Privacy Policy

Note: due to severe lack of time, this privacy statement is provided only in English until further notice.

Old version (still applicable, but not GDPR compliant)


Besides your logo configuration and your flag collection, only your user name, your team id and the CHPP tokens are stored. This data is not shared with anyone (well, technically employees of our hoster have access to the data and there is no way for us to prevent this). To keep you logged in, a browser cookie is required. It expires when you close your browser; deleting it will only force you to authenticate again (if you haven't chosen automatic login or have deleted the persistent cookie), and your chosen language will be forgotten. The automatic login feature saves you from having to authenticate on every visit (which leads to an ingame message); for this, a persistent cookie is required. If this cookie is deleted, you'll have to authenticate again. The lifetime of this cookie is one month; after that, automatic login is no longer possible.

TL;DR Version

Legalese Version

This is a private website that offers helpful services for the online game Hattrick (hereinafter called HT). There is no interest in spying on you or collecting any data except those mandatory for the functionality of the offered services. Most of the stored data can hardly be considered personal, some of it however might be; for details see below.

Processing of personal data shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable. By means of this data protection declaration, we would like to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.

We have implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed.
Since all personal data is fetched from HT via CHPP API, there is no way to submit data other than that.

1. Definitions

This data protection declaration is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public, as well as our users.

In this data protection declaration, we use, inter alia, the following terms:

2. Name and Address of the controller

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

The HT user mindw0rm

Email: [Note: HT mail is preferred! Use email only if your HT account is no longer accessible.]

3. Cookies

This website uses the following cookies to keep track of your session:

The session cookie is mandatory for the provided functionality (except for pages that are reachable without login). Deleting this cookie will log you out, but it will be automatically set again (with a different value) on your next visit.
The autologin cookie is optional and will only be set if you explicitly choose so during login.

4. Collection of general data and information

Our website collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files. Collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on our information technology systems.
The server log files are managed and maintained by our webhosting provider Strato AG; we cannot prevent this logging.
The IP address should be the only data considered personal information, and that is deleted after at most seven days according to their info. The server and every other system that might come into contact with your data due to internal procedures of our hosting provider is located in Germany. None of the data is transferred to another country, except to your web browser when you access the pages.
An agreement with Strato for the outsourcing of data processing was concluded.

Apart from the server logs, none of this data is processed by the website itself, with the exception of the user agent (to handle OS specific quirks) and the submitted form and URL data (aka GET and POST data). The submitted data is mandatory to ensure full functionality of the services. Most of the submitted data is also stored permanently until you change it or use the Optout functionality provided below.

5. Registration on our website

Registration/Login is handled via CHPP OAuth. For this purpose, you are redirected to the CHPP login page, where you log in with your HT credentials. After a successful submit, the CHPP page redirects back to us to provide us with OAuth tokens that can be used to access data via the CHPP API. The password entered on the CHPP site is never submitted to us.
Note that HT does not consider any of this data (including your username) as personal data, so they don't even mention CHPP in their privacy statement. While we can understand this viewpoint, we consider some of the data, namely your HT username, as personal data according to this privacy statement. This data is stored permanently, along with the latest OAuth tokens, until you request a delete (see below). None of the data is shared with any third party except HT: we require both the OAuth tokens and your team ID(s) to fetch the data required to provide our services (namely the flag collection).

The registration of the data subject, with the voluntary indication of personal data, is intended to enable the controller to offer the data subject contents or services that may only be offered to registered users due to the nature of the matter in question. Registered persons are free to have all data associated with them completely deleted from the data stock of the controller.

The data controller shall, at any time, provide information upon request to each data subject as to what personal data are stored about the data subject. In addition, the data controller shall correct or erase personal data at the request or indication of the data subject, insofar as there are no statutory storage obligations.

6. Routine erasure and blocking of personal data

There is no routine erasure/blocking implemented yet. If you want your data deleted, you need to request it manually (see below).

7. Rights of the data subject

8. Legal basis for the processing

Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR. Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).

9. The legitimate interests pursued by the controller or by a third party

Where the processing of personal data is based on Article 6(1) lit. f GDPR our legitimate interest is to provide our services.

10. Period for which the personal data will be stored

Any data will be stored until you explicitly request a delete. Even if your HT account is no longer accessible, we will still keep the data (there is no automation to check if an account is still accessible).

11. Provision of personal data as statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the data subject to provide the personal data; possible consequences of failure to provide such data

We clarify that the provision of personal data is required to provide our services.

12. Existence of automated decision-making

We do not use automatic decision-making or profiling. We don't even use any access analysis.

This Privacy Policy is based on one that has been generated by the Privacy Policy Generator of the External Data Protection Officers that was developed in cooperation with the Media Law Lawyers from WBS-LAW. [but modified by us, since alas, we are no business. Any mistakes herein are made by us. Thanks for the service!]


This feature requires that you are logged in.

If you cannot log in because your HT account is no longer accessible, please send an email to If your account is indeed no longer accessible (i.e. shown as "a former user" in HT), we will delete all data associated with it. If your name is still shown, we will ask a GM whether this account is indeed not accessible, but cannot guarantee that they will answer - afaik there is a strict 'no info on locked accounts' policy in HT, but maybe they make an exception in that case. It will be helpful if you send the mail from the email address that you used to register at HT. We will share your email address with the GM, but ask for your consent first.
If the given account still seems accessible, we will assume you are just trolling us and deny your deletion request, unless you can provide some solid proof that this is indeed your account. We have no idea what this proof might look like.
Maybe contact HT and persuade them to forward the deletion request to us.