Privacy Policy
Introduction
This privacy policy informs you about the types of personal data (hereafter also "data") we process, for what purposes and to what extent, within our online offering Wortfuchs. Wortfuchs is a free, non-commercial word game that runs entirely in your browser. There are no user accounts, no sign-up and no advertising; we process as little data as possible.
Last updated: 14 June 2026.
Controller
Christian Götze, Rathenaustr. 3, 16761 Hennigsdorf, Deutschland
E-mail: wortfuchs@post.christiangoetze.de
Phone: +49 33022015238
Imprint: https://wortfuchs.cgoetze.de/en/impressum
A data protection officer is not legally required (§ 38 BDSG).
Overview of processing
The following overview summarises the types of data processed and the purposes of their processing.
Types of data processed: meta/communication data (e.g. anonymised IP addresses, access times, browser type); anonymous game usage data (game mode, result, number of guesses — with no personal reference); content data (only if you contact us by e-mail).
Categories of data subjects: users (visitors and players of this site); communication partners (people who write to us by e-mail).
Purposes of processing: provision of the online offering and web hosting; IT security; anonymous analytics and game statistics; responding to enquiries.
Relevant legal bases
We process personal data on the basis of the General Data Protection Regulation (GDPR); additionally, national requirements in Germany apply, in particular the Federal Data Protection Act (BDSG) and the Telecommunications-Digital-Services Data Protection Act (TDDDG).
Legitimate interests (Art. 6 (1) (f) GDPR): processing is necessary to safeguard our legitimate interests, provided the interests or fundamental rights and freedoms of the data subject do not override them.
Pre-contractual enquiries (Art. 6 (1) (b) GDPR): when responding to contact enquiries.
Security measures
In accordance with legal requirements, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
TLS encryption (https): to protect the data transmitted via our online offering we use TLS encryption, recognisable by the "https://" prefix in your browser's address bar.
Automated decision-making: to defend against attacks, IP addresses may be blocked automatically for a limited period (typically 24 to 96 hours; see "Provision of the online offering and web hosting"). A review of the block is possible on request. Otherwise, no automated decision-making takes place.
Transfer to recipients and processors
To operate this online offering we use a hosting provider that acts for us under a data processing agreement (Art. 28 GDPR; see below). In addition, IP addresses of detected attackers may be transmitted to CrowdSec SAS as part of our IT security measures; CrowdSec processes this data as an independent controller. No further transfer to third countries outside the EEA takes place; only in the course of DNS resolution can a transfer not be excluded (see below).
Provision of the online offering and web hosting
We operate this online offering on a server in a data centre in Falkenstein, Germany.
Collection of access data and log files: when our online offering is accessed, access data is recorded server-side in server log files (incl. IP address, date and time of the request, URL accessed, HTTP method, amount of data transferred, status message, browser type and version, referrer URL). This serves secure, fault-free operation, IT security and error analysis. The log files are stored exclusively on our own server in Germany and not transmitted to external providers. They are deleted as soon as they are no longer required for the above purposes, generally after 30 days.
Defence against attacks (intrusion detection): to detect and defend against attacks we use the open-source software CrowdSec. CrowdSec evaluates the above log files and can block suspicious IP addresses for a limited period (typically 24 to 96 hours). Under the standard configuration, information about detected attacks (in particular the attacker's IP address and the type of detection) is transmitted to the central CrowdSec API of CrowdSec SAS, 24 Rue Saint Lazare, 75009 Paris, France. The transfer is solely for IT security purposes and relates to IP addresses associated with an attack attempt, not to regular visitors. CrowdSec privacy policy: https://www.crowdsec.net/privacy-policy.
DNS resolution: the DNS zones of our domain are hosted with Amazon Route 53 (Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg). A transfer to the USA cannot be excluded during DNS resolution; AWS is certified under the EU-US Data Privacy Framework. Legal basis: legitimate interest in the reliable availability of our online offering (Art. 6 (1) (f) GDPR).
Hosting provider used: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (servers in Falkenstein/Germany); privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz.
