This policy describes the personal data collected by FerrLabs (Bryan Ferrando, sole proprietor, SIREN 104 243 951) acting as data controller, in accordance with the GDPR.
Anonymous play
FerrGames can be used without creating an account. In that mode, only a temporary session identifier and the live game state are stored; no personal data is retained beyond the end of the game.
Data collected
- Anonymous session: a session identifier (UUID), a chosen or generated nickname, an avatar, and an HMAC-SHA256 fingerprint of the source IP (never the IP in clear) for anti-spam and unique-visitor counting.
- Registered account (optional): email, password (hashed with Argon2id), gameplay history, scores, in-game items.
- Cookies: fg_session (httpOnly, SameSite=Lax) — strictly necessary for authentication.
- Server logs: 12-month retention.
Purposes
- Running the game sessions and matchmaking.
- Account management and security.
- Compliance with legal obligations.
Legal bases (GDPR art. 6)
- Performance of the contract (6.1.b) for accounts and the game service.
- Legitimate interest (6.1.f) for security, anti-bruteforce and logs.
- Legal obligation (6.1.c) for accounting data once the paid tier launches.
Subprocessors
- OVH SAS — hosting (France).
- Stripe Inc. — payments (United States, certified under the Data Privacy Framework) — active when the paid tier launches; not yet active.
No data is sold, rented or transferred to third parties for commercial purposes. No advertising SDK, no third-party analytics, no fingerprinting library is loaded by FerrGames.
Retention period
| Data | Retention |
|---|---|
| Active registered account | For the lifetime of the account |
| Inactive anonymous account | 6 months without login, then automatic purge |
| Deleted account | 30 days, then permanent purge |
| Server logs | 12 months |
| Failed login attempts | 1 hour (anti-bruteforce), then purged |
| Billing data (when the paid tier launches) | 10 years (art. L.123-22 of the French Commercial Code) |
Your rights
Under the GDPR, you have the rights of access, rectification, erasure, portability, objection, and restriction of processing. To exercise your rights, write to privacy@ferrlabs.com. Requests are answered within one month at most (GDPR art. 12).
You may also lodge a complaint with the CNIL (cnil.fr).
Minors
FerrGames is intended for users aged 13 or older. If you are under 13, you must not create an account without verified consent from your legal representative.
For users under 16 (the French GDPR threshold), parental consent is required before any personal-data processing beyond what is strictly necessary to run the game. FerrLabs collects the minimum data needed to run the game (nickname, score, plays); no targeted advertising and no marketing profiling is performed on minor accounts.
If you are a parent or guardian and notice that an account for your child has been created without your consent, contact privacy@ferrlabs.com for immediate deletion.
Transfers outside the European Union
The main infrastructure is located in the European Union. Stripe may process some data in the United States under the EU-US Data Privacy Framework. No other transfer outside the EU is performed.
Security
Passwords are hashed with Argon2id (OWASP-recommended parameters). Sessions use HMAC-SHA256 signed cookies, HTTP-only and SameSite=Lax. Communications are encrypted with TLS 1.3. IP addresses stored by the application are hashed (salted HMAC-SHA256) — never persisted in clear.
Changes
This policy may be updated. Substantive changes are notified by email to account holders 30 days before they take effect.
French version: Politique de confidentialité.