This Privacy Policy describes how personal data is handled when you use howsitrun.com (the "Service"). Last updated: April 13, 2026.
1. Controller
Name: Dipl.-Ing. Thomas Koch
Address: 1220 Vienna, Austria
Email: switchgamedb@gmail.com
2. Data We Process
Anonymous Browsing
You can browse the public game database without creating an account. As with most websites, technical request data may be processed by the server or hosting provider, such as IP address, request time, requested URL, browser user agent, and error logs.
Game Submissions and Community Features
When you submit or review game performance information, we may process:
Game title, performance values, graphics modes, upgrade status, version information, notes, source type, and source links
Date and time of submission or review activity
Votes, notes, community sentiment entries, and edit history
Your account ID or username when you use these features while logged in
Approved game performance submissions and source links may be displayed publicly. Account email addresses are not displayed publicly.
Accounts
If you create an account, we process your username, email address, password hash, role, submission count, account creation time, and last login time. During registration we temporarily store a pending registration record and a hashed email verification token. For password resets we store a hashed reset token and request metadata.
Feedback
If you send feedback through the site, we store the message, the submission time, and the account that sent it. Login is required for feedback.
Security and Rate Limiting
To protect login, registration, password reset, and submission features, we use self-hosted ALTCHA proof-of-work verification and rate limiting. The rate limiter stores timestamps and hashed buckets derived from the action and requester IP address; the raw IP address is not stored in that rate-limit table.
Newsletter and Email
If you subscribe to the newsletter on the digest page, the email address and consent details you provide are submitted to Brevo. The digest page loads Brevo/Sibforms assets from Brevo-controlled domains to display and submit the form.
We also use Brevo to send transactional account emails such as registration verification and password reset emails. For those messages, Brevo receives the recipient email address, recipient name, subject, and email content needed to deliver the message.
Important: Most of the site can be browsed without an account, but optional account, voting, note, moderation, feedback, newsletter, and email features involve personal data.
3. Purposes and Legal Bases
Operating the public database: displaying and maintaining game performance data and source links
Moderation and security: preventing spam, abuse, unauthorized access, and duplicate or low-quality submissions
Communication: sending transactional account emails and, with your consent, newsletter emails
The legal bases may include performance of requested account functionality, consent for newsletter subscription, legitimate interests in operating and securing the Service, and legal obligations where applicable.
4. Cookies and Similar Technologies
We use an essential, HTTP-only session cookie for login sessions.
We do not use analytics, advertising, or tracking cookies in the application code reviewed for this notice.
The self-hosted ALTCHA widget does not require a third-party tracking cookie.
The newsletter digest page loads Brevo/Sibforms resources and submits the newsletter form to Brevo. Brevo may process technical request data when those resources are loaded or the form is submitted.
5. Recipients and Service Providers
Hosting provider: processes technical request data and stored application data as needed to operate the Service.
Brevo: processes newsletter subscriptions and transactional account emails.
Public visitors: may see approved game performance submissions, notes, source links, and public-facing activity that is part of the database.
Legal authorities: data may be disclosed if required by Austrian or EU law.
6. International Transfers
Some service providers may process data outside Austria or the European Economic Area. Where this applies, processing should be covered by appropriate safeguards such as an adequacy decision, standard contractual clauses, or another valid transfer mechanism provided by the relevant service provider.
7. Retention
Game performance data and source links may be retained indefinitely to preserve the integrity and history of the database.
Account data is retained while the account exists, unless deletion is required or requested and no overriding reason requires retention.
Pending registration data expires by default after 7 days and is deleted when cleanup runs.
Password reset tokens expire by default after 1 hour. Password reset request logs are retained for the configured rate-limit window, defaulting to 24 hours.
Auth rate-limit entries are retained only for the relevant rate-limit window, up to 1 hour by default.
Feedback messages, moderation notes, votes, and edit history are retained as long as needed to operate and moderate the Service.
Session data is retained only as needed to support active login sessions and server-side session cleanup.
8. Your Rights
Where GDPR applies, you may have the right to access, rectify, or erase your data, to restrict or object to processing, to receive a copy of your data, and to withdraw consent where processing is based on consent.
You can unsubscribe from newsletter emails using the unsubscribe link in the newsletter or by contacting us.
You can contact us for access, correction, deletion, or other data protection requests.
You may lodge a complaint with the Austrian Data Protection Authority.
9. Data Security
We use reasonable technical and organizational measures for the Service, including password hashing, signed server-side sessions, HTTPS-oriented production cookie settings, rate limiting, and minimal data collection where possible.
10. No Automated Decisions
We do not use personal data for automated decision-making or profiling within the meaning of GDPR Article 22.
11. Children's Privacy
The Service is not directed at children. Parents or guardians who believe a child has provided personal data may contact us.
12. Changes
We may update this Privacy Policy periodically. Changes will be posted on this page with an updated revision date.
13. Contact
For questions about this privacy policy or our data practices: