Privacy Policy
Last updated: February 16, 2026
The Boardgame Librarian ("we", "us", "our") is a free, AI-powered question-answering service for board game rules. We are committed to protecting your privacy and being transparent about what data we collect and why.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website at boardgamelibrarian.ai ("Web App") and our Telegram bot @TheBoardgameLibrarianBot ("Telegram Bot"), collectively referred to as the "Service".
1. Who We Are
The Boardgame Librarian is an independent, non-commercial project created and operated by an individual developer. This is a passion project built for the board gaming community — not a company or commercial entity.
Data Controller contact: admin@boardgamelibrarian.ai
2. What Data We Collect
We collect only the minimum data necessary to provide and improve the Service. Here is exactly what we collect, depending on how you use the Service.
2.1 Web App Users (boardgamelibrarian.ai)
When you register for a free account on the Web App, we collect:
- Account information: email address, display name, and a securely hashed password (we never store your password in plain text).
- Preferences: your chosen language, theme preference (light/dark), and favorite games list.
- Questions and answers: the board game questions you ask, the AI-generated answers you receive, the game you selected, and timestamps.
- Feedback: if you rate an answer as helpful or not helpful, we store that rating and any optional comment you provide.
- Session data: authentication tokens stored in secure, HTTP-only cookies transmitted exclusively over HTTPS to keep you logged in.
2.2 Telegram Bot Users
When you use the Telegram Bot, Telegram shares with us:
- Telegram profile data: your Telegram chat ID, username, first name, last name, and language preference. This is standard Telegram Bot API behavior — we do not request any additional permissions.
- Questions and answers: same as Web App — your questions, the AI answers, game context, and timestamps.
- Feedback: your helpful/not helpful ratings and optional comments.
We do not access your Telegram contacts, media, location, or any other Telegram data beyond what is listed above.
2.3 Automatically Collected Data
We do not use any third-party analytics services (no Google Analytics, no Facebook Pixel, no tracking scripts). We collect:
- Server logs: basic request logs (IP address, timestamp, requested URL, HTTP status code) retained for 7 days for security and debugging purposes.
- Performance metrics: aggregate, non-personal service performance data (response times, error rates) used to maintain service reliability.
We do not collect browser fingerprints, device identifiers, or advertising identifiers.
3. How We Use Your Data
We use your data exclusively for the following purposes:
- Providing the Service: processing your questions, generating AI answers from our indexed knowledge base, and displaying your conversation history.
- Account management: authenticating your identity, managing your preferences, and enabling features like conversation history and favorite games.
- Service improvement: analyzing aggregate, anonymized usage patterns to improve answer quality, identify commonly asked questions, and prioritize which games to add to our knowledge base.
- Security: protecting against unauthorized access and abuse, and ensuring service availability.
We do not use your data for advertising, profiling, automated decision-making, or any purpose other than those listed above.
4. AI Processing and Third-Party Services
To generate answers, your questions are processed by third-party AI providers through the OpenRouter API gateway. This means your question text (not your personal information) is sent to AI model providers, which may include:
- Anthropic (Claude)
- OpenAI (GPT models)
- Google (Gemini)
- Mistral AI
These providers process your question text solely to generate an answer and do not use your questions to train their models when accessed via API (per their respective API terms of service). We do not send your email address, name, Telegram ID, or any other personal identifier to these providers — only the question text and relevant knowledge base excerpts.
For full details on how each provider handles API data, please refer to their respective privacy policies.
5. Cookies
We use only strictly necessary cookies required for the Service to function. We do not use any marketing, advertising, or analytics cookies.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session token | Keeps you logged in on the Web App | Strictly necessary | 2 hours |
| CSRF token | Protects against cross-site request forgery attacks | Strictly necessary | Session |
All cookies are:
- HTTP-only: not accessible to JavaScript, protecting against cross-site scripting (XSS) attacks.
- Secure: transmitted only over encrypted HTTPS connections.
- SameSite=Lax: providing additional protection against cross-site request forgery.
