Privacy policy

Last updated: 2026-05-23 · v1.0

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:
suPlay BV
Enschede, The Netherlands · KvK 70176264 · BTW NL858175691B01
Email: info@suplay.nl

2. What we collect

The Beer Game is a small educational simulation. The data we hold falls into three groups:

  • Instructor account data — your email, your chosen display name (optional), a salted password hash, your role (user/admin), timestamps for account creation, last login and Terms acceptance, and the verification / password-reset tokens you receive by email.
  • Game data — the games you host: scenario key, decisions placed each week, an optional chat log between seated players, and aggregate statistics that the debrief renders. Games are linked to the instructor that created them.
  • Player session data — players (your students) don't create accounts. They claim a role in a lobby with a one-shot opaque token, stored in their browser. The server keeps the seat name they typed and their submitted orders — no email, no IP profile.

3. Lawful basis

  • Contract (Art. 6(1)(b) GDPR) — for processing tied to operating your instructor account and the games you host.
  • Legitimate interest (Art. 6(1)(f)) — for server logs, abuse prevention, and account security (login-attempt throttling).
  • Consent (Art. 6(1)(a)) — for any marketing or non-essential analytics. Today we send no marketing email and run no analytics scripts.

4. Retention

  • Accounts are kept while active; you can delete yours from the dashboard at any time. Inactive accounts (no login for 24 months) are deleted automatically.
  • Lobby games not started within 24 hours are pruned automatically (cron-driven).
  • Finished games are kept indefinitely unless the host deletes them; for portfolio classroom use this is typically what you want.
  • Email logs from transactional mail (verification, password reset) are kept for 30 days for delivery troubleshooting, then purged.

5. Cookies

We use only first-party functional cookies — the session cookie (PHPSESSID or equivalent) and, optionally, a "remember me" cookie if you tick the box at login. No analytics, no advertising, no third-party cookies.

6. Recipients and sub-processors

  • Hosting — server01.purchasinggame.com, operated by suPlay BV.
  • Outbound email — your configured Symfony Mailer transport (e.g. Resend, Sendgrid, or your own SMTP). Choose a GDPR-aligned provider; we don't read your messages.
  • Font delivery — Google Fonts (Nunito). The CSS request transmits your IP to Google's font CDN; you can self-host the font in production to avoid this.

7. Your rights

Under GDPR you can request:

  • Access (Art. 15) — a copy of the data we hold on you.
  • Rectification (Art. 16) — correction of inaccurate data.
  • Erasure (Art. 17) — deletion of your account and associated games.
  • Restriction (Art. 18) and objection (Art. 21).
  • Data portability (Art. 20) — your games as CSV (already available from the dashboard).

Email info@suplay.nl to exercise these. You also have a right to lodge a complaint with the Dutch DPA (Autoriteit Persoonsgegevens).

8. International transfers

Servers and storage are located in the EU/EEA. If you configure a non-EEA mail transport, data may be transferred to that provider; choose one with Standard Contractual Clauses in place.

9. Security

Passwords are stored as Argon2id/bcrypt hashes; verification and password-reset tokens are 32-byte, cryptographically random, and single-use; HTTPS terminates at the front proxy; session cookies are set with HttpOnly, SameSite=Lax, and Secure when served over HTTPS; login attempts are throttled (5 per 15 minutes per IP).

10. Changes

We'll note changes in the "Last updated" date at the top. Material changes are sent to every active instructor's verified email.

© 2026 suPlay BV · Enschede, The Netherlands