Available in English only · Anglais uniquement · Nur auf Englisch · Solo en inglés · Solo in inglese · 英語版のみ · 영어만 제공 · 仅限英文 · 僅限英文
What We Collect
When you play WhosThatMon, we collect the following data:
- Display name — the name you choose when registering
- Game results — guesses, scores, streaks, and session data
- IP address — used temporarily for rate limiting; not stored long-term
- Authentication token — a randomly generated token stored in your browser to identify your account
How We Use It
- Game functionality — tracking your progress, scores, and streaks
- Leaderboards — displaying your display name and scores publicly on the leaderboard
- Rate limiting — preventing abuse of our API endpoints
- Trainer Rating — calculating your ELO-style rating across games
Data Storage
Your data is stored on a Neon PostgreSQL database. Game state is also stored locally in your browser via localStorage, which you can clear at any time through your browser settings.
Third-Party Sharing
We do not sell, share, or transfer your personal data to any third parties. Pokemon data and sprites are loaded from PokeAPI and GitHub — these services do not receive your player data.
Account Safety Providers
If you choose to connect your account with Google, Apple, or an email address, we receive the minimum information required to identify you across devices:
- Google — a stable numeric user ID and whether your Google account email is verified. We do not receive your Google email address, profile photo, or contacts.
- Apple — a stable per-app user identifier. We do not receive your real Apple ID email (private relay or otherwise) unless you explicitly choose to share it.
- Email — the email address you provide for magic-link sign-in. Used only to deliver sign-in links and, if you opt in, marketing emails.
We do not receive your passwords, payment information, or any other data from these providers. Disconnecting a provider from Settings removes the link from our records but does not delete your game progress, scores, or Trainer Rating.
Email Marketing (opt-in only)
We may send occasional emails about new features, tournaments, and seasons. These emails are entirely optional — you will only receive them if you explicitly check the opt-in box when connecting your email address. You can unsubscribe at any time from the Settings menu inside the game or via the unsubscribe link at the bottom of any marketing email. Unsubscribing does not affect your game account or access to any feature. Transactional emails (sign-in links) are not affected by the marketing opt-in setting.
Account Deletion
You can delete your account at any time from Settings. Deletion works as follows:
- Anonymization — your display name is replaced with a random identifier, your email address and provider links are removed, and you are unsubscribed from all marketing. Leaderboard history entries are kept but displayed as an anonymous player.
- 30-day undo window — within 30 days of anonymization, you can email us to reverse the deletion if you change your mind.
- Nuclear delete — to have all records (including leaderboard entries) fully removed, email us at whosthatmon@gmail.com after anonymizing. Full removal is permanent and cannot be reversed.
Third-Party Data Processors
When you use account linking features, your data may pass through the following processors in addition to those listed elsewhere in this policy:
- Google LLC — OAuth 2.0 identity verification. Participant in the EU-U.S. Data Privacy Framework (DPF). Google receives only the data needed to confirm your identity; we do not send your game data to Google.
- Apple Inc. — Sign in with Apple identity verification. Participant in the EU-U.S. Data Privacy Framework (DPF). Apple receives only the data needed to confirm your identity; we do not send your game data to Apple.
- Resend — Transactional and marketing email delivery. Participant in the EU-U.S. Data Privacy Framework (DPF). Resend receives your email address and the content of emails we send you. Resend does not receive your game scores, Trainer Rating, or other gameplay data.
We do not sell your data to any of these processors or to any other party. PostHog (our analytics provider) does not receive your email address or provider subject identifiers.
Data Retention
- Active accounts — retained for the life of the account.
- Merged accounts — source account records are retained for 30 days after a merge to allow reversal, then the source row is anonymized automatically.
- Deleted (anonymized) accounts — personal identifiers are removed immediately on anonymization; a 30-day undo window applies. Leaderboard entries are retained in anonymized form.
- Merge audit rows — retained for 90 days after the reversibility window closes to support fraud investigations, then deleted.
- Rate limit records — IP-based rate limit records are retained for a rolling 24-hour window and automatically purged.
Analytics
We use PostHog to understand how the game is used and to identify bugs. PostHog collects:
- Page views and clicks — which pages you visit and how you interact with the game
- Performance data — page load times and web vitals
- Error reports — unhandled errors to help us fix bugs
- Session replays — anonymous recordings of how you navigate the game (all text inputs are masked)
Analytics data is processed by PostHog in the United States. We do not use this data for advertising or sell it to third parties.
Cookies & Local Storage
WhosThatMon uses a small number of cookies set by PostHog for analytics purposes (identifying returning visitors across sessions). Game state is stored in your browser's localStorage, which you can clear at any time through your browser settings.
Your Rights
You can:
- Clear local data— clear your browser's localStorage at any time
- Request data deletion — email us to have your server-side data removed
- Request data export — email us to receive a copy of your data
Children's Privacy
WhosThatMon is a casual game suitable for all ages. We do not knowingly collect personal information from children under 13. If you believe a child has provided us data, please contact us and we will delete it.
Changes
We may update this policy from time to time. Changes will be reflected on this page with an updated date.