Because we use only strictly necessary cookies, no cookie consent banner is required under EU regulations (GDPR Recital 32, ePrivacy Directive Article 5(3)). You can disable cookies in your browser settings, but this will prevent you from using the Web App's authenticated features. The Telegram Bot does not use cookies.
6. Data Storage and Security
6.1 Where Your Data Is Stored
All data is stored on servers located in the European Union (Hetzner Cloud, Germany/Finland). Your data never leaves the EU except when question text is sent to AI providers for answer generation (see Section 4).
6.2 How We Protect Your Data
We implement the following security measures:
- Password protection: passwords are hashed using a strong cryptographic algorithm with a unique salt per user. We never store plain-text passwords.
- Encrypted connections: all data transmitted between your browser and our servers is encrypted using HTTPS/TLS. The Service is only accessible over HTTPS.
- Secure cookies: authentication cookies are HTTP-only (not accessible to JavaScript), marked Secure (transmitted only over HTTPS), and set with a SameSite=Lax policy.
- Access control: role-based access control limits who can access user data. All services run on private networks not accessible from the internet.
- Login protection: after 5 failed login attempts, accounts are temporarily locked for 10 minutes.
- Regular backups: automated daily backups with 7-day retention to prevent data loss.
- No direct database exposure: all database services are internal-only, behind a reverse proxy. No database port is accessible from the internet.
7. Data Sharing
We do not sell, rent, trade, or share your personal data with any third party for their own purposes. Period.
The only circumstances where data may be shared:
- AI providers (see Section 4): your question text only (not personal data) is sent to generate answers.
- Legal obligations: if required by applicable law, court order, or government request.
- Future publisher analytics (planned): we may offer game publishers aggregated, anonymized insights about which rules confuse players most. This data will be statistical only (e.g., "42% of questions about Game X relate to scoring") and will never include any personal information or individual questions.
8. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until you request account deletion | Required for Service |
| Questions and answers | Until you request account deletion | Conversation history feature |
| Feedback ratings | Until you request account deletion | Service improvement |
| Server logs | 7 days | Security and debugging |
| Authentication sessions | 2 hours per session | Security |
| Backups containing user data | 7 days (rolling) | Disaster recovery |
When your account is deleted, your personal data is removed from the active database. Backup copies are purged within 7 days as part of the regular backup rotation.
9. Your Rights (GDPR)
As our servers are in the EU and we process personal data of individuals, we respect the rights granted under the General Data Protection Regulation (GDPR), regardless of where you are located:
- Right of access: you can request a copy of all personal data we hold about you.
- Right to rectification: you can update your account information through the Web App, or contact us to correct inaccurate data.
- Right to erasure ("right to be forgotten"): you can request deletion of your account and all associated data by contacting us at admin@boardgamelibrarian.ai. Telegram users may simply stop using the bot and request data deletion via the same email address.
- Right to data portability: you can request your data in a structured, machine-readable format.
- Right to restriction of processing: you can request that we limit how we use your data.
- Right to object: you can object to any processing based on legitimate interest.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at admin@boardgamelibrarian.ai. We will respond within 30 days.
Legal basis for processing: we process your data based on:
- Contract performance (Article 6(1)(b) GDPR): to provide the Service you signed up for.
- Legitimate interest (Article 6(1)(f) GDPR): for security, fraud prevention, and aggregate service improvement.
10. Children's Privacy
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at admin@boardgamelibrarian.ai and we will promptly delete it.
11. International Data Transfers
Your data is stored in the EU (see Section 6.1). When your question text is processed by AI providers (Section 4), it may be temporarily processed outside the EU. These transfers are governed by the AI providers' own data processing agreements and standard contractual clauses.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify registered Web App users via email for material changes.
- Post a notice on the Service.
We encourage you to review this page periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices:
- Email: admin@boardgamelibrarian.ai
- Telegram: @TheBoardgameLibrarianBot (send /help)
- Web: boardgamelibrarian.ai/contact