Analytics (Matomo)
For statistical analysis of the use of our online offering we use Matomo, an open-source web analytics software. Matomo runs exclusively on our own infrastructure at https://matomo.cgoetze.de; the data collected is processed solely on our own server in Germany and not transmitted to third parties. No transfer to third countries outside the EEA takes place.
Cookieless processing without consent: Matomo is configured in a privacy-friendly way. No cookies are set and no information already stored on your device is accessed. As no information within the meaning of § 25 (1) TDDDG is stored on or read from your device, neither consent nor a consent banner is required. Your IP address is anonymised before any storage (truncation of the last bytes). There is no cross-site tracking and no profiling; no individual user profiles are created and no user ID is used. The raw data collected for analytics is deleted automatically after 90 days.
Objection and "Do Not Track": our Matomo installation respects your browser's "Do Not Track" setting. If your browser sends a "Do Not Track" signal, you are not included in the analytics. You may also object to the processing at any time with effect for the future (Art. 21 GDPR).
Legal basis: legitimate interests (Art. 6 (1) (f) GDPR — interest in privacy-friendly statistical analysis and optimisation of the online offering).
Local storage and anonymous game statistics
Local storage in the browser (localStorage): your game progress, statistics and settings (e.g. light/dark mode) are stored solely in your browser ("localStorage") and never transmitted to us. This storage is strictly necessary under § 25 (2) no. 2 TDDDG to provide the game you requested and therefore takes place without consent. You can delete this data at any time by clearing this site's data in your browser.
Anonymous game statistics: when a game ends, the site sends an anonymous metric to our server (only: game mode, win/loss and number of guesses). This contains no personal data, no identifiers and no cookies, and serves solely the aggregated analysis of game usage. Legal basis: legitimate interests (Art. 6 (1) (f) GDPR).
Contact
If you contact us by e-mail, we process the information you provide to the extent necessary to respond to your enquiry. The information is deleted as soon as it is no longer required for the purpose, generally no later than 6 months after the enquiry has been dealt with, unless statutory retention obligations apply. Legal bases: pre-contractual enquiries (Art. 6 (1) (b) GDPR) and legitimate interest in answering enquiries (Art. 6 (1) (f) GDPR). No contact form or external e-mail dispatch service is used.
Cookies and similar technologies
Wortfuchs uses no cookies. Local browser storage (localStorage) is used solely for game progress, statistics and your settings and stays local in your browser (see "Local storage and anonymous game statistics"). Analytics via Matomo is cookieless and consent-free (see "Analytics (Matomo)"). No tracking in the sense of cross-device recognition or profiling takes place.
Deletion of data
The data we process is deleted in accordance with statutory requirements as soon as the permissions required for processing cease to apply (e.g. when the purpose of processing no longer applies). If data is not deleted because it is required for other legally permissible purposes, its processing is restricted to those purposes.
Changes and updates to this privacy policy
Please review the content of our privacy policy regularly. We adapt the privacy policy as soon as changes to the data processing we carry out make this necessary.
Rights of data subjects
Right to object (Art. 21 GDPR): you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (f) GDPR.
Right of access (Art. 15 GDPR): you have the right to obtain confirmation as to whether data concerning you is processed and to access that data.
Right to rectification (Art. 16 GDPR): you have the right to request the rectification or completion of data concerning you.
Right to erasure (Art. 17 GDPR) and to restriction of processing (Art. 18 GDPR).
Right to data portability (Art. 20 GDPR).
Complaint to a supervisory authority (Art. 77 GDPR): the authority responsible for us is the Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg, Stahnsdorfer Damm 77, 14532 Kleinmachnow; e-mail: poststelle@lda.brandenburg.de.
Definitions
Personal data: any information relating to an identified or identifiable natural person.
Controller: the natural or legal person that alone or jointly with others determines the purposes and means of processing personal data.
Processing: any operation involving personal data, whether collecting, analysing, storing, transmitting or deleting it.
Processor: a person that processes personal data on behalf of the controller (e.g. a hosting provider).