CipherChronicle

Privacy Policy (GDPR)

CipherChronicle Privacy Policy: data collected, purposes, recipients, retention periods, security measures, cookie management and how to exercise your GDPR rights.

Last updated: April 26, 2026

1. In short

CipherChronicle is designed to be privacy-first: nearly all processing (encryption, decryption, grid validation) happens in your browser. No puzzle solution, no workshop input, no answer is ever sent to a server. The only data leaving your device are the details required to create an account (email, username) and, with your consent, anonymised audience-measurement signals.

2. Data controller

The controller for personal data collected via the Site is:

  • Challenge My Project — Société par Actions Simplifiée (SAS)
  • Registered office: 90 B rue de Fougères, 35700 Rennes, France
  • SIREN: 880 614 110 — Rennes Trade & Companies Register
  • Publication director: David Patiashvili
  • Contact: [email protected]

Full publisher details are available on the Legal notice page.

3. Data collected and purposes

The table below lists the categories of data processed, the purpose, the legal basis invoked, and the retention period.

Category: User account
  Data: Email address, password (hashed by Firebase), username, optional avatar, internal Firebase identifier (UID).
  Purpose: Account creation and management; authentication; tying created grids to their author.
  Legal basis: Performance of the contract (art. 6.1.b GDPR).
  Retention: For as long as the account is active. Deletion on request or after 24 months of inactivity.

Category: User content
  Data: Created grids (title, metadata, cipher parameters), SHA-256 hash of the solution (never the plaintext), solving progress.
  Purpose: Publishing and sharing grids; tracking your progress; client-side validation of attempts.
  Legal basis: Performance of the contract (art. 6.1.b GDPR).
  Retention: For as long as the account is active or the grid is published.

Category: Technical local storage
  Data: theme (display preference), cipherchronicle:cookies (consent choice memorisation).
  Purpose: Remember your preferences across visits; respect your GDPR choice without re-asking.
  Legal basis: Legitimate interest — exempted from consent (CNIL: strictly necessary).
  Retention: Persistent until manually cleared.

Category: Audience measurement
  Data: Cookies _ga, _ga_<ID>; pages viewed, workshop events, traffic source, truncated IP address.
  Purpose: Understand site usage (most-visited pages, most-tried methods) to improve the service.
  Legal basis: Consent (art. 6.1.a GDPR), gathered via the cookie banner. No loading before acceptance.
  Retention: 13 months maximum on the Google Analytics side.

Category: Communications
  Data: Content of the emails you send us (address, subject, message).
  Purpose: Reply to your requests (support, exercise of rights, abuse report, takedown).
  Legal basis: Legitimate interest (art. 6.1.f GDPR) or legal obligation, depending on the request.
  Retention: 3 years from the last exchange, unless a longer legal obligation applies.

No data entered into the workshop (/encrypt, /decrypt) is sent to any server. Everything stays in your browser; the publisher never sees it.

4. Recipients

Data is never sold or transferred for commercial purposes. It is accessible to a limited number of technical providers, strictly within the scope of their assignments and under contractual confidentiality obligations.

  • Authorised Challenge My Project staff — service administration and user support.
  • Google Ireland Limited (Firebase Authentication, Firestore, Storage) — Gordon House, Barrow Street, Dublin 4, Ireland. Sub-processor hosting accounts, grids and user content. GDPR compliance via the European Commission's Standard Contractual Clauses (SCCs) for any transfer outside the EU.
  • Google Ireland Limited (Google Analytics 4) — audience measurement, only after consent, with IP anonymisation. Policy: policies.google.com/privacy.
  • Scaleway SAS — 8 rue de la Ville l'Évêque, 75008 Paris, France. Host of the Site's static bundle (FR-PAR region).
  • Amazon Web Services EMEA SARL — 38 avenue John F. Kennedy, L-1855 Luxembourg. CDN (Amazon CloudFront) and object storage (Amazon S3) for delivering the Site.
  • Public authorities — only upon valid judicial or administrative request.

