PRIVACY POLICY

In short: To play on couch-games.com and in our apps you don't need an account; we use no cookies, trackers or advertising. During a multiplayer session your IP address, player name and inputs are transmitted between the players; beyond the session we store no game data. Playing via the third-party platform AirConsole is also subject to its terms (see below). Full details follow below.

This privacy policy applies to the Couch Games offering: the couch-games.com website, the web games provided through it (currently HexStacker at hexstacker.com), the Couch Games app (Android and iOS) and the associated TV apps (Android TV and Apple TV). It also covers future Couch Games titles insofar as they use the same infrastructure – regardless of the domain or subdomain under which they are provided. This infrastructure includes in particular the game and helper servers described below. Playing a game via a third-party platform is described separately under "Use via AirConsole".

Controller
The controller within the meaning of the GDPR is:
Tim Vogel
info@couch-games.com
Postal address: see Imprint
Data
IP addresses are processed by the web server when you access our websites. Web server access logs are stored for security and operational purposes for a maximum of 7 days and then automatically deleted.
During a multiplayer session, our game server processes your IP address and relays the messages between the devices. When you join via the Couch Games app, the scanned or entered room code is transmitted to the game server in order to find the corresponding game room. The data required for gameplay (e.g. your player name and your inputs) is then relayed via the game server to the other devices in the room (see "Gameplay"). The game server itself does not store any connection data. To the extent that infrastructure-side logs are generated at our processor for technical reasons, the information under "Hosting" applies.
For direct connections between game devices, a helper server (STUN server, see "Hosting") is additionally involved, which helps the devices establish the connection. No game data is transmitted via it, and it stores no data.
The TV apps open a game room and connect to the game server for this purpose, and – for direct controller connections – also to the helper server. As with any device, their IP address is processed in doing so. They do not access any website.
Besides the controller, the recipient of the connection data is the processor named under "Hosting", who may in turn engage sub-processors; these are contractually bound to the same level of data protection (Art. 28(4) GDPR). No further disclosure takes place. The processing is carried out on the basis of the legitimate interest in operating the service (Art. 6(1)(f) GDPR). Providing your IP address is technically necessary in order to access our websites and take part in the game; without this data, use of the service is not possible. There is no further statutory or contractual obligation to provide it.
Tracking and local storage
No cookies, no analytics or advertising services and no third-party trackers are used. Strictly necessary for game operation within the meaning of § 25(2) no. 2 TDDDG is the local storage of a few settings in the device's browser (e.g. the last entered player name, the chosen player colour, mute state, further display settings and a reconnection ID that applies only to the current game room). This local storage is not a tracking measure; it merely serves to retain these settings for the next session. The Couch Games app displays the game controller in an integrated browser (WebView); the browser storage described above therefore also applies when using the app. In addition, the app itself stores the last used player name locally on the device only, in order to suggest it at the next start. The last joined game room (room code and associated link), by contrast, is not stored permanently but only held temporarily in memory and automatically discarded after a short time or at the latest when the app is closed. This local storage is strictly necessary for operation (§ 25(2) no. 2 TDDDG) and does not serve tracking purposes. The TV apps store no data on the device at all: settings such as mute state exist only for the current session and are not stored permanently.
Camera and QR scan (App)
The Couch Games app can use your device's camera to scan the QR code of a game room shown on the TV or screen. The camera image is processed exclusively locally on the device; no images are stored or transmitted. Only the room link contained in the QR code is evaluated. Camera access occurs solely at your active initiative, when you tap the scan function. Before first access, the operating system asks for your permission to use the camera; you can revoke this permission at any time in the device settings. Since the camera image is only evaluated locally and is not stored or transmitted, no personal data is collected in the process. On iOS, scanning is performed via the operating system's camera interface (Apple AVFoundation); on Android it is performed directly in the app via an embedded scanning library (Google ML Kit) that recognises the QR code entirely locally on the device. Camera images are not transmitted to Google or any other third parties in doing so.
Gameplay
The data required for gameplay (e.g. player names and inputs) is transmitted between players via the game server during a session and is not stored beyond the session. To reduce input latency, individual inputs may, where technically possible, be transmitted directly between the participating devices; otherwise the transmission runs via the game server (which merely forwards the messages). In direct connection mode, the participating devices exchange their IP addresses for this purpose. The processing is carried out on the basis of the legitimate interest in operating the service (Art. 6(1)(f) GDPR).
App Stores
The Couch Games app and the TV apps are distributed via the Apple App Store and Google Play. When downloading and using them, these platforms process their own data (e.g. download and, where applicable, diagnostic data) on their own responsibility in accordance with their respective privacy policies. The apps themselves contain no analytics, advertising or tracking services, no crash reporting to third parties and no device or advertising identifiers.
Use via AirConsole
Some of our games (currently HexStacker) can also be played via the third-party platform AirConsole (N-Dream AG, Löwenstrasse 65, 8001 Zurich, Switzerland). When a game is played via AirConsole, the game connection does not run via our infrastructure but via AirConsole's platform. In this respect AirConsole is an independent controller. Using AirConsole is subject to its own requirements; in accordance with its own privacy policy, AirConsole processes the data arising from use of the platform (such as profile or account data including the name chosen there, connection data, usage statistics and, where applicable, advertising delivered via the AirConsole interface). For Switzerland, an adequacy decision of the EU Commission is in place. Our own processing of game data is likewise limited to what is necessary in this case (no storage beyond the session, data minimisation); no account with us is required for it. The AirConsole privacy policy applies in addition.
Hosting
The websites and the helper servers (including stun.hexstacker.com and stun.couch-games.com) are hosted on the controller's servers in Germany. The game servers used for multiplayer and room search (including ws.hexstacker.com and ws.couch-games.com) are operated for us by Fly.io, Inc. (Chicago, USA) as a processor pursuant to Art. 28 GDPR. Because the game servers run across multiple regions, data traffic may also be routed via locations outside the EEA; such transfers are safeguarded by the EU Standard Contractual Clauses (Decision (EU) 2021/914, Module 2 pursuant to Art. 46(2)(c) GDPR) as well as supplementary technical measures (TLS encryption in transit). Fly.io, Inc. is additionally certified under the EU-US Data Privacy Framework (adequacy decision (EU) 2023/1795). We provide a copy of the Standard Contractual Clauses on request.
Rights of data subjects
You have the right of access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17) and restriction of processing (Art. 18). A right to data portability (Art. 20 GDPR) does not exist, as we do not store any data on the basis of consent or a contract. To exercise these rights, please contact the controller at the email address given above. Your separate right to object under Art. 21 GDPR is set out below. Automated decision-making, including profiling (Art. 22 GDPR), does not take place.
Supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach.
www.lda.bayern.de

Right to object (Art. 21 GDPR)

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is carried out on the basis of legitimate interest (Art. 6(1)(f) GDPR) (Art. 21(1) GDPR). An informal email to the address given in the Imprint is sufficient to exercise your right to object.