Wikiracer

The encyclopedia racing game

Privacy Policy

Last updated: March 15, 2026

1. Introduction

Wikiracer ("we," "us," or "our") is operated by Aaron Smolyar. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at wikiracer.pro (the "Service"). By using the Service, you consent to the data practices described in this policy.

If you have questions or concerns about this policy, please contact us at aaron.smolyar@gmail.com.

2. Information We Collect

Account Information

  • Email address (provided during registration or via Google OAuth)
  • Username (chosen during profile setup, 3–20 characters)
  • Profile picture / avatar (uploaded by you or imported from Google)
  • Password (stored as a cryptographic hash; we never store plaintext passwords)

Google OAuth Data

If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

Game & Activity Data

  • Game rounds played, including articles visited, hop counts, times, and paths taken
  • Scores, ratings (Glicko-2), league/division rankings, and weekly points
  • Daily challenge completions and streak data
  • Multiplayer match results (Showdown and Party modes)
  • Daily mission progress and claimed rewards

Social Data

  • Friend connections and friend request history
  • Game invites sent and received
  • User reports submitted about other players

Technical Data

  • IP address — used transiently for rate limiting only; not stored persistently
  • Browser type, device information, and page view data — collected automatically by Vercel Analytics (anonymized via IP hashing)

3. How We Use Your Information

  • Provide, operate, and maintain the Service (gameplay, leaderboards, matchmaking)
  • Manage your account and authenticate your identity
  • Calculate rankings, ratings, and league standings
  • Enable social features (friends, invites, parties)
  • Moderate content for safety (avatars, usernames, user reports)
  • Monitor and analyze usage trends and performance (analytics)
  • Enforce our Terms of Service and protect against abuse
  • Communicate with you about your account or the Service

4. Cookies & Local Storage

We use the following cookies:

Cookie | Purpose | Duration
sb-*-auth-token | Authentication session (managed by Supabase) | 1 hour (access) / 7 days (refresh)
profile_complete | Tracks whether your profile setup is finished | 1 year
ban_check | Caches account standing to reduce database queries | 5 minutes
has_warning | Indicates an unread moderation notice | 1 hour

All cookies are essential to the operation of the Service. We do not use advertising or tracking cookies.

5. Third-Party Services

We use the following third-party services to operate Wikiracer. Each service may process your data according to its own privacy policy:

  • Supabase — Database hosting, user authentication, and file storage (avatar images). Supabase stores your account data, game records, and social connections in PostgreSQL.
  • Google OAuth — If you choose to sign in with Google, your authentication is processed through Google's OAuth 2.0 service. We receive your name, email, and profile picture.
  • Anthropic (Claude AI) — When you upload an avatar image, it is sent to Anthropic's API for automated content moderation. The image is analyzed for safety and is not stored by Anthropic beyond the API request.
  • Vercel — Website hosting and analytics. Vercel Analytics collects anonymized page view and performance data (IP addresses are hashed, not stored in raw form).
  • Upstash Redis — Server-side caching for performance optimization. Cached data includes Wikipedia article content (no personal data is cached).
  • Hetzner — Hosts our real-time multiplayer event bus (WebSocket server) and pathfinding API on a dedicated server in Germany. Game events and connection data are processed on this server.
  • Wikipedia API — We fetch Wikipedia article content for gameplay. No user data is sent to Wikipedia.
  • Adobe Fonts (Typekit) — Provides custom fonts for the website. Standard HTTP request data (IP, user agent) is sent when fonts are loaded.

6. Data Retention

  • Account & game data — Retained for as long as your account is active. If you delete your account, your profile data is permanently deleted. Game history records may be retained in anonymized form.
  • Authentication sessions — Access tokens expire after 1 hour; refresh tokens expire after 7 days.
  • Server logs — Retained for approximately 2 weeks through Vercel's logging infrastructure.
  • Rate limiting data — Stored in-memory only; cleared automatically within approximately 1 minute.
  • Real-time event data — Buffered for 30 seconds maximum, then discarded.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Request correction of inaccurate data
  • Erasure — Request deletion of your personal data
  • Portability — Request your data in a machine-readable format
  • Objection — Object to processing of your data for certain purposes
  • Restriction — Request that we limit processing of your data

To exercise any of these rights, please contact us at aaron.smolyar@gmail.com. We will respond to your request within 30 days.

8. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of your personal information

We do not sell your personal information. To exercise your rights, contact us at aaron.smolyar@gmail.com.

9. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at aaron.smolyar@gmail.com.

10. Data Security

We implement reasonable technical and organizational measures to protect your personal data, including encrypted connections (HTTPS/WSS), secure authentication tokens, and access controls. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Email: aaron.smolyar@gmail.com

See also: Terms of Service