may be retained.
6. Your Rights (GDPR)
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data (you can edit your display name in Settings)
- Erasure — request deletion of your account and all associated data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — for Google Sign-In, disconnect via your Google account settings
To exercise any of these rights, email privacy@hunchy.io. We will respond within 30 days.
7. Cookies
We use the following cookies:
- Session cookie (authjs.session-token) — keeps you signed in. Expires when you sign out or after 30 days. Essential.
- CSRF token (authjs.csrf-token) — prevents cross-site request forgery. Session-scoped. Essential.
- Locale cookie (NEXT_LOCALE) — remembers your language preference. Persists 1 year. Essential.
- Analytics cookies (_ga, _ga_*) — Google Analytics 4 cookies used to measure anonymised usage. These cookies persist for up to 2 years and can be blocked by declining analytics in our cookie banner, or via the Google Analytics opt-out add-on.
We do not use advertising cookies or any third-party cookies beyond those listed above.
8. Security
We protect your data with:
- HTTPS/TLS encryption for all connections
- Passwords hashed with bcrypt (never stored in plain text)
- JWT session tokens with server-side secret
- Database hosted in EU (Hetzner, Germany) with encrypted storage
9. Children
Hunchy is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
10. Changes
We may update this policy. Significant changes will be communicated via email or in-app notice. The “last updated” date at the top reflects the latest revision.
11. Contact
Questions about this policy or your data? Contact us at privacy@hunchy.io.