🪿

Bot Bot Goose

← home

What we keep, what we don't.

Updated 2026-06-14

In short

We keep the smallest amount of information that lets the game work: enough to remember your streak, your lines, and that you're you on this device. Nothing more.

No analytics. No third-party trackers. No advertising IDs. No fingerprinting. No microphone, camera, or location access. No social-login plug-ins.

Cookies

Two small cookies, both made by us, both needed for the game to work. Neither tracks you across sites. Neither needs a consent banner because they only keep the game functioning.

  • bbg_dev_v1 (lasts about a year). A random ID that tells our server "you, on this device." It carries no personal information. It never leaves our server.
  • bbg_csrf_v1 (lasts a week). A small safety token that stops other websites from submitting forms on your behalf. It carries no identity.

What we store on our server

Linked to the device cookie above:

  • An anonymous account, identified only by an internal ID until you choose to sign in.
  • Your handle, if you set one.
  • Your email address, only if you signed in. We use it so we can recognize you on a different phone. We never share it, and the only message we'll ever send you is a one-tap sign-in link when you ask for it.
  • Your plays: which puzzles you completed and your scores.
  • Your streak.
  • Your lines: the answers you wrote for prompts.
  • Your rank among the Originals, calculated from how well your lines do.

If you contributed during the launch campaign:

  • The answers you submitted, attached to the prompt each was for.
  • Your IP address, briefly, to block spam.

For safety:

  • Records that a sign-in link was requested, kept briefly while it's active and for a short audit window after.
  • Your IP address in spam-rate-limit memory.
  • Your browser's user-agent string, used only to debug access patterns.

What we don't store

  • Your email address inside our sign-in records. Only a one-way fingerprint of it is kept while a sign-in link is alive, so a database leak alone reveals no addresses.
  • Passwords. We don't use any. Sign-in is by emailed link only.
  • Your location. We never ask for it.
  • Any identifying information inside the grid you share.
  • Analytics events. There are none.

Third parties

  • Resend delivers our sign-in emails. They see your email address (they have to, to deliver the message) and keep their own delivery logs, as their privacy policy explains. We don't use anything else from Resend.
  • DigitalOcean hosts our server, our database, and our cache. Their staff don't access your data day-to-day, but the data lives on their hardware, so their policies apply at the infrastructure layer.
  • Cloudflare sits in front of our server as DigitalOcean's edge. They see your IP address, browser identity (user-agent), and the URL you requested in transit, used to terminate TLS and block abusive traffic. We don't use any Cloudflare analytics or marketing features.

That's the whole list.

How long we keep things

Device cookie One year of inactivity
Sign-in link 15 minutes active, brief audit record after
Launch-campaign IPs Until the campaign closes
Plays, lines, leaderboards Until you ask us to delete

We don't auto-purge yet. Email us any time and we'll delete your account by hand.

Identifying yourself

Before we act on a request to access or delete your data, we need to be reasonably sure it's really you.

  • If you signed in with email. We send a verification link to your address. Click it. Same flow as signing in.
  • If you've only played anonymously. The cookie in your browser is the only way we know who you are. The cleanest path is to sign in with magic-link from that same device first (this attaches your anonymous activity to the new account) and then use the signed-in flow above.

If you've cleared the cookie, used incognito, or lost the device, we genuinely can't find you in our database. We don't keep a secondary lookup that would let us undo your anonymity, on purpose. Anonymous play is anonymous.

Your rights

Once you've verified yourself, you can:

  • Ask what we have on you. Send us the request below and we'll send back a copy of every record tied to your verified account.
  • Ask us to delete your account. We'll delete your account record, your lines, your plays, your streak, and your rank. We'll also unlink any anonymous activity the same device produced before you signed in.
  • Sign out of every device. The "Sign out everywhere" button on /me handles this on its own. It doesn't delete data, it just kicks open sessions.

When this page changes

If we add a third party, change what we store, or change how long we keep something, we update this page and note the change in the project changelog.

Contact

For privacy questions, data requests, or anything else, email [email protected].

You don't have an active session on this device. If you're writing about a specific account, open this page on the device you played on so we can show you the account ID to include.

For security issues, please file a private report on GitHub Security Advisories.