1. Overview and Scope
This privacy policy explains how personal data is collected, processed, and used when you visit bitbi.ai (the "Website"). It applies to all pages of this website and covers obligations under the EU General Data Protection Regulation (GDPR) and the German Telecommunications Digital Services Data Protection Act (TDDDG).
Personal data is any information that can directly or indirectly identify you (e.g., name, IP address, email address). This website does not require you to provide personal data to browse its content; data is only collected as described in the sections below.
2. Data Controller (Art. 13(1)(a) GDPR)
Stefan van Ark
Schwarzwaldstraße 20
78647 Trossingen
Germany
E-Mail: [email protected]
A data protection officer is not required under Art. 37 GDPR for this website.
3. Hosting and Content Delivery
GitHub Pages
This website is hosted on GitHub Pages, a service of GitHub, Inc. (a subsidiary of Microsoft Corporation, USA). When you access any page, GitHub automatically receives and stores technical connection data, including your IP address, browser type and version, operating system, referrer URL, and the date/time of the request.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and reliable provision of the website).
More info: GitHub Privacy Statement
Cloudflare (CDN, DNS, Security)
This website uses Cloudflare, Inc. (USA) as a content delivery network (CDN), as DNS provider for the domain, and for DDoS protection. All traffic to this website passes through Cloudflare's network, which acts as a reverse proxy in front of the hosting provider; Cloudflare therefore processes IP addresses, HTTP request headers, user agent strings, timestamps, and referrer data. Cloudflare may set a technically necessary cookie (__cf_bm) for bot detection.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website security and performance); §25(2) Nr. 2 TDDDG (the cookie is strictly necessary for the service explicitly requested by the user).
More info: Cloudflare Privacy Policy
4. Server Log Files
Both GitHub Pages and Cloudflare automatically collect and store information in server log files that your browser transmits when accessing the website:
- IP address (anonymized or full, depending on the provider)
- Browser type and version
- Operating system
- Referrer URL
- Requested page/resource
- Date and time of the request
- Amount of data transferred
This data is not merged with other data sources. It is used solely for technical operation and security of the website.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technically error-free and secure operation of the website).
Retention: Cloudflare retains logs for up to 72 hours; GitHub Pages retains logs for up to 30 days.
5. Contact Form
When you use the contact form, the following data is collected and processed:
- Required fields: Name, email address, message
- Optional field: Subject
The data you enter is transmitted via a Cloudflare Worker (Cloudflare, Inc., USA) to the email delivery service Resend, Inc. (USA), which sends the message to our mailbox. No data is stored permanently on the Worker; it acts only as a transit relay.
The form includes a hidden anti-spam field (honeypot). If this field is filled (typically by automated bots), the submission is silently discarded and no email is sent. A privacy notice is displayed directly above the submit button, informing you about the third-party processors involved.
Legal basis: For project-related or pre-contractual inquiries: Art. 6(1)(b) GDPR (processing necessary for pre-contractual measures at your request). For general inquiries: Art. 6(1)(f) GDPR (our legitimate interest in handling general inquiries and maintaining efficient communication).
Provision of the required fields is necessary to process your inquiry. If you do not provide this data, we cannot respond to your request (Art. 13(2)(e) GDPR).
Retention: Contact form submissions are retained for 6 months after final response, then deleted unless a legal obligation requires longer retention.
More info: Resend Privacy Policy
6. User Accounts (Registration & Login)
This website offers a free, optional user account. Registration unlocks additional content sections; all other content remains fully accessible without an account.
Data collected
When you register, the following data is collected and stored:
- Email address — used as your unique login identifier. The address is normalized (trimmed, lowercased) before storage.
- Password — never stored in plain text. Your password is hashed using PBKDF2-SHA-256 with 100,000 iterations and a cryptographically random 128-bit salt before it is written to the database. The original password is discarded immediately after hashing.
In addition, a registration timestamp and an account status field (default: “active”) are stored.
