Join the guessing game. Upload stumpers. Climb the boards.
or
Already have an account? Log in

Privacy Policy

Effective Date: 15 May 2026

This Privacy Policy explains how WotsThat.com collects, uses, stores, and protects your personal information. It applies to all users of the Site. By using WotsThat you agree to the collection and use of information as described in this policy.

We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

WotsThat.com is the data controller for personal information collected through this Site. For data protection enquiries, contact: Wots@wotsthat.com

2. What Information We Collect

2a. Information You Provide

  • Account registration details: email address, username, password (stored encrypted)
  • Profile information: display name, avatar preferences
  • Images you upload to the Site
  • Guesses and theory text you submit
  • Reports you submit about other content
  • Communications you send us directly

2b. Information Collected Automatically

  • IP address and approximate location (country/region level)
  • Browser type, device type, and operating system
  • Pages visited, time spent on pages, and navigation patterns
  • Game activity: guesses submitted, solve times, points earned, challenges viewed
  • Referral data: if you arrived via a challenge share link

2c. Information from Third Parties

  • If you sign in with Google or X (Twitter), we receive your email address and public profile information from those services as permitted by your settings with them

3. How We Use Your Information

  • To create and manage your account
  • To operate the game, including processing guesses, awarding points, and maintaining leaderboards
  • To moderate uploaded content using automated AI systems and manual review
  • To generate Community Verdicts for Mystery Zone images using AI analysis of submitted theories
  • To detect and prevent fraud, abuse, and violations of our Terms of Service
  • To send you notifications about your account, challenges you have uploaded, and referral activity (where you have opted in)
  • To improve the Site and understand how users interact with it
  • To comply with legal obligations

4. Legal Basis for Processing (UK GDPR)

  • Contract: processing necessary to provide the service you have signed up for
  • Legitimate interests: fraud prevention, security, improving the Site, and referral tracking
  • Consent: email marketing communications (you may withdraw consent at any time)
  • Legal obligation: where we are required to process data to comply with applicable law

5. Uploaded Images

Images you upload are stored on Supabase cloud storage. All user-uploaded images are processed by an automated AI moderation system (Anthropic Claude) to check for prohibited content before publication. The image and moderation result are logged for safety purposes.

If you upload an image to the Mystery Zone, submitted theories from other users are aggregated and sent to an AI system to generate a Community Verdict. Individual theory texts may be included in this processing but are not attributed to individual users in the published verdict.

You may request deletion of your uploaded images at any time by contacting us or using the delete function in your account settings. Deleted images are removed from public display and from storage within 30 days.

6. Cookies and Tracking

  • Essential cookies: required for login sessions and security
  • Functional storage: localStorage is used to remember your install prompt preference and referral data from challenge share links
  • Analytics: we may use privacy-respecting analytics to understand Site usage in aggregate

We do not use advertising cookies or sell your data to advertisers. You can control cookies through your browser settings, though disabling essential cookies will prevent you from logging in.

7. Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers: Supabase (database and file storage), fal.ai (AI image generation), Anthropic (content moderation and verdict generation). These providers process data only as instructed by us and are contractually bound to protect it
  • Legal requirements: where we are required to disclose data by law, court order, or regulatory authority
  • Business transfer: if WotsThat is acquired or merged, your data may be transferred as part of that transaction, subject to the same privacy protections

8. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal information within 30 days, except where we are required to retain it for legal purposes (such as moderation logs related to content violations, which we retain for 12 months).

Anonymised and aggregated data (such as total guess counts and leaderboard history) may be retained indefinitely as it cannot be used to identify you.

9. Your Rights (UK GDPR)

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate personal data
  • Right to erasure: request deletion of your personal data ("right to be forgotten")
  • Right to restriction: request that we limit how we process your data in certain circumstances
  • Right to data portability: request your data in a machine-readable format
  • Right to object: object to processing based on legitimate interests
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at Wots@wotsthat.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encrypted password storage
  • HTTPS encryption for all data in transit
  • Access controls limiting which staff and systems can access personal data
  • Row-level security on our database preventing users from accessing other users' data

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. Children's Privacy

WotsThat is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has created an account, we will delete their information promptly. If you believe a child under 13 has registered, please contact us at Wots@wotsthat.com.

12. International Transfers

WotsThat is operated from the United Kingdom. Our third-party service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements, including standard contractual clauses where applicable.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post any changes on this page with an updated effective date. For significant changes, we will notify registered users by email or in-app notification. Continued use of the Site after changes are posted constitutes acceptance of the updated policy.

14. Contact Us

For any privacy-related questions or to exercise your rights, contact:
Email: Wots@wotsthat.com