← Back to Word K.O.

Word K.O. — Privacy Policy

Last updated: 14 May 2026

This Privacy Policy describes how Eudamonia AS ("we", "us", "Eudamonia") collects, uses, and shares information about you when you use Word K.O. (the "Service") at wordko.io and any related native applications. We are the data controller under the EU General Data Protection Regulation (GDPR) and Norway's Personopplysningsloven.

1. Who we are

Eudamonia AS
Organisasjonsnummer: 991 784 098
Registered address: St. Marie gate 47, 1706 Sarpsborg
Contact: [email protected]

2. What information we collect

Information you provide

• Authentication data (when account features are enabled): your email address and any profile information you choose to share, handled by Firebase Authentication.
• Communications: anything you write to us at [email protected].

Information collected automatically

• Gameplay state: match outcomes, scores, found-words history, rating changes. Stored on our servers under an anonymous identifier (or your account ID if you are signed in).
• Device and connection data: IP address, browser type, operating system, screen size, language. Used for service operation, security, and fraud prevention. Held briefly in server logs.
• Local rating data: For visitors playing without an account, your skill rating is stored in your browser's local storage on your own device. We do not receive a copy.

Information from third parties

• Cloudflare: as our hosting and traffic delivery partner, Cloudflare receives standard request metadata (IP, request headers, etc.) before forwarding traffic to us. See Cloudflare's privacy policy.
• Google AdSense / Google AdMob (when advertising is enabled): Google may collect device identifiers and browsing data to serve relevant ads. See Google's advertising policy.
• Google Firebase: we use several Firebase services, each of which receives a distinct slice of data:
  • Firebase Authentication — manages your sign-in (anonymous, Google, or Apple). Stores a Firebase user ID and any provider profile info you authorized.
  • Firebase Analytics — receives gameplay events (match start/end, mode selected, badge unlocked, screen views) tagged with a non-identifying user pseudo-ID. Used for aggregate retention and feature-usage analysis. Each event includes the game name (chess or word) so dashboards stay separable.
  • Firebase Crashlytics (mobile apps only — not web): receives stack traces, device model, and OS version when the app crashes or hits an unhandled exception. Your user ID is attached so we can correlate crashes per-account, but no message contents or game state.
  • Firebase Cloud Messaging: receives the device push token + platform string so we can deliver daily-puzzle reminders, mission progress nudges, and rare service notifications. You can revoke at any time in your browser/OS settings.
  • Firebase Remote Config: the app fetches a small set of feature-flag and configuration values at startup. No personal data is sent; only your device's anonymous installation ID is logged by Google for delivery purposes.
  • Firebase App Check (when enabled): your browser or device produces an anti-abuse attestation token (reCAPTCHA on web, Play Integrity on Android, DeviceCheck on iOS). The token is short-lived and does not identify you personally.
  See Firebase's privacy summary and Google's privacy policy for full details.

3. How we use this information

• Operate the Service: serve game content, match players, calculate ratings, sync state across devices.
• Improve the Service: understand which features are used, diagnose bugs, balance gameplay.
• Communicate with you: respond to support requests, send service notifications.
• Protect the Service: detect cheating, abuse, and security threats.
• Monetize the Service: serve advertising (with your consent where required by law).
• Comply with legal obligations.

4. Legal basis for processing (GDPR)

• Performance of a contract: to operate the Service when you use it.
• Legitimate interests: to maintain service quality, prevent abuse, and improve the Service.
• Consent: for personalized advertising and certain analytics cookies. You can withdraw consent at any time via our cookie banner or by contacting us.
• Legal obligation: when required by Norwegian or EU law.

5. Who we share data with

We do not sell personal data. We share data only with service providers strictly necessary to operate Word K.O.:

• Hosting and CDN: Cloudflare, Hetzner (Germany)
• Authentication, push, analytics, crash reports, feature flags, anti-abuse attestation: Google Firebase (Authentication, Cloud Messaging, Analytics, Crashlytics, Remote Config, App Check)
• Advertising: Google (AdSense, AdMob), once enabled
• Payment processing: Apple App Store, Google Play Store (when subscriptions or IAP are enabled). We never receive your full payment card details.

6. Cookies and similar technologies

We use cookies and similar technologies to:

• Strictly necessary: keep you signed in, remember your preferences, secure the connection. These cannot be disabled.
• Analytics (with consent): understand aggregate usage patterns.
• Advertising (with consent): serve and measure ads via AdSense / AdMob.

You can manage your consent at any time through the cookie banner shown on first visit, or by clearing your browser's storage for wordko.io.

7. International data transfers

We are based in Norway, our servers are in Germany (Hetzner FSN1). Some service providers (Google, Cloudflare) operate globally, which may involve transfers of personal data to countries outside the European Economic Area. We rely on Standard Contractual Clauses and adequacy decisions where applicable.

8. How long we keep data

• Match history: 24 months from the match date, then anonymized.
• Account data (if you sign up): retained while your account is active. Deleted within 30 days of account deletion request.
• Server logs: 30 days for security and operations, then deleted.
• Tax / accounting records: 5 years, as required by Norwegian law.

9. Your rights

If you are in the EEA or UK, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data ("right to be forgotten")
• Restrict or object to processing
• Data portability (receive a copy of your data in a machine-readable format)
• Withdraw consent at any time
• Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority

To exercise any of these rights, email [email protected]. We respond within 30 days.

10. Children

Word K.O. is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us information, please contact us and we will delete it.

11. Security

We use industry-standard measures to protect your data: TLS encryption in transit (Cloudflare + Caddy origin certs), server hardening (firewall, fail2ban), encrypted database connections, RAID-1 storage, off-site backups. No method is 100% secure, but we work to make it as close as practical.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified via the Service or by email if you have an account. The "Last updated" date at the top reflects the most recent revision.

13. Contact

Questions or requests: [email protected]
Eudamonia AS, organisasjonsnummer 991 784 098, St. Marie gate 47, 1706 Sarpsborg, Norway.

← Back to Word K.O.  ·  Terms of Service