Privacy Policy
Last updated: 21 May 2026
TL;DR
- No account, no email (unless you opt in via magic-link save)
- No name, no password, no profile
- Anonymous random session ID in a cookie — only identifier we have
- Photos: auto-delete after 30 days
- Cookieless analytics — no cross-site tracking
- We don't sell your data. We have nothing to sell.
1. What we collect
- Anonymous session cookie (mh_sid). A random UUID stored in an HttpOnly cookie when you first visit. Not connected to your name or email. Expires after 1 year of inactivity. Used for: attributing puzzles you create to "My Drops", blocking you from winning your own puzzle, rate-limiting abuse.
- Photos you upload. Stored up to 30 days, then auto-deleted. EXIF stripped on upload (GPS, camera serial removed). The original is never publicly served — only the composite is.
- Tap coordinates. Normalized (x, y) per tap, tied to puzzle and session. Used for hit/miss + anti-cheat (spray detection).
- IP + User-Agent. Logged by Cloudflare for 30 days. Used only for rate-limiting + anti-cheat + security incident response.
- Analytics events. Privacy-friendly tool (Cloudflare Web Analytics or Plausible — both cookieless). No cross-site tracking, no Facebook Pixel, no Google Analytics.
- Email (only if you opt-in). If you use the "Save your stash" magic-link feature, we store your email + link it to your session ID. We use it ONLY to send the verification link. No newsletters, no marketing.
2. What we don't collect
- No name, phone, location-beyond-IP, contact list, social graph, payment info, biometrics
- No facial recognition or image-content analysis (beyond simple composite processing)
- No browsing history outside MemeHunt
- No advertising cookies. Ever.
- No tracking pixels. Ever.
3. Cookies
- mh_sid — anonymous session, HttpOnly, Secure, SameSite=Lax. Strictly necessary for the service (anti-cheat, attribution). No consent banner required under GDPR Article 6(1)(f) legitimate interest.
- mh_tt_* — short-lived tap-tokens, 5 min TTL, HttpOnly. Anti-cheat measure for puzzle pages.
- No third-party cookies. No advertising cookies.
4. Where your data goes
- Cloudflare (USA + global edge) — hosts site, runs serverless functions, stores photos in R2, puzzle metadata in D1. Cloudflare DPA + SCCs apply.
- Resend (USA) — sends magic-link verification emails (only if you opt in to save your stash). Receives only your email address.
- No other sharing. We do not sell, rent, lease, or trade your data.
5. How long we keep data
- Original uploaded photos: 30 days, auto-deleted
- Composites: 30 days, auto-deleted
- Puzzle metadata (slug, hit region, anonymous session): until deleted or aggregated for analytics
- Session cookie: 1 year from last visit
- IP + UA logs (Cloudflare): 30 days
- Account email (if opted in): until you delete account via email request
6. Your rights (GDPR + similar)
- Access — email hello@memehunt.app with your session ID (from your
mh_sidcookie). We'll send everything we have. - Delete — (a) tap "Delete" in any puzzle's share-link footer, or (b) email us with session ID. Purged within 30 days.
- Object — email us. 30-day response.
- Complaint — your country's DPA (in Poland: UODO; in EU: your national authority). You don't need to contact us first.
7. Children
Not directed at children under 13. We don't knowingly process their data. If you're a parent and believe your child under 13 has used MemeHunt, email us — we delete immediately.
8. Security
HTTPS everywhere, HSTS-preloaded TLD, HttpOnly cookies, HMAC-signed tap tokens, EXIF stripping, rate-limiting, server-side hit-test. R2 encryption at rest (AES-256, Cloudflare default). No formal SOC 2 / ISO 27001 — we're an indie project. Treat photos you upload accordingly: don't upload anything you wouldn't want public if our security failed.
9. Automated decision-making
No profiling, no behavioral scoring. Only rate-limiting (10 uploads / IP / hour). That's a security measure, not profiling.
10. Third-party content disclaimer
Our meme library contains community-created cultural artifacts (rage comics, classic memes) used in transformative puzzle context under fair use. We are not the original creators of all memes shown. If you are a rights-holder and want your meme removed, email hello@memehunt.app — we remove within 48 hours, no questions. We assume no liability for third-party content claims arising from meme library usage.
11. International transfers
Cloudflare and Resend process data in the United States. For EU residents, transfers rely on the EU-US Data Privacy Framework or Standard Contractual Clauses.
12. Contact
Email: hello@memehunt.app
See also: Terms of Service