Privacy Policy
Last updated: February 2026
1. Data Controller
tradegame.org is operated by Adam Skrzymowski, established in Poland (EU). For any data protection inquiries, you can reach the data controller at admin@tradegame.org.
2. What Data We Collect
We collect only the minimum data necessary to operate the trading simulation:
Account data (provided by you)
- Username — visible on the leaderboard (if opted in) and your profile
- Email address — used for login and password reset only
- Password — stored as an irreversible Argon2id hash; we never store or see your plaintext password
Activity data (generated by usage)
- Trade history — buy/sell actions, amounts, prices, timestamps
- Portfolio state — virtual cash balance, cryptocurrency holdings
- Leaderboard snapshots — daily portfolio value rankings (only if you have not opted out)
Technical data (processed transiently)
- IP address — personal data processed transiently in memory for rate limiting; not persisted in any database or log file
- Session cookie — an HttpOnly JWT token for authentication (see Section 7)
Data we do NOT collect
- No analytics or tracking (no Google Analytics, no pixel trackers)
- No advertising identifiers
- No device fingerprinting
- No location data beyond IP-based rate limiting
- No real financial data — all trading is simulated with virtual currency
3. Purpose and Legal Basis
Under GDPR Article 6, we process your data on the following legal bases:
| Purpose | Data | Legal basis |
|---|---|---|
| Account creation and authentication | Email, username, password hash | Contract (Art. 6(1)(b)) |
| Trading simulation service | Trade history, portfolio | Contract (Art. 6(1)(b)) |
| Public leaderboard | Username, portfolio value | Legitimate interest (Art. 6(1)(f)) |
| Password reset emails | Email address | Contract (Art. 6(1)(b)) |
| Rate limiting and abuse prevention | IP address (transient) | Legitimate interest (Art. 6(1)(f)) |
4. Data Sharing and Third Parties
We do not sell, rent, or share your personal data with any third party. Specifically:
- No data is sent to advertisers, analytics providers, or data brokers
- No data is transferred to third-party processors
- The only external service accessed is CoinGecko (for market prices) — no user data is sent to CoinGecko
Publicly visible data: If you have leaderboard visibility enabled (the default), your username and portfolio value appear on the public leaderboard. You can opt out at any time from Settings. Your email address is never publicly displayed.
5. Data Retention
- Account data and activity: Retained as long as your account exists
- Password reset tokens: Expire after 15 minutes; deleted after use
- IP addresses: Held in memory for rate limiting only; not persisted; cleared on service restart
- On account deletion: All data is permanently and immediately removed via cascading database deletion — account, portfolio, holdings, trades, leaderboard entries, and password reset tokens
6. Your Rights Under GDPR
If you are in the European Economic Area (EEA), you have the following rights:
- Right of access (Art. 15): Export all your data in JSON format from Settings → Export My Data
- Right to rectification (Art. 16): Change your username from Settings; for email changes, contact us
- Right to erasure (Art. 17): Delete your account and all data permanently from Settings → Danger Zone
- Right to data portability (Art. 20): Download your data as structured JSON via the export feature
- Right to object (Art. 21): You may object to public leaderboard inclusion at any time by disabling the leaderboard toggle in Settings, without deleting your account
- Right to lodge a complaint: You may file a complaint with your local Data Protection Authority (DPA)
To exercise any right not available through the Settings page, email admin@tradegame.org. We will respond within 30 days.
7. Cookies
We use a single strictly necessary cookie. No consent is required for strictly necessary cookies under the ePrivacy Directive.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| token | Authentication session (JWT) | HttpOnly, Secure, SameSite=Lax | 24 hours |
We do not use any tracking, analytics, advertising, or third-party cookies.
A localStorage key (tradegame_cookie_info) remembers whether you dismissed the cookie information banner. This is not a cookie and contains no personal data.
8. Security Measures
We implement the following technical and organizational measures to protect your data:
- Password hashing: Argon2id with per-user salts (industry-recommended algorithm)
- Transport encryption: All connections use HTTPS/TLS in production
- Cookie security: HttpOnly flag (prevents JavaScript access), Secure flag (HTTPS only), SameSite=Lax (CSRF protection)
- Rate limiting: Per-IP API rate limiting and per-user trade cooldowns prevent abuse
- Database isolation: PostgreSQL with parameterized queries (SQL injection prevention)
- Minimal data collection: We collect only what is necessary for the service to function
9. International Data Transfers
All data is stored and processed on servers within the European Economic Area (EEA). If infrastructure changes require data to be transferred outside the EEA in the future, appropriate safeguards such as adequacy decisions or standard contractual clauses will be used in accordance with GDPR Chapter V.
10. Children
tradegame.org is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has created an account, please contact us at admin@tradegame.org and we will delete the account promptly.
11. Changes to This Policy
We may update this privacy policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the service after changes indicates that you have been informed of the updated policy.
12. Contact
For any privacy-related questions, data protection requests, or to exercise your GDPR rights, contact us at: admin@tradegame.org