Session management
When you log in, a cryptographically random session token is generated. Only a SHA-256 hash of this token (combined with a server-side secret) is stored in the database — the token itself is never persisted on the server. The token is sent to your browser as a cookie:
- Cookie name: __Host-bitbi_session on the live HTTPS site (local non-HTTPS development may fall back to bitbi_session)
- Attributes: HttpOnly, Secure (HTTPS only), SameSite=Lax, Path=/ (browsers accept the __Host- prefix only when the cookie is Secure, has Path=/, and carries no Domain attribute, which binds it to this host)
- Lifetime: 30 days (server-side expiration enforced)
The session record stores a “last seen” timestamp that is updated on each authenticated request. When you log out, the session record is deleted from the database and the cookie is cleared.
Storage and processing
Account and session data is stored in a Cloudflare D1 database (Cloudflare, Inc., USA) and processed by a Cloudflare Worker. No account data is shared with any other third party. The infrastructure is already described in § 3 of this policy.
Purpose
The data is processed for the following purposes: account creation and management, authentication, session persistence across page reloads, and access control for registered-only content.
Legal basis
Art. 6(1)(b) GDPR (processing necessary for the performance of a contract — provision of the user account service you requested). For the session cookie: §25(2) Nr. 2 TDDDG (the cookie is strictly necessary to provide the login service explicitly requested by the user).
Necessity of data provision
Providing your email address and choosing a password is required to create an account and use the login feature. If you do not provide this data, you cannot register, but you can continue to use the website without an account (Art. 13(2)(e) GDPR).
Account deletion
To request deletion of your account and all associated data, contact us at [email protected]. We will erase your account data without undue delay in accordance with Art. 17 GDPR.
Retention
Account data is retained for as long as your account exists. Session records expire automatically after 30 days and are deleted upon logout. When your account is deleted, all associated session records are also removed.
7. Consent Management
This website uses a custom cookie consent banner to manage your preferences for cookies and similar technologies (including localStorage access).
The banner is displayed to visitors in the European Economic Area (EEA) upon first visit. You can change or revoke your consent at any time via the "Cookie Settings" link in the footer.
Categories:
- Necessary (always active) — Storage of your consent preference (strictly necessary for consent management); the __Host-bitbi_session session cookie for authenticated users on the live HTTPS site (strictly necessary for the login service, see § 6; local non-HTTPS development may fall back to bitbi_session). On certain interactive pages, gameplay progress or highscores may additionally be stored locally in the browser where this is required for that specific game feature; this data is never transmitted to any server.
- Analytics — performance measurement (Cloudflare RUM)
- Marketing — embedded content (YouTube videos)
Your consent choice is stored in your browser's localStorage under the key bitbi_cookie_consent. No consent data is transmitted to third parties.
Legal basis for storing the consent preference: §25(2) Nr. 2 TDDDG (strictly necessary to provide the service explicitly requested by the user).
8. Analytics — Cloudflare RUM
This website uses Cloudflare Real User Measurements (RUM) to measure and improve real-world performance (e.g., load times, Core Web Vitals, error rates).
Provider: Cloudflare, Inc. (USA). When activated, a JavaScript snippet collects performance and technical usage data (page URL, referrer, timestamp, device/browser information, performance metrics). Cloudflare may also process network data (including IP address) for providing the service and for security purposes.
This service is only activated after you give consent in the "Analytics" category of the cookie banner. As a defensive measure, our client-side code actively removes any Cloudflare RUM scripts that may be injected before consent is given and monitors for future injection attempts.
Legal basis: Art. 6(1)(a) GDPR (consent); §25(1) TDDDG (consent required for access to device information not strictly necessary).
You can withdraw your consent at any time with future effect via the "Cookie Settings" link in the footer (Art. 7(3) GDPR).
More info: Cloudflare Privacy Policy
9. External CDN Resources
Fonts (Self-Hosted)
All typefaces used on this website (Inter, Playfair Display, JetBrains Mono, and page-specific fonts) are deployed together with the website and served from its own origin. No connections to Google Fonts or other external font services are made, so no personal data is transmitted to third parties for font loading.
JavaScript Libraries (Self-Hosted)
All JavaScript libraries used on this website (including A-Frame, aframe-extras, and Three.js) are deployed together with the website and served from its own origin. No connections to external CDNs (such as aframe.io, cdn.jsdelivr.net, or cdnjs.cloudflare.com) are made for loading these libraries, so no personal data is transmitted to third parties for script loading.
