English

My Account

With Friends

Privacy policy

Privacy policy

Last updated: 25.06.2026

This Privacy Policy explains how City Code collects, uses, stores, and protects personal data when you use:

the City Code website at citycodegame.com;
the City Code game platform at game.citycodegame.com;
our online detective game Cases, accounts, purchase flows, support channels, and related services.

Together, these are referred to as the “Service”.

This Privacy Policy applies to users worldwide and is designed to comply with the EU General Data Protection Regulation (GDPR), Spanish data protection law, and other applicable privacy laws where relevant.

1. Who is responsible for your data

The data controller is:

Semen Petrov, self-employed sole trader (autónomo) established in Spain, trading as “City Code”
NIF/NIE: Z1415639V
Registered address: 08005, C MARIA AGUILO, 2-4 P03 4, BARCELONA, SPAIN
Contact email for privacy matters: contact@synquests.com

“City Code” is a trading name used by Semen Petrov.

2. What personal data we collect

We collect the following categories of personal data.

2.1 Account data

When you create an account or receive access to the game platform, we may collect and store:

your email address;
your login identifier;
your password in encrypted or hashed form only;
account creation date;
account status;
login history and basic account activity;
account-related settings.

We do not store your password in plain text.

Your email address remains stored in our platform for as long as your account is active or as long as we need it for the purposes described in this Privacy Policy, including account access, support, purchase verification, and legal compliance.

2.2 Authentication, session, role, and platform access data

The game platform uses cookies, local storage, session storage, or similar technologies to operate correctly.

This may include:

authentication tokens;
session tokens;
refresh tokens or persistent login identifiers;
user role information, such as player, host, administrator, team member, or other platform role;
permissions linked to your account;
language, locale, and interface preferences;
game access identifiers;
team, Case, or session access information.

This data is used to keep you logged in, provide access to the correct Cases, show the correct platform interface, maintain security, and ensure that the game works properly.

More information is available in our Cookie Policy.

2.3 Purchase and transaction data

When you purchase access to a Case, we may receive and store limited purchase-related information, including:

the email address used for the purchase;
the Case purchased;
purchase date and time;
transaction identifier;
Paddle customer or transaction reference;
purchase status;
refund or chargeback status, if applicable;
limited billing information provided by Paddle where necessary for support, access verification, accounting, or legal compliance.

We do not store your full payment card details. Payments are processed by Paddle, our payment provider and Merchant of Record.

2.4 Game and Case data

When you use the game platform, we may process data necessary to provide the game experience, including:

Cases assigned or purchased;
game session data;
team or participant access data;
progress through a Case;
attempts;
answers submitted;
results, scores, and completion status;
timestamps of game activity;
technical events needed to run, debug, or secure the game.

This data is required to provide access to the game, maintain progress, calculate results, and support users if something does not work correctly.

2.5 Technical and usage data

When you use the Service, we may collect technical and usage data, including:

IP address;
device type;
browser type and version;
operating system;
approximate location based on IP address;
pages visited;
clicks and interactions;
referring URLs;
date and time of access;
error logs;
security logs;
diagnostic and performance data.

Some of this data is collected automatically. Non-essential analytics and advertising cookies are used only where required consent has been obtained.

2.6 Communications and support data

When you contact us, we may process:

your email address;
phone number, if you provide it;
name, if you provide it;
company or team information, if you provide it;
the content of your message;
attachments, screenshots, or screen recordings you send us;
support history;
communication channel used, such as email, website form, WhatsApp, or social media.

We use this data to respond to you, provide support, investigate issues, and manage requests.

2.7 Marketing data

If you subscribe to marketing emails, request updates, or interact with our marketing campaigns, we may process:

your email address;
marketing consent status;
unsubscribe status;
email engagement data, such as whether an email was opened or a link was clicked, where this tracking is enabled and lawful;
advertising interaction data collected through consent-based marketing tools.

You can unsubscribe from marketing emails at any time.

2.8 Cookie and consent data

We may store information about your cookie choices, including:

whether you accepted, rejected, or configured cookies;
consent timestamp;
consent version;
selected cookie categories;
browser or device identifier needed to remember your choice.

More information is available in our Cookie Policy.

3. How we collect personal data

We collect personal data in the following ways:

3.1 Directly from you

For example, when you:

create an account;
enter your email address;
purchase a Case;
play a Case;
submit answers;
contact us;
request support;
subscribe to emails;
use a contact form or WhatsApp link.

