Privacy Policy
Last updated 2026-05-10
This Privacy Policy describes what data Where in Time (whereintime.ai) collects, why, and what we do with it. We try to collect as little as we can while still running a working multiplayer game with subscriptions.
What we collect
From everyone (anonymous play)
- Pageview analytics via Plausible — cookieless, no personal identifiers, no fingerprinting. We see aggregated counts (page, country, referrer, device type), not individuals.
- Game state — the scenes you've seen recently (so you don't get repeats), the rounds you've played, your scores and guesses. Stored in our Redis database keyed by a session ID, not by a personal identifier.
- An anonymous Casual-play counter stored in your browser's localStorage (wit-casual-demo-used) used to enforce the free-play limit on the demo wall. It's a small integer with no link to your identity, never transmitted to our servers, and cleared when you clear your browser data.
- Server logs — IP addresses appear briefly in our hosting provider's request logs (Render). Used for rate-limiting and debugging. Not retained long-term, not sold, not shared.
If you sign in
- Email and authentication metadata via Clerk (our authentication provider). We see your email address; Clerk handles password storage if you use one. If you sign in with Google or another OAuth provider, we receive your email and a stable user ID from that provider — nothing else.
- Pseudonym — the display name you set on leaderboards. You choose this; it's public.
- Score history — your last 100 games, total games played, daily streak, current and best leaderboard positions.
If you subscribe to Pro
- Stripe customer ID and subscription state — we store the link between your account and your Stripe customer ID, plus the current state of your subscription (active, canceled, past due) and the period end date.
- Payment details — handled entirely by Stripe. We never see, touch, or store your card number, CVV, billing address, or any other payment data. Stripe's privacy policy: stripe.com/privacy.
Where it lives
| Service | What's stored there | Purpose |
| Render | Server logs, deploys | Hosting / compute |
| Cloudflare R2 | Panorama images, title-screen videos | Asset CDN |
| Upstash Redis | Game state, scores, pseudonyms, leaderboards, daily mode state, subscription cache | Database |
| Clerk | Account + auth (email, OAuth tokens, hashed password if used) | Authentication |
| Stripe | Payment data, customer + subscription records | Billing |
| Plausible | Aggregated, anonymized pageview events | Analytics |
Cookies and similar tech
We use a small number of cookies, all functional:
- wit-pass — set if the site is behind the beta passcode gate. 1-year expiration. Stores the passcode value to skip the form on return visits.
- Clerk session cookies — set when you sign in. Required for authenticated features. See Clerk's privacy policy.
- Stripe cookies — set on Stripe-hosted Checkout / Customer Portal pages, not on whereintime.ai itself. See Stripe's privacy policy.
Free-play limits and UI preferences are stored in your browser's localStorage, not in cookies — see the "From everyone" section above.
We do not use Google Analytics, Facebook Pixel, advertising cookies, fingerprinting, or any third-party tracker. Plausible analytics are explicitly cookieless.
What we do with your data
- Run the game — match you to scenes you haven't seen, score your guesses, place you on leaderboards.
- Operate subscriptions — verify your Pro status when you play, send you billing receipts (via Stripe), let you cancel or update your card.
- Improve the product — aggregate, anonymized usage patterns from Plausible help us decide what to build next.
- Communicate with you — only if you contact support, or if there's a security incident or material change to these terms.
We do not sell, rent, or share your personal data with third parties for advertising. We do not use your data to train AI models.
Your rights
- Access — email support@whereintime.ai and we'll send you everything we have on you.
- Deletion — same email. We'll delete your account, scores, pseudonym, and Redis data within 30 days. Cancel any active subscription via the Customer Portal first; deletion does not auto-cancel billing.
- Correction — you can update your pseudonym in your account settings. For other data, email us.
- Export — same email. We'll send a JSON dump of your scores and profile.
If you are a resident of the EU, UK, or California, you have additional rights under GDPR / UK GDPR / CCPA. We honor those rights for everyone, regardless of residence.
Children
The Service is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe we have, contact us and we will delete it.
Changes to this Policy
The "Last updated" date at the top reflects the most recent change. Continued use of the Service after changes are posted constitutes acceptance. For material changes, we will make reasonable effort to notify active users.
Contact
Privacy questions, deletion requests, or complaints: support@whereintime.ai.