Privacy Policy
Last updated: May 24, 2026 | Effective: May 24, 2026
1. Who We Are
SquidWhipped.com is operated by EggBlox LLC ("we", "us", or "our"). We operate the following websites (collectively, the "Sites"):
- www.squidwhipped.com
- jeopardy.squidwhipped.com
- priceisright.squidwhipped.com
- wheeloffortune.squidwhipped.com
- pressyourluck.squidwhipped.com
- jokerswild.squidwhipped.com
Privacy inquiries: privacy@squidwhipped.com
2. What Data We Collect
We collect analytics data only when you explicitly consent. If you decline consent or do not interact with the consent prompt, no data is collected and nothing is written to your browser's local storage.
When you consent to analytics, the following pseudonymous data is collected:
| Field | Source | Example | Notes |
|---|---|---|---|
| Session ID (sw_sid) | Generated in your browser | UUID | Random identifier stored in localStorage; no name or email attached |
| Country | CloudFront header (server-side) | US | ISO 3166-1 alpha-2; never trusted from client |
| Region / State | CloudFront header (server-side) | CA | State/province code only |
| Browser language | Your browser's reported language | en-US | Used to assess i18n opportunity |
| Timezone | Browser API | America/Chicago | Used for hourly activity heatmap |
| Device type | Screen width (derived) | desktop | Coarse: mobile / tablet / desktop |
| Browser family | User-Agent (derived) | Chrome | Only the derived label; raw User-Agent string is never stored |
| Operating system | User-Agent (derived) | Windows | Only the derived label; raw User-Agent string is never stored |
| Referrer origin | document.referrer (truncated) | https://www.google.com | Truncated to scheme + hostname only; no path or query string |
| Page path | Browser URL | /games | Path only; no query string that could contain tokens |
| Game events | Game code | GAME_START, GAME_END | Game start/end/abandon with anonymized statistics (player counts, scores, durations) |
What we do NOT collect: names, email addresses, phone numbers, payment information, IP addresses, precise location (GPS), raw User-Agent strings, full referrer URLs (paths and query strings are stripped), or any government-issued identifiers.
3. Legal Basis for Processing
We rely on the following legal bases under GDPR Article 6:
- Consent (Art. 6(1)(a)) — For writing the session ID (sw_sid) to your browser's localStorage and for sending analytics events. You can withdraw consent at any time using the "Clear My Analytics Data" link in the site footer.
- Legitimate Interests (Art. 6(1)(f)) — For server-side derived data (country, region) that is stamped onto your request by our CDN infrastructure, which does not require writing anything to your device. Our legitimate interest is improving site performance and understanding aggregate audience demographics without collecting PII. This processing is proportionate, limited in scope, and does not override your fundamental rights.
Where the EU ePrivacy Directive or UK PECR applies (EU, EEA, and UK visitors), we obtain your explicit consent before any data is written to your browser's local storage.
4. How We Use Your Data
- Understanding which games are most popular and at what times
- Identifying whether a significant share of visitors use non-English browsers (to plan translations)
- Measuring game session duration and completion rates to improve game design
- Monitoring traffic source trends (referrer origins)
- Estimating infrastructure load (number of concurrent sessions)
We do not use your data for advertising, cross-site tracking, profiling, automated decision-making, or any purpose beyond site improvement and capacity planning. We do not sell your data to any third party.
5. Data Retention
| Data | Retention Period | Reason |
|---|---|---|
| Raw event records (analytics-events table) | 90 days (automatic TTL) | Short window sufficient for session-level analysis |
| Aggregated daily rollup (analytics-daily-rollup table) | Indefinite | Contains only aggregate counts — no session IDs or pseudonymous identifiers |
| localStorage sw_sid | Until you clear your browser storage or request erasure | Persists your session preference across visits |
6. Third-Party Data Processors
We use Amazon Web Services (AWS) as our sole data processor. Specifically:
- Amazon CloudFront — CDN that delivers site content and stamps country/region headers
- AWS API Gateway — Receives analytics event batches from your browser
- AWS Lambda — Processes and stores analytics events
- Amazon DynamoDB — Stores analytics event records and rollup summaries
- AWS CloudWatch — Infrastructure monitoring and AppSync usage metrics
AWS processes data strictly under our instructions. All AWS infrastructure is governed by the AWS Service Terms and the AWS Data Processing Addendum accepted by EggBlox LLC in our AWS account.
