Privacy Policy
Short version: We collect the minimum we need to run the game, process your subscription, and stop abuse. We don't sell your data. We don't share it except with the service providers listed below. You can request your data or have it deleted any time using the form at the bottom of this page.
1. Who we are
SnapIT Software operates HackerQuest (hackerquest.net for marketing content and hackerquest.online for the game). Contact us using the contact form. For privacy-specific requests, use the form below.
2. Who this policy applies to
You. Everyone who visits hackerquest.net, plays HackerQuest, subscribes to our mailing list, or submits a form on this site. HackerQuest is rated M (17+) and billing is gated to users 18 and older; we do not knowingly collect information from anyone under 18.
3. What we collect
We collect several categories of information. For each we explain what and why.
Account data
- Email address — for login, password reset, billing receipts, service announcements. Required if you create an account.
- Handle — your in-game name. Public by design.
- Password (hashed) — managed by Amazon Cognito. We never see your password in plaintext.
- Optional OAuth identity — if you sign in with Google, we receive your email and basic profile info from Google.
Game state
- Characters, inventory, progress, faction reputation, skills, mission history, chat history, PvP records — everything your character does.
- Stored in Amazon DynamoDB in the HackerQuest table. Tied to your Cognito user ID or — for guest sessions — a client-generated 128-bit UUID stored in a cookie and in your browser's localStorage.
Billing data
- Your Stripe customer ID, subscription status, plan tier, renewal dates.
- We never see or store your card number, CVV, or bank details. Stripe handles all of that on their own PCI-DSS-compliant infrastructure. See Stripe's privacy policy.
Technical data
- IP address — for rate-limiting, fraud detection, abuse investigation, and coarse geolocation (country / region) used by the game's region feature.
- User agent string — for bug triage and compatibility diagnostics.
- Request timestamps and a limited application log — retained 30 days for security and debugging.
Cookies and local storage
- hq_guest — guest user UUID cookie (365 days). Lets guest saves persist across browser restarts without an account.
- hq_guestId, hq_state, hq_current_user — browser localStorage keys the game client uses for session and state.
- Authentication tokens — Cognito JWT tokens stored in memory and/or localStorage for signed-in players. These expire.
- We do not use advertising cookies. We do not run third-party ad networks.
Chat and user-generated content
- In-game chat messages (global, faction, regional, org, whispers).
- Player-created content inside the game (handles, character biographies, market listings).
- Retained for 90 days in the chat log; indefinitely in public contexts (handles on leaderboards, for example).
Marketing and support submissions
- Email address + optional name for the mailing list. Stored in a separate DynamoDB table (HackerQuestMarketing) that is never joined with your player data.
- Support, contact, privacy, and legal form submissions — email, message body, topic, IP, user agent, timestamp.
4. Why we collect each thing
We only collect on lawful bases (GDPR terminology): contract performance (to run your account and deliver the game you signed up for), legitimate interests (preventing abuse, maintaining the service, understanding aggregate performance), and consent (for marketing emails, which you explicitly opt into).
5. Who we share it with
We share data only with these service providers, each with a scoped role:
- Amazon Web Services — hosting, databases, email delivery (SES), authentication (Cognito). Data processed in us-east-1.
- Stripe — payment processing. Governed by Stripe's privacy policy.
- Web3Forms — transactional email delivery for contact and support forms. They see the form contents you submit because we forward them for delivery. They do not train AI on your submissions.
- SnapIT Analytics — our own lightweight first-party analytics (page views, aggregate metrics). No cross-site tracking. No advertising.
- Google OAuth — only if you choose to sign in with Google.
We do not sell your data. We do not rent or trade the mailing list. We do not share data with advertisers or data brokers. We disclose data only to the providers above or when we are legally compelled by valid process (and we will try to notify you if we are legally allowed to).
6. How long we keep it
- Game state: as long as your account is active. If you request deletion, we purge within 30 days.
- Payment records: 7 years, as required by tax and financial record-keeping laws.
- Chat logs: 90 days.
- Application and access logs: 30 days.
- Mailing list: until you unsubscribe, then 90 days for suppression (so we don't accidentally re-add you).
- Support tickets: 3 years after resolution for quality control.
7. Your rights
Regardless of where you live, you can:
- Access the personal data we hold about you.
- Correct data that is wrong.
- Delete your account and associated personal data. (We retain billing records for tax-law purposes; everything else goes.)
- Port your data (we will export your game state as JSON).
- Object to specific uses.
- Withdraw consent for marketing at any time via the unsubscribe link.
If you are in the EU/UK (GDPR), California (CCPA/CPRA), or Virginia/Colorado/Connecticut/Utah (state laws), all of these rights apply to you specifically. Use the form below to exercise any right. We will respond within 30 days (45 for complex requests).
8. Children
HackerQuest is rated M (17+). Account creation and paid subscriptions require you to be 18 or older. We do not knowingly collect data from anyone under 18. If you believe we have inadvertently collected data from a minor, email us via the form below; we will delete it without delay.
9. Security
We use HTTPS everywhere, hashed passwords (Cognito, not visible to us), API-Gateway-level request validation, IAM-scoped Lambda permissions, SSM Parameter Store for secrets, and SES DKIM/SPF/DMARC for email authenticity. No system is perfectly secure; if you believe your account has been compromised, contact support immediately.
10. International transfers
Our infrastructure is in the United States. If you are in the EU/UK, you acknowledge that your data is transferred to and processed in the US under Standard Contractual Clauses with AWS and Stripe.
11. Changes to this policy
We will post material changes at least 30 days before they take effect and notify subscribers via email.
12. Privacy requests
Use this form to request access, correction, deletion, portability, or to raise any privacy concern. We respond within 30 days.