← back to PAT-OS 2000

Privacy Notice

Short, honest version. The formal GDPR terms are below.

What we store

• A browser fingerprint (an approximate identifier derived from your browser — not strictly unique) used as a stand-in for an account.
• Your chosen display name.
• Content you publish: IRC messages, guestbook entries, paintings, wallpapers, game scores.
• A short activity log (events like "joined IRC", "frag", "published painting") for moderation and transparency.
• When content you posted is removed by a moderator, a copy is retained for 30 days in case of a law-enforcement inquiry, then deleted.

Optional: verified accounts (passkeys)

If — and only if — you click Upgrade to verified account in the Profile app, the server additionally stores:

• Your chosen handle (the nickname you are claiming).
• The browser fingerprint you had at the moment of registration (so your existing data ties to the verified identity).
• A public key generated by your device's passkey (WebAuthn). The matching private key is stored in your operating system's keychain / TPM / security key and never leaves your device. The server cannot sign as you, and cannot impersonate you.
• A signature counter used for anti-replay protection.

What we do not receive when you use Touch ID / Windows Hello: any biometric data. Those sensors only unlock the local private key on your device; the server never sees your fingerprint scan or face.

You can sign out at any time (this revokes your session token), or ask the operator to delete your verified account entirely (removes handle + public keys; the underlying fingerprint and its content are handled separately via the rules above).

What we do NOT store

• IP addresses in the application database.
• Email addresses or passwords (there are no traditional accounts).
• Biometric data — passkeys prove possession of a device, never a fingerprint or face.
• Any data used for advertising or shared with third parties.

Server logs

The web server (nginx) writes standard access logs that contain IP addresses like every web server does. These rotate and are used only for spotting abuse and rate limiting.

Your rights (GDPR)

You can ask the operator (mtcllf@gmail.com) to:

• show you what is stored about your fingerprint;
• delete any content you posted;
• remove your fingerprint from the bans list, if applicable.

You can also simply clear your browser data, which wipes your fingerprint and effectively makes you a new user.

Controller

Patrick Przystolik, contact mtcllf@gmail.com — see the Impressum for full details.

PAT-OS 2000 · Impressum · Privacy