Privacy Policy
This policy covers all services operated by bearcove SARL, including bearcove.eu, wat.rs, and fasterthanli.me.
The short version
- We collect what we need to run the service and prevent abuse
- We don't sell your data or show you ads
- We're honest about what we collect (see below)
- We have some cleanup work to do (also noted below)
What we collect and why
Account information
When you create an account, we store:
- GitHub authentication: Your GitHub user ID, username, and avatar. We download and store your avatar on our servers.
- Email authentication: Your email address (stored in plaintext), password (hashed), and verification status.
- Twitch integration (optional): Your Twitch user ID, username, and OAuth tokens (encrypted).
- Two-factor authentication (optional): TOTP secrets and hashed backup codes.
- Passkeys (optional): WebAuthn credential IDs and public keys.
Why: To let you log in and identify your account across sessions.
Session and request data
For every session, we store:
- Your IP address
- Your country (derived from your IP address via a local GeoIP database)
- Your browser's user agent string
For quiz submissions, we additionally store:
- Referrer header
- Accept-language header
- Time spent on page before submitting
Why: Fraud prevention and anti-cheat. We run a quiz platform where people can win prizes, and we need to detect bots, prevent account farming, and identify coordinated abuse.
Anti-cheat systems
We use several mechanisms to prevent abuse:
- Proof-of-work challenges: Guest users must complete a computational challenge before joining. This deters automated bot accounts.
- Risk scoring: We calculate a risk score based on account age, past rejection rates, IP history, time on page, and content analysis.
- IP restrictions: We maintain a list of banned, flagged, and whitelisted IP addresses.
- Rate limiting: We limit how fast you can create rooms, submit votes, and authenticate.
Why: To keep the platform fair for legitimate users and prevent abuse during live events.
Payment information
If you subscribe to a paid plan:
- We store your Stripe customer ID and subscription ID
- We store subscription status, billing periods, and tier information
- We store full Stripe webhook payloads for debugging and audit purposes
- We do NOT store your credit card number, CVV, or bank details—Stripe handles all payment processing
Logs and audit trails
Moderation logs: We log actions taken by moderators, including who did what and why. This is necessary for accountability and dispute resolution.
Sponsor information (fasterthanli.me)
If you're a sponsor via GitHub Sponsors or Patreon:
- We store your platform user ID, display name, and avatar
- We store your sponsorship tier and monthly amount
- Sponsor names may be displayed publicly unless you opt out
What we don't collect
- No analytics: We don't use Google Analytics, Umami, or any third-party analytics service.
- No ads: We don't show ads or share data with advertisers.
- No tracking pixels: We don't embed third-party trackers.
Data retention
Current state: Most data is retained indefinitely. We don't currently have automated cleanup jobs for IP addresses in session records or old player data. Sessions expire after 30 days, but the session records remain in the database.
What we're working on: Implementing retention policies for moderation logs (target: 90 days), anonymizing old IP addresses, and adding data export and deletion features.
Data location
Your data is stored on servers operated by Hetzner Online GmbH in Germany. Backups may be stored in other EU locations.
Your rights (GDPR)
You have the right to:
- Access your data
- Correct inaccurate data
- Delete your account and associated data
- Export your data in a portable format
- Object to processing
To exercise these rights, contact hi@bearcove.eu. We'll respond within 30 days.
Current limitations: We don't yet have automated self-service data export or deletion. We handle these requests manually.
Cookies
We use a single session cookie to keep you logged in. It's HttpOnly, Secure (in production), and SameSite=Lax. We don't use cookies for tracking or advertising.
Third-party services
We use: GitHub, Twitch, Discord (for OAuth), Stripe (payments), Hetzner (hosting), and MaxMind GeoLite2 (IP-to-country, runs locally).
Contact
Questions? Email hi@bearcove.eu.