We also use Microsoft Clarity for session analytics on the main SquidWhipped.com site, loaded only when you accept the cookie consent banner. Microsoft's privacy policy applies to data processed by Clarity: privacy.microsoft.com.
7. International Data Transfers
Our AWS infrastructure is located in the United States (us-east-1 and us-west-2 regions). If you access our sites from the European Union, European Economic Area, or United Kingdom, your data will be transferred to the United States.
AWS is certified under the EU–U.S. Data Privacy Framework (DPF, 2023) and the UK Extension to the DPF, which provides an adequate level of protection for personal data transferred to the United States. The AWS Data Processing Addendum incorporating Standard Contractual Clauses (SCCs) has been accepted by EggBlox LLC to further safeguard EU/UK personal data.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of data we hold about your session ID | Email privacy@squidwhipped.com with your sw_sid value from localStorage |
| Erasure | Delete all records linked to your session ID | Use the "Clear My Analytics Data" link in any page footer, or email us |
| Objection | Object to processing based on legitimate interests | Decline consent on first visit, or use the "Clear My Analytics Data" link |
| Restriction | Restrict processing while a dispute is pending | Email privacy@squidwhipped.com |
| Portability | Receive your data in a machine-readable format | Email privacy@squidwhipped.com |
| Withdraw consent | Revoke analytics consent at any time | Use the "Clear My Analytics Data" link in any page footer |
We will respond to rights requests within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing requests. Since we hold only pseudonymous session IDs (no names or emails), verification will rely on you providing your sw_sid value from your browser's localStorage.
EU/EEA residents also have the right to lodge a complaint with your national Data Protection Authority (DPA). UK residents may contact the UK Information Commissioner's Office (ICO).
9. Children's Privacy (COPPA)
SquidWhipped and all associated game sites are intended for users who are 13 years of age or older. We do not knowingly collect, use, or disclose personal information from children under 13.
In compliance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.), our analytics system includes an age verification step on every first-time visit. Visitors who indicate they are under 13 are excluded from all analytics data collection; no localStorage entry is written and no events are sent.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at privacy@squidwhipped.com and we will delete that information promptly.
10. California Privacy Rights (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know — You may request the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete — You may request deletion of your personal information subject to certain exceptions.
- Right to Opt-Out of Sale — We do not sell your personal information to any third party.
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, use the "Clear My Analytics Data" link in any page footer or contact us at privacy@squidwhipped.com. We will respond within 45 days.
11. Cookies & Local Storage
We do not set any cookies. Our analytics system uses browser localStorage to store one item:
- sw_sid — Your pseudonymous session identifier (a random UUID). Written only after you consent to analytics. Used to associate your page views and game events within a single session.
- sw_analytics_consent — Stores your consent decision (granted or denied) so the consent prompt is not shown again on subsequent visits.
The EU ePrivacy Directive (Article 5(3)) and UK PECR apply to localStorage access. We obtain your explicit consent before writing either item for visitors from EU, EEA, UK, Canada, Brazil, and US states with applicable privacy laws. Our consent prompt is shown to all first-time visitors regardless of geography.
Additionally, Microsoft Clarity (loaded on the main SquidWhipped.com site only, and only after you accept the cookie consent banner) may set its own cookies. Please refer to Microsoft's privacy policy for details.
12. Security
We take reasonable technical and organizational measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or higher (enforced by CloudFront and API Gateway)
- All data at rest is encrypted using AWS-managed keys (DynamoDB encryption at rest)
- API endpoints are protected by throttling and access key authentication
- Dashboard access is protected by HMAC-signed time-limited cookies via Lambda@Edge
- IAM roles follow the principle of least privilege
- Raw event data expires automatically after 90 days (DynamoDB TTL)
In the event of a data breach affecting raw analytics event records, we will notify the relevant supervisory authorities (DPAs) of affected EU/UK user countries within 72 hours as required by GDPR Article 33, and will notify affected California residents as required by California law.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. For material changes, we will update the effective date and, where technically feasible, notify users who have consented to analytics.
Continued use of the Sites after the effective date of a revised policy constitutes your acceptance of the changes.
14. Contact Us
For privacy questions, rights requests, or to report a concern, please contact: