Privacy Policy
Last updated: 28 April 2026
Hi! Quick version: we keep just enough data to run the quiz, we don't sell anything, we don't track you around the web, your password is hashed so even we can't see it. The longer version below covers everything in plain English — if you live somewhere with privacy laws (UK, EU, most US states), the rights you'd expect are all here.
1. Who we are
It's just The Bodach Show, run from the UK. We're the ones responsible for your data — technically the "data controller" if anyone asks.
If you've got a privacy question, want a copy of your data, or want it deleted, drop us a line at the@bodach.show. We read every one.
2. What we collect
Whatever you give us when you sign up, plus the boring technical stuff needed to keep you signed in and stop bots.
2.1 Your account
- Email address — for verification, password resets, and the occasional account thing. If you went paranoid we don't get an email at all, just a username.
- Display name — the name other players see.
- YouTube name — only if you want to share it.
- Password — bcrypted. We genuinely cannot see it. If you forget it we can only mail you a code to reset it, not look it up.
2.2 Security stuff
- Your IP address — we hash it (SHA-256, one-way) so we can rate-limit logins without storing the raw value.
- Browser fingerprint — a hash of your User-Agent, language and encoding so we can spot if your session cookie ends up on a totally different browser. Also one-way hashed.
- Login timestamps — when you last signed in.
2.3 The quiz itself
- Your answers, votes and scores — needed to run the game, the scoreboards and the Hall of Fame.
- Prizes you've won — if any.
2.4 Cookies
- Session cookie — keeps you signed in for this visit.
- auth_token cookie — only set if you tick "Remember me", lasts up to a year so you don't have to log in every visit. Otherwise it disappears when you close your browser.
That's it. No ad cookies, no tracking, no analytics, no third-party anything. Just enough to keep the site working.
3. What we use it for
Running the quiz, keeping you signed in, stopping bots and abuse, and emailing you about your account when something needs your attention.
| What we do | What we use | Why we're allowed (UK/EU) |
|---|---|---|
| Manage your account | Email, display name, password hash | Contract |
| Verify your email / reset your password | Email, code or token | Contract |
| Keep you signed in | Session token, browser fingerprint hash | Contract |
| Run the quiz, score it | Answers, votes, display name | Contract |
| Show leaderboards / Hall of Fame | Display name, scores | Legitimate interest |
| Stop bots and brute-force | IP hash, honeypot fields | Legitimate interest |
| Spot stolen sessions | Browser fingerprint hash | Legitimate interest |
What we don't do: marketing, advertising, profiling, automated decisions about you, or selling anything to anyone.
4. Who we share it with
Nobody, in the "selling or trading" sense. Your data stays with us.
There are a few background helpers who have to touch it briefly to do their job:
- The company that hosts the site — needs to actually serve the database and pages.
- The email service — needs your email address to send you the verification code or password reset.
- Cloudflare (or similar) — sees the IP of the request to filter out attacks before it hits us.
They're all bound by data processing agreements and they can't use it for anything else.
The only exception is if a court legally orders us to hand something over — we'll comply but you'd be hard-pressed to find a reason that'd happen for a quiz site.
5. How long we keep it
- Your account — for as long as your account exists. Ask us to delete it and it's gone.
- Quiz history — sticks around so the leaderboards and Hall of Fame keep working. Goes when the account goes.
- Sessions — "Remember me" lasts a year, normal sessions a couple of hours. Expired ones are auto-cleaned.
- Rate-limit records (IP hashes) — auto-cleaned within an hour of inactivity.
- Reset / verification codes — expire in 15 mins (reset code) or 24 hrs (email verification).
When you delete your account, all the personal stuff is gone for good.
6. How we keep it safe
- Passwords go through bcrypt with a high cost factor — even if someone stole the database they couldn't read your password.
- IP addresses live in the database as SHA-256 hashes only. Raw IPs never get written to disk.
- Auth tokens are SHA-256 hashed too — the raw value only exists in your browser cookie.
- Cookies are set with HttpOnly + Secure + SameSite where applicable.
- Every form has CSRF protection.
- Everything goes over HTTPS in production.
We can't promise something is unhackable (nobody honestly can), but we follow the boring sensible defaults that mostly stop the bad guys.
