Privacy Policy

Last updated: 2 May 2026

Hi — I'm Daniela, the person behind Kapybara Fun. This policy explains what data I collect, why I collect it, and what your rights are. I've tried to keep it readable, but if anything is unclear, email me at support@kapybara.fun and I'll explain.

Who's responsible for your data

Kapybara Fun is operated by Daniela Braierová, based in the Czech Republic. I'm the data controller for personal data processed through this service, which means I decide how and why your data is used.

For questions about your data or to exercise your rights under GDPR, contact support@kapybara.fun.

What data I collect

Account data. When you sign up, I collect your email address and a password (stored as a secure hash — I never see your actual password). If you sign in via a third-party provider, I receive your email and basic profile info from them.

Purchase data. When you buy tokens or subscribe, Stripe handles the payment. I receive the transaction ID, amount, currency, and your country (for tax purposes), but I never see or store your full card details. Stripe is the data controller for the payment itself — see Stripe's privacy policy for how they handle it.

Usage data. Information about how you use the service: which puzzles you generate, your token balance and history, settings and preferences, files you create. This is what makes the service work.

Technical data. Standard server logs: IP address, browser type, pages visited, timestamps, error logs. This helps me keep the site running and debug problems.

Communications. If you email me, I keep our correspondence so I can follow up and reference it later if you contact me again.

Why I collect it (legal basis)

Under GDPR, I need a legal reason to process your data. Here's mine:

• To provide the service (contract): I need your account data and usage data to actually run Kapybara Fun for you. Without it, the service can't function.
• To process payments (contract + legal obligation): Stripe and I need transaction data to bill you, issue receipts, and meet tax and accounting requirements.
• To keep the service secure and working (legitimate interest): Server logs and technical data help me prevent abuse, debug issues, and protect the service from attack.
• To communicate with you (contract + legitimate interest): Service emails (purchase confirmations, password resets, important account notices) are necessary for the service. Marketing emails are sent only if you've opted in, and you can unsubscribe anytime.
• Legal compliance (legal obligation): Some data, like invoice records, I'm legally required to keep for tax purposes (10 years under Czech law).

Who I share your data with

I keep this list short on purpose. Your data goes only to providers I genuinely need to run the service:

• Stripe (payment processing) — for handling purchases and subscriptions
• Hostinger (hosting) — the servers your data sits on
• Anthropic (AI processing) — for generating word-based puzzles like crosswords; only the puzzle generation prompts are sent, not your account info
• Email provider — for sending service emails (e.g., purchase confirmations, password resets)

Each of these processes data under their own privacy policies and has agreed to GDPR-compliant data processing terms with me.

I don't sell your data. I don't share it with advertisers. I don't use it to train AI models.

If I ever need to add a new processor, I'll update this policy. If the change is material, I'll let you know directly.

Where your data is stored

Your data is hosted on servers in the European Union (via Hostinger). Some of my service providers — like Stripe and Anthropic — may process data outside the EU, including in the United States. When that happens, the transfer is covered by appropriate safeguards (Standard Contractual Clauses or equivalent mechanisms approved by the European Commission).

How long I keep it

• Account data: as long as your account is active. If you delete your account, I remove your personal data within 30 days, except where law requires me to keep it longer.
• Purchase records and invoices: 10 years, as required by Czech tax law.
• Server logs: typically 30–90 days, then automatically deleted.
• Email correspondence: up to 3 years after our last exchange, unless you ask me to delete it sooner.
• Generated puzzle books: as long as your account is active, or until you delete them.

Your rights

Under GDPR, you have the right to:

• Access the data I hold about you
• Correct anything that's wrong or out of date
• Delete your data (“right to be forgotten”) — except where I'm legally required to keep it
• Export your data in a portable format
• Restrict how I process your data
• Object to processing based on legitimate interest
• Withdraw consent at any time, where consent is the legal basis
• Lodge a complaint with the Czech Office for Personal Data Protection (uoou.cz) or your local EU data protection authority

To exercise any of these rights, email support@kapybara.fun. I'll respond within 30 days. There's no charge for reasonable requests.

Cookies and tracking

Kapybara Fun uses a small number of cookies, all strictly necessary for the service to work:

• Session cookies to keep you logged in
• Security cookies to prevent abuse and CSRF attacks
• Preference cookies to remember your settings

I don't use advertising cookies, third-party trackers, or analytics that build profiles about you across the web. If I add analytics in the future, it'll be a privacy-respecting option (like Plausible or self-hosted alternatives) and I'll update this policy first.

Children's privacy

Kapybara Fun is intended for adults (parents, teachers, creators). The service is not directed at children under 16, and I don't knowingly collect data from them. If you're a parent and believe your child has signed up, email me and I'll delete the account.

The puzzle books generated through the service are often made forchildren, but those puzzle books don't collect any data from the children who solve them.

Security

I take reasonable steps to protect your data: passwords are hashed, payments go through Stripe (PCI-compliant), the site runs over HTTPS, and access to the production environment is restricted. No system is perfectly secure, but I take it seriously and respond quickly if I learn of an issue. If a breach affects your data, I'll notify you and the relevant authorities as required by law.

Changes to this policy

I may update this policy as the service evolves. The “Last updated” date at the top tells you when. For material changes, I'll notify active users by email or with a notice on the site before they take effect.