PRIVACY POLICY
Effective 28 April 2026. This policy explains what personal data we process when you play
Timeline Blastar at timelineblastar.com and timelineblaster.com, on which legal basis,
and what rights you have under the GDPR.
1. Data controller
McGrinsey UG (haftungsbeschränkt)
Klein Glien 25, 14806 Bad Belzig, Germany
Email: john@mcgrinsey.com
Managing Director: Johannes Jähnke
Full company information: see our Imprint.
2. What data we process
2.1 Server log files (Art. 6(1)(f) GDPR — legitimate interest)
When you visit the site, our server (Hetzner Cloud, Germany) automatically logs technical data needed to deliver the site and protect it from abuse:
- IP address (truncated)
- User agent (browser + OS)
- Referrer URL
- Timestamp + requested URL + HTTP status
Retention: server access logs are kept for up to 14 days for security analysis, then deleted.
2.2 X (Twitter) account data — when you connect your X account (Art. 6(1)(b) GDPR — contract)
If you choose to log in via X, we receive from X — strictly within the scope you authorise via the OAuth consent screen:
- Public X user ID, username, display name, avatar URL
- OAuth access + refresh tokens (used to act on your behalf)
- Tweets you choose to load into the game (your home timeline, custom handles you blast, etc.)
- Posts you write through the game (replies, comments, likes, video shares)
2.3 Game profile + wallet (Art. 6(1)(b) GDPR)
To run the game and the in-game economy we keep:
- Display name, optional bio, optional custom avatar URL, optional links to other social accounts
- Lifetime statistics (sessions, blasts, hits, kills, ranks)
- Per-session game scores
- COIN balance + the ledger of every credit (purchase) and debit (paid feature use)
- Records of videos you posted to X through the game (for retention metrics + dispute resolution)
- Multiplayer match history
2.4 Payment data (Art. 6(1)(b) GDPR)
COIN purchases are processed by Stripe Payments Europe Limited (Ireland). We do not see or store your card data — Stripe handles it directly. We only receive a payment-success webhook with transaction ID, the amount, and which COIN pack was bought, so we can credit your wallet and issue an invoice.
For VAT-compliant invoicing we keep transaction metadata (no card data) for the statutory retention period (10 years per German § 147 AO).
2.5 Cookies + local storage
We use the following local-storage / cookie items:
| Name | Purpose | Type |
|---|---|---|
| tb2_* | Game settings (music mute, video bitrate, recent handles, sound prefs) | Strictly necessary |
| X session cookie | Keep you logged in via X OAuth | Strictly necessary |
| Stripe checkout cookies | Set on Stripe's domain during payment | Strictly necessary |
| tb2_consent | Remember your cookie-consent choice | Strictly necessary |
| Google Consent Mode v2 | Analytics is currently disabled. If we add it later, it runs only after you opt in. | Optional |
You manage your choice via the cookie banner shown on first visit, or by clearing your browser's local storage for this site.
3. Third-party processors
| Service | Purpose | Country / Region |
|---|---|---|
| Hetzner Online GmbH | Hosting (server, IP logs) | Germany / EU |
| X Corp. | OAuth login, timeline reads, posting on your behalf | USA (with EU SCCs) |
| Stripe Payments Europe Ltd. | Payment processing for COIN purchases | Ireland / EU |
| OpenRouter (Cloud) | AI image generation for monster sprites — server-side, no user PII sent | USA (with SCCs) |
| Resend | Transactional email (purchase receipts) — only when you buy | USA (with SCCs) |
4. Your rights under the GDPR
You have the right, at any time and free of charge, to:
- Access a copy of the personal data we hold about you (Art. 15 GDPR)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten", Art. 17 — see § 5 below)
- Restrict processing (Art. 18)
- Data portability — receive your data in a machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, with no effect on past lawful processing (Art. 7(3))
- Complain to a supervisory authority — for us this is the Brandenburg State Commissioner: https://www.lda.brandenburg.de/
To exercise any of these rights, email john@mcgrinsey.com with the subject "GDPR request". We answer within one calendar month.
5. Account deletion + X data deletion
Under our agreement with X (Twitter) and its Developer Policy, we are required to honour data deletion requests promptly:
- Disconnect X: open the game, go to Player Menu → User Account → "Disconnect X". This invalidates our stored OAuth tokens immediately.
- Delete account: email john@mcgrinsey.com with subject "Delete my account". We delete your profile, wallet history, scores, multiplayer match log, and any cached X data we hold within 30 days. Statutory financial records (VAT invoices) are retained for the legally mandated 10 years and cannot be deleted earlier.
- X content removed on X: if you delete a tweet on X, our cached copy is removed on its next refresh and at most within 24 hours of our seeing the deletion.
- We do not use X data for advertising targeting, sell it to data brokers, or share it with third parties beyond the processors listed in § 3.
6. International transfers
Some processors are located outside the EU/EEA. Where this is the case, transfers are protected by the EU Standard Contractual Clauses (SCCs) and, where applicable, by adequacy decisions of the European Commission.
7. Children
The game is not directed at children under 16. If you are under 16, please do not create an account or connect an X account without verifiable parental consent.
8. Changes to this policy
We may update this policy as the game evolves. Material changes will be announced in-game on the title screen and via email if you are a paying customer.
Last updated: 28 April 2026.