7. International transfers
Our servers live in the UK. If you log in from somewhere else, your data still rests on UK infrastructure — the protections don't change based on where you are.
If we ever have to move data outside the UK or EEA, we'd use the standard legal safeguards (Standard Contractual Clauses, or destinations the regulators have already cleared).
8. Your rights (UK and EU)
If you're in the UK or EU, the law gives you a bunch of rights and we're not going to argue with any of them:
- See it — ask for a copy of everything we hold on you.
- Fix it — spot something wrong, tell us.
- Delete it — "right to be forgotten". We'll wipe it unless we legally have to keep something.
- Restrict it — tell us to pause processing while you sort something out.
- Take it elsewhere — we'll export it in a normal machine-readable format.
- Object — especially to anything we do under "legitimate interest".
- Withdraw consent — for anything you said yes to.
Email the@bodach.show for any of these. We'll get back to you within a month.
If you're not happy with how we handle it, you can complain to:
- UK: the Information Commissioner's Office — ico.org.uk
- EU: your country's data protection authority.
9. Your rights (US states)
If you live in a US state with a privacy law, you've got pretty much the same rights as the UK/EU folks above. Loads of states have passed these now — California started it and most of them copy the same playbook:
- California (CCPA/CPRA)
- Virginia (VCDPA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Utah (UCPA)
- Texas (TDPSA)
- Oregon (OCPA)
- Montana (MTCDPA)
- Iowa (ICDPA)
- Indiana (INCDPA)
- Tennessee (TIPA)
- Florida (FDBR)
- Delaware (DPDPA)
- New Hampshire (NHPA)
- New Jersey (NJDPA)
- Nebraska (NDPA)
- Kentucky (KCDPA)
- Maryland (MODPA)
- Minnesota (MNCDPA)
- Rhode Island (RIDTPPA)
- + any newer ones we missed
9.1 What we collect (CCPA categories)
In CCPA terms, here's what falls into each bucket:
| Category | What that means here | We collect? |
|---|---|---|
| Identifiers | Email, display name, IP (hashed) | Yes |
| Internet activity | Browser type (hashed), login times | Yes |
| Login credentials | Email/username + password hash | Yes |
| Geolocation | — | No |
| Audio / visual | — | No |
| Job info | — | No |
| Biometric | — | No |
| Sensitive personal info | — | No |
9.2 Your rights
Depending on your state, some or all of these apply:
- Know what we have — ask, we'll tell you.
- Delete it — with a few legal exceptions.
- Correct it — if we've got something wrong.
- Take it elsewhere — in a portable format.
- Opt out of sale or sharing — we don't sell or share, so this is automatic. We've never sold any data, ever.
- Opt out of targeted ads — we don't do those either.
- Opt out of profiling — not doing it.
- Don't be punished for asking — we won't treat you any differently if you exercise these.
- Appeal — if we say no to something, you can ask us to look again. If we still say no, your state's Attorney General is the next step.
To use any of these, email the@bodach.show. We'll verify it's actually you (don't want to delete the wrong person's account) and reply within whatever your state's deadline is — usually 45 days.
9.3 Selling data
We don't. We never have. We won't.
9.4 Do Not Track / GPC signals
Since we don't track anyone in the first place, GPC signals don't change what we do — we already aren't tracking you.
9.5 Authorised agents
You can have someone act on your behalf. We'll need proof you actually authorised them and we may need to confirm your identity directly too.
9.6 Loyalty programmes
None. We don't reward you for sharing data and we don't penalise you for not.
10. Kids
This isn't aimed at kids under 13 (16 in some places). We don't knowingly collect anything from them. If you're a parent or guardian and reckon your kid signed up anyway, email us and we'll wipe the account.
11. Robots making decisions
Nope. Nothing automated decides anything about you that matters. Rate-limiting bots and adding up your quiz score is the closest we get and neither of those legally counts as "profiling".
12. If we change this
If we make a real change (not just a typo fix) we'll post a notice in the app and update the date at the top of this page. If it materially affects you we'll email you too.
Carrying on using the site after a change means you're OK with it. Don't agree? You can delete your account any time and we'll wipe everything.
13. Get in touch
Anything privacy-related — questions, complaints, requests — email the@bodach.show. We won't dodge the question.
If you're not happy with our reply, you've got an escalation path through your local supervisory authority (see sections 8 and 9).