Privacy Policy

Last updated: 11 April 2026

1. Who we are

SpotMatch (spotmatch.fostorial.co.uk) is operated as a personal project. For the purposes of UK GDPR and EU GDPR, the operator of this site is the data controller. You can contact us about privacy matters at fostorial@fostorial.co.uk.

2. What data we collect and why

2.1 Account data

When you register for an account we collect:

Legal basis: Contract (Article 6(1)(b) UK/EU GDPR) — processing is necessary to provide the account service you requested.

2.2 Deck and symbol data

When you create decks or upload symbols we store the deck title, description, configuration, symbol labels, and the PNG images you upload. This content is associated with your account.

Legal basis: Contract (Article 6(1)(b)).

2.3 Session data

We use a server-side session to keep you logged in. A session cookie (spotmatch.sid) is set in your browser. Sessions expire after 8 hours of inactivity. The cookie is HttpOnly, SameSite=Lax, and Secure on production.

Legal basis: Legitimate interests (Article 6(1)(f)) — session management is strictly necessary to operate the service.

2.4 Password-reset tokens

When you request a password reset we generate a one-time token (stored as a SHA-256 hash) that expires after 1 hour and is invalidated once used.

Legal basis: Contract (Article 6(1)(b)).

2.5 Multiplayer guest data

If you join a multiplayer game as a guest, the display name you choose is stored in your session only and is discarded when the session ends or the game closes.

2.6 Server logs

Our web server logs each HTTP request in standard "combined" format, which includes your IP address, the page requested, HTTP status code, browser type, and referring page. Logs are used solely for diagnosing errors and monitoring availability.

Legal basis: Legitimate interests (Article 6(1)(f)).

3. Analytics cookies (Google Analytics)

We use Google Analytics (ID: G-YMGD7QYPT6) to understand how the site is used in aggregate. Google Analytics sets cookies that track page views and interactions and sends this data to Google LLC (USA), which may process it outside the UK/EEA. This transfer is covered by Google's certification under the EU-US Data Privacy Framework and equivalent UK adequacy arrangements, providing appropriate safeguards under Article 46 UK/EU GDPR.

We only enable Google Analytics if you explicitly consent using the cookie banner shown on your first visit. You can withdraw consent at any time by clicking the button below.

Legal basis: Consent (Article 6(1)(a)).

For more information see Google's Privacy Policy.

4. Email delivery

Password-reset emails are sent via IONOS (1&1 IONOS SE), acting as a data processor on our behalf. Only your email address and the reset link are transmitted.

5. How long we keep your data

Data | Retention
Account (username, email, password hash) | Until you delete your account
Deck and symbol data | Until you delete the deck or your account
Session records | 8 hours from last activity
Password-reset tokens | 1 hour, or immediately on use
Server logs | Rotated periodically; not archived long-term

6. Your rights

Under UK GDPR and EU GDPR you have the right to:

To exercise any of these rights, email us at fostorial@fostorial.co.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority.

7. Cookies summary

Cookie | Purpose | Duration | Essential?
spotmatch.sid | Keeps you logged in (server-side session) | 8 hours | Yes
Google Analytics cookies (_ga, _gid, etc.) | Aggregate usage analytics | Up to 2 years | No — consent required

8. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of the site after a change constitutes acceptance of the updated policy.