Privacy policy
Press X to Doubt is a reference site for game controls. We collect as little personal data as we can get away with, and nothing here is sold or shared for anything other than running the site. This page is the full GDPR-required detail.
Who is responsible (controller)
Rasmus Söderström operates pressxtodoubt.net and is the data controller. Contact for anything privacy-related: [email protected].
What we process, why, and on what legal basis
- Account data — when you sign in with Discord, Google, or GitHub we receive your provider account ID, display name, avatar, and email address, and create a profile (display name, roles, reputation, your game library, contribution history). We never see or store passwords. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) — this is what an account is.
- Contributions — edits, suggestions, and screenshots you submit are published under the CC-BY-SA 4.0 license and linked to your profile in the public revision history. Legal basis: contract (Art. 6(1)(b)); keeping takedown records is a legal obligation (Art. 6(1)(c)).
- Security — sign-in is gated by a Cloudflare Turnstile human check; API writes are rate-limited using a short-lived key derived from your connection. We also keep an authentication log (sign-in time, IP address, browser identifier) and an audit log of moderation-role and ban decisions; both are deleted after 90 days. Legal basis: legitimate interest in preventing abuse and securing accounts (Art. 6(1)(f)).
- Anonymous flags(“this binding looks wrong”) — stored only as aggregate counters, plus a hashed, short-lived dedup key (client + entry + day) that prevents double-counting and expires within days. It cannot be used to identify you. Legal basis: legitimate interest (Art. 6(1)(f)).
- Search misses— queries that return no results are logged as plain text so we know which games to add next. Don't type personal data into the search box. Legal basis: legitimate interest (Art. 6(1)(f)).
- Analytics — always-on measurement uses Cloudflare Web Analytics, which is cookieless and stores no identifier (legitimate interest, Art. 6(1)(f)). Google Analytics 4 with cookies runs only if you opt in via the banner (consent, Art. 6(1)(a)); without consent GA sends only cookieless, aggregate pings.
- Advertising — the site shows Google AdSense ads in a reserved frame. Without consent, ads are non-personalized and cookie-free (legitimate interest, Art. 6(1)(f)); personalized ads run only if you opt in (consent, Art. 6(1)(a)).
Who receives data (processors)
- Hetzner (Germany) — hosts the servers and database.
- Cloudflare — CDN in front of the site, cookieless analytics, Turnstile, and R2 file storage for screenshots.
- Google — Analytics and AdSense, to the extent you consented; consent-mode pings otherwise.
- Usercentrics (Cookiebot) (Denmark/Germany) — runs the cookie consent banner and stores proof of your consent choices.
- Your chosen sign-in provider (Discord, Google, or GitHub) — knows you authenticated here.
We do not sell personal data, and nobody else gets it.
International transfers
Hosting is in the EU (Germany). Cloudflare and Google are US companies certified under the EU-US Data Privacy Framework; transfers to them rely on that adequacy decision and standard contractual clauses.
How long we keep things
- Account and contribution data: until you ask us to delete your account. Published contributions stay (they're CC-BY-SA), but are unlinked from you.
- Sessions: 7 days. Turnstile pass: 10 minutes. Flag dedup keys: days.
- Database backups: rotated on a regular schedule; deleted data ages out of backups with that rotation.
- Google cookie lifetimes: see the cookie policy.
Your rights
Under the GDPR you can ask for access to your data, rectification, erasure, restriction of processing, data portability, and you can object to processing based on legitimate interest. Where processing is based on consent, you can withdraw it at any time — reopens the banner, and withdrawal is immediate. Email [email protected]for any of these; we'll respond within a month. You also have the right to lodge a complaint with your local supervisory authority (for us that's IMY, the Swedish Authority for Privacy Protection).
Cookies
The complete inventory — what's set, why, and for how long — is on the cookie policy page. Short version: strictly necessary cookies only, unless you opt in; declining keeps analytics cookieless and ads non-personalized.
Changes
If this policy changes materially, the date below changes with it. Last updated: 2026-07-08.