Privacy Policy

This English translation is provided for convenience only. In case of any discrepancies or legal relevance, the German version of the Privacy Policy (“Datenschutzerklärung”) shall prevail.

The protection of your personal data is important to us. This Privacy Policy explains what data is processed when you use yucata.de, for what purposes, and what rights you have under the EU General Data Protection Regulation (GDPR).

Please note: Yucata is a privately operated, non-commercial hobby project. Users have no contractual rights to availability or functionality of the service.

1. Controller

Kay Wilke
Schlehenweg 13
21244 Buchholz in der Nordheide
Germany
E-mail: [email protected]

2. General Information on Data Processing

We only process personal data to the extent necessary for providing the website, the game functions, secure operation, and communication with users.

The processing is based on the following legal grounds (Art. 6 GDPR):

  • Art. 6(1)(b): Data required for providing game functionality and user accounts.
  • Art. 6(1)(a): Consent (e.g., YouTube videos, Gravatar images, optional e-mail notifications).
  • Art. 6(1)(c): Compliance with legal obligations (e.g., payment-related data).
  • Art. 6(1)(f): Legitimate interests such as platform security, fraud prevention, and moderation.

Where required, data processing agreements under Art. 28 GDPR have been concluded with external service providers.

3. Hosting, Server Logs and Cloudflare

The Yucata server is located in Germany.

We also use Cloudflare for DNS and Content Delivery Network (CDN) services. Technical data processed may include:

  • IP address
  • Date and time of access
  • Requested files or pages
  • Browser and operating system information
  • Security-related events (e.g., DDoS protection)

Legal basis: Art. 6(1)(f) GDPR (security and reliable operation of the service).

3.1 Cloudflare Information

Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.

Data may be transferred to the United States. Cloudflare relies on EU Standard Contractual Clauses (SCCs) for such transfers.

Privacy Policy: https://www.cloudflare.com/privacypolicy/

4. User Accounts, Basic Data and Game Operations

When creating a user account, we store the following minimum data:

  • E-mail address
  • IP address and time of the last login

Additional profile information is optional and may be deleted at any time. No historical versions of optional data are stored.

For the game system to function, all game moves are stored, allowing the game history to show who moved at what time. These data are essential for online turn-based board games.

4.1 Automated Processes

  • Marking accounts as inactive after defined periods
  • Automatic deletion of inactive accounts
  • Automatic termination of inactive games

These automated routines do not constitute automated decision-making with legal effect under Art. 22 GDPR.

5. E-mail Communication (AWS)

E-mails are sent via Amazon Web Services (AWS).

5.1 Optional Notifications

You only receive optional notifications if you explicitly enable them in your profile. Legal basis: Art. 6(1)(a) GDPR.

5.2 Mandatory Messages

Legally or technically required information (e.g., changes to this Privacy Policy) may be sent regardless of user settings. Legal basis: Art. 6(1)(c) and Art. 6(1)(f) GDPR.

6. External Services

6.1 YouTube

YouTube videos are only loaded after you provide explicit consent. Only then may YouTube receive your IP address and set cookies.

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Data may be transferred to the US. Google relies on EU Standard Contractual Clauses (SCCs).

Privacy Policy: https://policies.google.com/privacy

6.2 Gravatar

If you consent, you may select a Gravatar image for your profile. Outside of the profile page, all Gravatar images are served through Yucata's servers, ensuring no data is transferred to Gravatar.

Provider: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA.

Gravatar may transfer data (e.g., a hashed e-mail) to the US. Automattic relies on SCCs.

Privacy Policy: https://automattic.com/privacy/

6.3 Stripe (Donations)

Stripe is used solely on the donation page. Stripe processes payment data independently.

Provider: Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA.

Data may be transferred to the US. Stripe relies on SCCs.

Privacy Policy: https://stripe.com/privacy

6.4 AWS S3 Storage

User-uploaded content (e.g., images) is stored in an AWS S3 bucket located in Frankfurt, Germany.

Provider: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg.

7. Chat, Forum and Blog Comments

Chat messages are transmitted in encrypted form but stored unencrypted. Administrators may review messages if there is a legitimate reason (e.g., suspected rule violations).

Forum posts and blog comments are public and may be translated automatically.

Legal basis: Art. 6(1)(b) GDPR (communication functions) and Art. 6(1)(f) GDPR (moderation, abuse prevention).

8. No Advertising, No Tracking

Yucata does not use tracking technologies, analytics tools, advertising networks, affiliate links or embedded third-party content (other than after explicit consent).

9. Cookies and Local Storage

Yucata uses only technically necessary cookies and local storage entries. These are required for login functionality, security, and basic user settings.

9.1 Cookies Used

  • Session cookie — required for login; expires when the browser is closed.
  • Security/CSRF tokens — protection against attacks.
  • Consent cookies — e.g., whether YouTube may be loaded.

9.2 Local Storage

  • User interface preferences
  • Game display options
  • Consent status for external content

Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.

10. Data Retention

Personal data is retained only as long as necessary for the purposes described or as required by law.

  • User accounts: until deletion or automatic removal after inactivity.
  • Game moves: as long as the game history is needed for gameplay.
  • Chat/forum/blog content: until removed by you or moderation.
  • Payment data (Stripe): according to legal retention periods.

11. Your Rights

You have the following rights under GDPR:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to withdraw consent at any time (Art. 7(3))

You also have the right to lodge a complaint with a supervisory data protection authority.

12. Data Security

Data is typically transmitted securely using TLS/HTTPS. Appropriate technical and organizational measures are taken to protect your data.

13. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time. The current version is always available on this page.

© 2001-2025 Yucata | YST: 00:00:00 |