3.2 Automatically through the Service

For example, when:

the platform stores login tokens, session data, roles, or locale settings;
cookies or similar technologies are used;
logs are generated for security, debugging, analytics, or performance;
the Service records game progress or submitted answers.

3.3 From service providers

For example, we may receive limited information from:

Paddle, to confirm purchases, refunds, chargebacks, and billing status;
email delivery providers, to confirm delivery of transactional or marketing emails;
analytics and advertising tools, where you have given consent;
hosting and infrastructure providers, in the form of technical logs or service data.

4. Why we use your data and our legal bases

We process personal data only where we have a lawful basis.

PurposeExamples of data usedLegal basisCreate and manage your accountEmail address, login identifier, password hash, account statusPerformance of a contractProvide access to purchased or assigned CasesEmail address, purchase data, Case access data, game session dataPerformance of a contractKeep you logged in and operate the platformAuthentication tokens, session tokens, user roles, permissions, locale settingsPerformance of a contract / legitimate interestRun the game and save progressGame progress, attempts, answers, results, timestampsPerformance of a contractProcess and confirm purchasesPurchase data, Paddle transaction identifiers, billing statusPerformance of a contract / legal obligationSend transactional emailsAccount access emails, purchase confirmations, service notices, password reset emailsPerformance of a contract / legitimate interestProvide supportEmail, message content, screenshots, technical logs, account and purchase dataPerformance of a contract / legitimate interestMaintain security and prevent fraud or abuseIP address, security logs, authentication data, suspicious activity dataLegitimate interestDebug, maintain, and improve the ServiceError logs, diagnostic data, usage patterns, technical eventsLegitimate interestComply with legal, tax, and accounting dutiesTransaction records, invoices, tax-related dataLegal obligationSend marketing emailsEmail address, marketing consent, unsubscribe statusConsentMeasure analytics and advertising performanceCookie identifiers, analytics events, advertising events, usage dataConsentManage cookie choicesConsent status, consent timestamp, selected categoriesLegal obligation / legitimate interest

Where we rely on consent, you may withdraw consent at any time. Withdrawing consent does not affect processing carried out before withdrawal.

Where we rely on legitimate interest, we do so only where we consider that our interests are not overridden by your rights and freedoms.

5. Cookies, local storage, and similar technologies

The Service uses cookies, local storage, session storage, pixels, tags, and similar technologies.

Some of these technologies are strictly necessary for the website and game platform to work. For example, the platform may use storage technologies to keep you logged in, remember your locale, identify your role, and provide access to the correct Case or game session.

Other technologies, such as analytics and advertising cookies, are used only if you give consent.

More information is available in our Cookie Policy.

6. Who we share your data with

We do not sell your personal data.

We share personal data only where necessary to operate the Service, process purchases, communicate with you, comply with the law, or protect our rights.

We may share data with the following categories of service providers:

6.1 Payment provider

Paddle — payment processing, Merchant of Record services, billing, taxes, invoicing, refunds, chargebacks, and transaction support.

Paddle processes payment and billing data according to its own buyer terms and privacy information.

6.2 Hosting and infrastructure providers

DigitalOcean — hosting of the game platform, databases, and related infrastructure. Our core platform data is hosted in the European Union where configured.

Framer — hosting and operation of the marketing website.

6.3 Email and communications providers

Resend or similar email delivery providers — sending transactional emails, account emails, password reset emails, purchase-related emails, support emails, and marketing emails where applicable.

WhatsApp / Meta — communication with you when you contact us or request information through WhatsApp.

6.4 Analytics and advertising providers

Google Analytics 4 / Google Tag Manager — analytics and tag management, where consent has been given.

Meta Pixel — advertising measurement and campaign performance tracking, where consent has been given.

6.5 Legal and compliance recipients

We may disclose personal data where required by law, court order, public authority request, tax or accounting obligation, or where necessary to establish, exercise, or defend legal claims.

7. International transfers

Our core platform hosting is intended to be located in the European Union.

Some service providers, including Paddle, Google, Meta, Resend, and other infrastructure or communication providers, may process personal data outside the European Economic Area, including in the United States or the United Kingdom.

Where personal data is transferred outside the EEA, we rely on appropriate safeguards where required, such as:

European Commission adequacy decisions;
Standard Contractual Clauses;
the EU–US Data Privacy Framework, where applicable;
additional technical and organisational safeguards where appropriate.

You may contact us for more information about international transfer safeguards.

8. How long we keep your data

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.