10. Embedded Content — YouTube
YouTube videos are embedded using the privacy-enhanced mode (youtube-nocookie.com). Videos are only loaded after you give consent in the "Marketing" category of the cookie banner.
When loaded, a connection to YouTube/Google (Google Ireland Limited / Alphabet Inc., USA) is established and personal data (IP address, browser data) is transmitted. Cookies or similar identifiers may also be stored on your device.
Legal basis: Art. 6(1)(a) GDPR (consent); §25(1) TDDDG (consent required for non-essential device access).
You can withdraw your consent at any time with future effect via the "Cookie Settings" link in the footer (Art. 7(3) GDPR).
More info: Google Privacy Policy
11. Live Markets Data
The main page displays live cryptocurrency market data. This data is fetched server-side via a Cloudflare Worker proxy from the CoinGecko API. Your browser never contacts CoinGecko directly; all requests are routed through our proxy at api.bitbi.ai.
The proxy forwards no client headers or personal data to CoinGecko. Only aggregated market data (prices, market caps, sparkline charts) is returned to your browser.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing relevant market information to visitors).
More info: CoinGecko Privacy Policy
12. SSL / TLS Encryption
This website uses TLS encryption (HTTPS) for all connections; the certificates and TLS termination are provided by Cloudflare. This protects the confidentiality and integrity of data in transit between your browser and the website. Because all traffic passes through Cloudflare's network (see § 3), the TLS connection from your browser is terminated at Cloudflare's edge, which is why Cloudflare can process the request data described there.
13. International Data Transfers (Art. 13(1)(f) GDPR)
Some of the processors listed in this policy are based in the United States. The following safeguards ensure an adequate level of data protection for transfers to the USA:
- Cloudflare, Inc. — certified under the EU-U.S. Data Privacy Framework (DPF); additionally, Standard Contractual Clauses (SCCs) are in place.
- GitHub, Inc. / Microsoft Corp. — certified under the EU-U.S. Data Privacy Framework (DPF); SCCs apply.
- Google Ireland Limited / Alphabet Inc. — certified under the EU-U.S. Data Privacy Framework (DPF); SCCs apply for transfers to Alphabet Inc.
- Resend, Inc. — Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
More info on the DPF: dataprivacyframework.gov
14. Data Retention
We delete or anonymize personal data as soon as the purpose for its collection no longer applies, unless a legal retention obligation prevents deletion. Specific retention periods:
- Cloudflare server logs: up to 72 hours
- GitHub Pages server logs: up to 30 days
- Contact form submissions: 6 months after final response
- User account data: until you request deletion of your account (see § 6)
- Session records: 30 days (automatic expiry) or until logout, whichever comes first
- Consent preferences (localStorage): until you clear your browser data or revoke consent
- Game scores (localStorage): until you clear your browser data
- Cloudflare RUM data: retained by Cloudflare per their data retention policies
15. Your Rights Under GDPR
You have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected].
- Right of access (Art. 15 GDPR) — obtain confirmation and a copy of your stored data
- Right to rectification (Art. 16 GDPR) — correct inaccurate data
- Right to erasure (Art. 17 GDPR) — request deletion of your data
- Right to restriction (Art. 18 GDPR) — restrict processing under certain conditions
- Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format
- Right to withdraw consent (Art. 7(3) GDPR) — withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal
Right to object (Art. 21 GDPR): Where we process your personal data based on legitimate interests (Art. 6(1)(f) GDPR), you have the right to object at any time on grounds relating to your particular situation. We will then no longer process your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. To object, send an email to [email protected].
Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. The competent authority for our location is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW)
Lautenschlagerstraße 20
70173 Stuttgart
Germany
Phone: +49 711 6155 41-0
Website: baden-wuerttemberg.datenschutz.de
16. Automated Decision-Making (Art. 13(2)(f) GDPR)
No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place on this website.
17. Changes to This Policy
We may update this privacy policy to reflect changes in our data processing practices or legal requirements. The current version is always available on this page. We encourage you to review this policy periodically.
Last updated: 8 March 2026