Privacy Policy

Note: due to severe lack of time, this privacy statement is provided only in English until further notice.

Old version (still applicable, but not GDPR compliant)


Besides the logo configuration and your flag collection, only your manager name, your team ID and the CHPP tokens are stored. This data is not passed on to anyone (although, strictly speaking, the employees of our hosting provider have access to the database; this cannot be prevented). A browser cookie is required to maintain the session. It expires when the browser is closed; deleting the cookie only requires a new authentication (unless automatic login is selected and its persistent cookie was not deleted as well). Automatic login avoids the need for a new authentication (which results in a message in the game) on every visit. This requires a persistent cookie. Deleting this cookie makes a new authentication necessary. The cookie has a lifetime of one month, after which the automatic login expires.

TL;DR Version

Legalese Version

This is a private website that offers helpful services for the online game Hattrick (hereinafter called HT). There is no interest in spying on you or collecting any data except those mandatory for the functionality of the offered services. Most of the stored data can hardly be considered personal; some of it, however, might be. For details see below.

Processing of personal data shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable. By means of this data protection declaration, we would like to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.

We have implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed.
Since all personal data is fetched from HT via CHPP API, there is no way to submit data other than that.

1. Definitions

This data protection declaration is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public, as well as our users.

In this data protection declaration, we use, inter alia, the following terms:

2. Name and Address of the controller

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

The HT user mindw0rm

Email: [Note: HT mail is preferred! Use email only if your HT account is no longer accessible.]

3. Cookies

This website uses the following cookies to keep track of your session:

The session cookie is mandatory for the provided functionality (except for pages that are reachable without login). Deleting this cookie will log you out, but it will be automatically set again (with a different value) on your next visit.
The autologin cookie is optional and will only be set if you explicitly choose so during login.

4. Collection of general data and information

Our website collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files. Collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on our information technology systems.
The server log files are managed and maintained by our web hosting provider Strato AG, and this logging cannot be prevented by us.
The IP address should be the only data considered personal information, and that is deleted after at most seven days according to their info. The server and every other system that might get in contact with your data due to internal procedures of our hosting provider is located in Germany. None of the data is transferred to another country, except to your web browser when you access the pages.
An agreement with Strato for the outsourcing of data processing was concluded.

Apart from the server logs, none of this data is processed by the website itself, with the exception of the user agent (to handle OS-specific quirks) and the submitted form and URL data (aka GET and POST data). The submitted data is mandatory to ensure full functionality of the services. Most of the submitted data is also stored permanently until you change it or use the Optout functionality provided below.

5. Registration on our website

Registration/Login is handled via CHPP OAuth. For this purpose, you are redirected to the CHPP login page, where you log in with your HT credentials. After a successful submission, the CHPP page redirects back to us and provides us with OAuth tokens that can be used to access data via the CHPP API. The password entered on the CHPP site is never submitted to us.
Note that HT does not consider any of this data (including your username) as personal data, so they don't even mention CHPP in their privacy statement. While we can understand this viewpoint, we consider some of the data, namely your HT username, as personal data according to this privacy statement. This data is stored permanently, along with the latest OAuth tokens, until you request a delete (see below). None of the data is shared with any third party except HT: we require both the OAuth tokens and your team ID(s) to fetch the data required to provide our services (namely the flag collection).

The registration of the data subject, with the voluntary indication of personal data, is intended to enable the controller to offer the data subject contents or services that may only be offered to registered users due to the nature of the matter in question. Registered persons are free to have all data associated with them completely deleted from the data stock of the controller.

The data controller shall, at any time, provide information upon request to each data subject as to what personal data are stored about the data subject. In addition, the data controller shall correct or erase personal data at the request or indication of the data subject, insofar as there are no statutory storage obligations.

6. Routine erasure and blocking of personal data

There is no routine erasure/blocking implemented yet. If you want your data deleted, you need to request it manually (see below).

7. Rights of the data subject

8. Legal basis for the processing

Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR. Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).

9. The legitimate interests pursued by the controller or by a third party

Where the processing of personal data is based on Article 6(1) lit. f GDPR our legitimate interest is to provide our services.

10. Period for which the personal data will be stored

Any data will be stored until you explicitly request a delete. Even if your HT account is no longer accessible, we will still keep the data (there is no automation to check if an account is still accessible).

11. Provision of personal data as statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the data subject to provide the personal data; possible consequences of failure to provide such data

We clarify that the provision of personal data is required to provide our services.

12. Existence of automated decision-making

We do not use automatic decision-making or profiling. We don't even use any access analysis.

This Privacy Policy is based on one that has been generated by the Privacy Policy Generator of the External Data Protection Officers that was developed in cooperation with the Media Law Lawyers from WBS-LAW. [but modified by us, since alas, we are no business. Any mistakes herein are made by us. Thanks for the service!]


You need to be logged in for this.

If you cannot log in, because your HT account is no longer accessible, please send an email to If your account is indeed no longer accessible (i.e. shown as "a former user" in HT), we will delete all data associated with it. If your name is still shown, we will ask a GM whether this account is indeed not accessible, but cannot guarantee that they will answer - afaik there is a strict 'no info on locked accounts' policy in HT, but maybe they make an exception in that case. It will be helpful if you send the mail from the email address that you used to register at HT. We will share your email address with the GM, but ask for your consent first.
If the given account still seems accessible, we will assume you are just trolling us, and deny your deletion request, unless you can provide some solid proof that this is indeed your account. We have no idea what this proof might look like.
Maybe contact HT and persuade them to forward the deletion request to us.