Data categoryRetention periodAccount dataFor as long as your account is active. After account closure, deletion request, or prolonged inactivity, we delete or anonymise it unless retention is required for legal, security, accounting, or dispute-resolution reasons.Email address linked to accountFor as long as your account is active or as long as needed to provide access, verify purchases, provide support, prevent abuse, or comply with legal obligations.Password hashFor as long as the account is active, unless reset or deleted earlier.Authentication/session tokensUntil logout, expiry, replacement, or deletion according to platform security settings.Role and permission dataFor as long as the account or relevant game access remains active.Locale and interface preferencesUntil changed by you, cleared from your browser, or deleted with your account/settings.Game progress, attempts, answers, results, and Case dataFor as long as needed to provide the game, maintain access history, support users, prevent abuse, and improve the Service. It may be deleted or anonymised after the account is closed or becomes inactive.Purchase and transaction recordsFor as long as required by accounting, tax, payment, and legal obligations. This is commonly between 4 and 6 years, depending on the applicable record.Support communicationsFor as long as needed to respond to your request and maintain a record of support, usually up to 3 years unless longer retention is needed for legal claims or disputes.Marketing dataUntil you unsubscribe, withdraw consent, or your contact becomes inactive according to our email management settings.Analytics dataFor the retention period configured in the relevant analytics tool.Security logsFor a limited period necessary for security, fraud prevention, debugging, and legal protection, unless longer retention is required for a specific incident.Cookie consent recordsUsually up to 12 months or until you update your cookie preferences.

If we no longer need data in identifiable form, we may anonymise it and use it for analytics, product improvement, statistics, or security purposes.

9. Your rights

Depending on your location and applicable law, you may have the right to:

access your personal data;
receive a copy of your personal data;
correct inaccurate or incomplete data;
request deletion of your personal data;
restrict certain processing;
object to processing based on legitimate interests;
withdraw consent at any time where processing is based on consent;
request data portability;
object to direct marketing;
lodge a complaint with a supervisory authority.

To exercise your rights, contact us at:

contact@synquests.com

We may need to verify your identity before responding to a request.

We will respond within the timeframes required by law.

Your rights may be limited in some cases, for example where we must keep certain data for legal, tax, accounting, security, fraud-prevention, or dispute-resolution reasons.

10. Supervisory authority

If you are in the European Union, you have the right to lodge a complaint with a data protection supervisory authority.

Because the data controller is established in Spain, the main supervisory authority is:

Agencia Española de Protección de Datos (AEPD)
Website: www.aepd.es

You may also contact the supervisory authority in your country of residence, place of work, or place of the alleged infringement.

11. Marketing communications

We send marketing emails only where we have a lawful basis to do so, such as your consent or another basis permitted by applicable law.

You can unsubscribe at any time by using the unsubscribe link in the email or by contacting us at contact@synquests.com.

Service emails, such as account access emails, password reset emails, purchase confirmations, security notices, and important platform updates, are not marketing emails and may still be sent where necessary to provide the Service.

12. Children

The Service is intended for users aged 18 and over.

We do not knowingly collect personal data from children under 18.

If you believe that a person under 18 has provided personal data to us, contact us at contact@synquests.com and we will take appropriate steps to delete the data where required.

13. Security

We use reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.

These measures may include:

encrypted or hashed password storage;
access controls;
secure authentication;
role-based permissions;
hosting security measures;
technical logs;
backups;
monitoring and debugging tools;
limiting access to personal data to people and providers who need it.

No online service can be guaranteed to be completely secure. You are responsible for keeping your account credentials confidential and for using a secure password.

14. Automated decision-making

We do not use personal data for automated decision-making that produces legal or similarly significant effects on you.

We may use automated technical processes for security, fraud prevention, access control, analytics, and service operation, but these do not produce legal or similarly significant effects.

15. Users outside the European Union

The Service may be used by people outside the European Union.

If you are in the United Kingdom, you may have similar rights under the UK GDPR and may contact the UK Information Commissioner’s Office.

If you are in the United States or another country, local privacy rights may apply depending on your place of residence. You may contact us at contact@synquests.com to request access, correction, deletion, or other available privacy rights.

We do not sell personal data in the ordinary meaning of the word. Where analytics or advertising technologies are used, they are controlled through our cookie banner and Cookie Policy.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes, we will take reasonable steps to notify users, for example by posting a notice on the Service or by email where appropriate.

The updated version will be published on this page with a new “Last updated” date.

17. Contact

For any questions about this Privacy Policy or your personal data, contact us at:

contact@synquests.com

Data controller: Semen Petrov, self-employed sole trader (autónomo), NIF/NIE Z1415639V, 08005, C MARIA AGUILO, 2-4 P03 4, BARCELONA, SPAIN.