Privacy Policy
How we handle your data.
Last updated: May 2026 · Effective on launch
Who we are
timemachina.com is operated by inithouse.com s.r.o., a Czech limited liability company registered in the Prague Commercial Register. Address and registration number available on request to gdpr@inithouse.com.
We are the data controller for personal data processed through the timemachina.com service.
What we collect
- Account data — email address (required for authentication), display name, optional avatar, language preference.
- Gameplay data — games you start, individual round guesses, scores, hints used.
- Travel requests — the place, year, and free-text prompt you submit, plus the resulting image metadata.
- Technical data — IP address (for rate limiting and abuse prevention), user-agent string, browser-set cookies (session, locale, guest token).
- Cookies and similar — see the cookies section below.
Why we process it (lawful basis)
- Service delivery — running the game, generating panoramas, showing leaderboards. Lawful basis: contract (you’re using the service).
- Anti-abuse — rate limiting and bot detection. Lawful basis: legitimate interest.
- Cost control and reliability — error tracking and product analytics in a cookie-less, EU-hosted mode. Lawful basis: legitimate interest.
- Account communications — confirmation emails, password resets. Lawful basis: contract.
Where your personal data actually lives
Only the providers below ever touch personal data — account identifiers, your gameplay history, the prompts you type, the email we send you. Each is engaged under a signed Data Processing Agreement. A current named list is held internally and shared on request to gdpr@inithouse.com.
- Database and authentication — your account, gameplay history, and travel requests. Hosted in the EU.
- Application hosting — runs the pages and the API. Sees signed-in session cookies and IP addresses inherent to any web request.
- Generative image provider — receives the prompt text we compose for Travel-mode requests and returns the rendered panorama. The prompt we send does not include your account identity.
- Anti-bot verification — checks that travel requests come from a human; sees a short-lived signal scoped to its own domain.
- Transactional email — delivers sign-in and password-reset messages to the email you registered with.
- Error reporting and product analytics — anonymised performance and crash data; personal identifiers are scrubbed before transmission. EU-hosted, cookie-less.
The generated panoramas themselves and the base-map tiles are public content served via a content-delivery network and a tile service respectively. Your browser fetches these like it would any image or font on the open web — they don’t hold your account data and they aren’t engaged as processors of your personal data.
We do not sell or rent your data. We do not run advertising tracking. We do not share your data with any party other than the processors listed above.
Retention
- Account and gameplay data: kept until you delete your account.
- IP addresses on travel requests and rate-limit counters: up to 30 days.
- Error reports: 90 days.
- Analytics events: 1 year.
When you delete your account, we soft-delete it immediately and hard-delete the data after a 14-day cool-off window. The cool-off lets you change your mind.
Your rights
Under the GDPR, you have the right to:
- Access — get a copy of the data we hold. Use the JSON export at any time.
- Erasure — request deletion via the delete page.
- Rectification — fix incorrect data. Email gdpr@inithouse.com.
- Restriction — ask us to stop processing while a dispute is resolved.
- Objection — to processing based on legitimate interest.
- Data portability — the JSON export is machine-readable.
- Complaint — to the Czech Office for Personal Data Protection (www.uoou.cz).
Cookies
We use only strictly-necessary cookies: an authentication session cookie, a language preference, and a guest token that lets you finish a game without signing in. No advertising cookies. Analytics runs in cookie-less mode. See the Cookie Policy for the full list.
Children
The timemachina.com service is not directed at children under 16. We don’t knowingly collect data from users under 16 — if you believe we have, contact us and we’ll delete it.
Changes to this policy
We’ll update this page when our processing changes materially and surface a notice at sign-in for at least 14 days.
Contact
Data protection enquiries: gdpr@inithouse.com. General contact: /contact.
This policy is provided as a working draft. Before public launch, inithouse.com s.r.o. legal counsel should review the final wording.