Privacy Policy

Spot the Human (“the game”, “we”, “us”) is operated by Bunduk, based in the Netherlands, who is the data controller for the personal data described here under the EU General Data Protection Regulation (GDPR).

For any question about this policy or your personal data, contact us at info@bunduk.com.

Because there are no accounts, we never ask for your name, email address, postal address or phone number. The data we do process is:

• Device identifier. When you first open the game your browser generates a random identifier (a UUID) and stores it locally under sth_device_id. We use it to recognise your device across sessions so we can save your progress and streak. It is not linked to your real-world identity, but because it can be matched to your activity on our server it counts as personal data under the GDPR.
• Display name. If you appear on the leaderboard, the name you choose (or one we generate for you) is stored and shown publicly next to your score. You can change it at any time.
• Game progress and statistics. Your scores, the picks you make, time taken, streaks and completion dates. In-progress puzzles are cached in your browser under sth_progress_…, and a sth_intro_seen flag records that you have seen the intro. Completed results and streaks are also stored on our server, keyed to your device identifier.
• Content you contribute. If you use the Contribute feature, the free-text answers you submit are stored together with the device identifier of the submitter. Submissions are reviewed before they can appear in the game.
• Sync code. If you choose to sync your streak across devices, we generate a short code that links those devices to the same progress.
• Usage analytics. We record basic, first-party gameplay events (for example: a puzzle started, a round answered, a puzzle completed or shared) together with your device identifier, to understand how the game is used and improve it. These events stay in our own database; we do not use Google Analytics or any third-party tracking service.
• Technical and connection data. Like any website, our hosting provider receives your IP address and standard request information in order to deliver the site. We use your IP address only momentarily and in memory to rate-limit abuse; we do not store it in our own database.

We rely on the following legal bases under Article 6 GDPR:

• Legitimate interests (Art. 6(1)(f)). To run and secure the game: saving your progress and streaks, operating the public leaderboard, accepting and moderating contributed content, measuring usage with our first-party analytics, and protecting the service from spam and abuse (rate limiting and content screening). Our legitimate interest is providing and maintaining a working, free game. You can object to this processing at any time (see “Your rights” below).
• Performance of the service you request (Art. 6(1)(b)). Storing the device identifier and your progress is necessary to deliver the gameplay you ask for.
• Consent (Art. 6(1)(a)). We do not currently run any advertising or third-party tracking. If we ever add non-essential analytics or similar, we will ask for your consent first.

Spot the Human does not use cookies and does not load any third-party advertising, analytics or tracking scripts. The only information stored on your device is a small set of strictly necessary values in your browser’s local storage: the device identifier (sth_device_id), your in-progress puzzle (sth_progress_…) and the intro flag (sth_intro_seen), which are needed to run the game and remember your own play state.

Under the Dutch Telecommunications Act (Telecommunicatiewet, art. 11.7a) this kind of strictly necessary functional storage does not require a consent banner. You can clear it at any time by clearing site data in your browser.

We do not sell your data. We use a small number of service providers (“processors”) who handle data on our behalf under data-processing agreements:

• Our hosting provider serves the site and processes IP addresses and request logs.
• Our database provider stores your device identifier, display name, game statistics and contributed answers.
• A third-party AI provider is used to generate the game’s AI answers. When we create new puzzles, the text of previously submitted answers may be sent to this provider as a reference list so the AI avoids reproducing them. This is sent without your device identifier or display name.

In addition, your display name and leaderboard ranking are, by design, shown publicly to anyone who visits the game.

The database where your personal data is stored is located in the European Union, so that data is not transferred outside the European Economic Area. Some other providers (such as our hosting and AI providers) may process limited data (for example technical and connection logs, or contributed text used for the AI feature) outside the EEA. Where that happens, we rely on the data-protection terms offered by each provider, which are intended to provide an appropriate safeguard under Chapter V GDPR, typically the European Commission’s Standard Contractual Clauses and/or certification under the EU-US Data Privacy Framework. You can ask us for current detail about the safeguard that applies, using the contact details above.

• Data in your browser (device identifier, progress, intro flag) stays until you clear your browser’s site data.
• Data on our server (device identifier, display name, statistics, contributed answers) is kept for as long as needed to run the leaderboard and the game, and is deleted or anonymised when it is no longer needed or when you make a valid erasure request.
• We do not store your IP address in our database; the transient rate-limit data lives only briefly in memory. Server logs held by our hosting provider follow that provider’s own retention periods.

Under the GDPR you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and the right to data portability. Where we rely on consent, you can withdraw it at any time.

Because the game has no accounts, we identify your data by your device identifier and/or your leaderboard display name. To make a request, contact us at info@bunduk.com and include your device identifier (or display name) so we can locate your data. Requests that cannot be matched to a device identifier or display name may not be actionable. We handle requests free of charge and within one month.

If you believe we have mishandled your personal data, you have the right to lodge a complaint with the Dutch supervisory authority: the Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag (autoriteitpersoonsgegevens.nl). You may also complain to the authority in your own EU country of residence.

We do not carry out any automated decision-making that produces legal or similarly significant effects, and we do not profile you. Our rate limiting and content screening are routine technical safeguards, not decisions about you. The AI provider is used to create game content, not to make decisions about players.

Spot the Human is a general-audience game and is not directed at young children. In the Netherlands the age of digital consent under the GDPR is 16; where any processing would rely on a child’s consent, children under 16 should use the game only with the involvement of a parent or guardian. If you are a parent and believe your child has provided personal data, contact us and we will help you access or delete it.

We take reasonable technical and organisational measures to protect your data, including using reputable providers that encrypt data in transit, restricting database access, screening contributed content and rate-limiting abuse. No online service can be completely secure, but we work to keep the risk low given the limited data we hold.

We may update this policy from time to time. When we do, we will change the “last updated” date at the top of this page, and we will give clearer notice of any significant change, for example if we ever introduce tracking that requires your consent.