No sharing with ad networks, data brokers, or third-party profiling tools. No Facebook, TikTok or LinkedIn pixel; no fingerprinting tool.

5. Cookies and trackers

On your first visit, a consent banner asks for your choice before any audience-measurement script is loaded. Until you respond, no Google script runs and no network call is sent to googletagmanager.com.

  • Technical local storage (always active, exempt from consent) — keys theme and cipherchronicle:cookies; never leave your device.
  • Anonymised audience measurement (Google Analytics 4) — loaded only after acceptance. Cookies _ga and _ga_<ID>, maximum lifetime 13 months. anonymize_ip is enabled by default (last IP octet truncated).

You can change your mind any time via the “Manage cookies” button in the footer, or block cookies through your browser settings.

6. Security measures

We apply technical and organisational measures proportionate to the risk, in line with article 32 GDPR.

  • Encrypted transport: the entire Site is served over HTTPS using TLS 1.2+ (AWS Certificate Manager). HSTS is enabled at the CloudFront layer.
  • Non-recoverable passwords: account passwords are hashed and salted by Firebase Authentication (scrypt). They are never stored in the clear and are never accessible to the publisher.
  • Puzzle solutions never stored in the clear: only a SHA-256 hash of (normalised solution + puzzleId), computed in your browser, is stored. Attempt validation also happens client-side, so the server never sees the original text.
  • Front-only architecture: business logic (encryption, decryption, validation) runs in the browser. Workshop ciphertext never leaves your device.
  • Firestore security rules: write access to grids is restricted to their author (request.auth.uid == resource.data.ownerUid). Personal progress is accessible only to the matching authenticated user.
  • Two-factor authentication (TOTP) enabled on Firebase and AWS administrative accounts.
  • Provider isolation: the static bundle (no personal data) is served via AWS S3 + CloudFront; user data lives only on Firebase. The two never mix.
  • Security updates: regular dependency audits (npm audit, patch updates), security headers configured (CSP, X-Content-Type-Options, Referrer-Policy).
  • Backups: Firestore retains daily Google-managed backups; the publisher keeps no local copy.
  • Breach procedure: in the event of an incident likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and inform you without undue delay, in accordance with articles 33 and 34 GDPR.

7. Your rights

Under articles 15 to 22 GDPR and the amended French Data Protection Act, you have the following rights over your data:

  • Right of access to your data and a copy of it.
  • Right of rectification of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”), in particular by deleting your account.
  • Right to restriction of processing.
  • Right to object to processing, in particular to audience measurement.
  • Right to portability of your data in a structured, machine-readable format.
  • Right to withdraw consent at any time, in particular via the “Manage cookies” button.
  • Right to define directives on the fate of your data after your death.

8. How to contact us

To exercise your rights, ask a question about your data, or report an incident, several channels are available:

  • By email (recommended): [email protected].
  • Via the form on the Contact us page.
  • By postal mail: Challenge My Project — 90 B rue de Fougères, 35700 Rennes, France. Mark the envelope “GDPR”.

For security reasons, we may ask you for proof of identity before acting on an access, rectification or erasure request, to prevent a third party from exercising your rights on your behalf. We commit to replying within one month, extendable by two months in case of a complex request (art. 12 GDPR).

9. Lodging a complaint with the CNIL

If, after contacting us, you believe your rights are not being respected, you may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data-protection authority:

  • 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07, France
  • Website: cnil.fr

10. Transfers outside the European Union

Firebase and Google Analytics, operated by Google Ireland Limited, may involve transfers to the United States. These transfers are governed by the Standard Contractual Clauses approved by the European Commission (decision 2021/914) and by Google's commitments under the EU-U.S. Data Privacy Framework. Other providers (Scaleway, AWS EMEA for bundle delivery) operate from within the European Union.

11. Changes to this policy

This policy may be updated to reflect changes in the Site, applicable regulation or our service providers. The last-updated date appears at the top of this page. In case of a substantial change, we will notify you through a banner on the Site or by email if you have an account.