Privacy Policy for EMUHUB.NET

1. Introduction and Contact Information

2. Data Collection and Processing

2.1 Account Data

• Email address
• Password (stored securely using Auth0)
• Display name (optional)
• Profile picture (optional)
• IP address

2.2 Technical Data

• IP address (anonymized)
• Browser type and version
• Operating system
• Date and time of access
• Website from which you accessed our site
• Pages visited on our site

2.3 Game ROM Data

• File data (stored in your browser's local storage initially)
• Upload timestamp
• Associated metadata
• Technical file information (size, format, etc.)

3. Data Processing Purposes and Legal Basis

3.1 Account Management

• Purpose: User authentication and profile management
• Legal basis: Contract performance (Article 6(1)(b) GDPR)
• Storage duration: Until account deletion

3.2 ROM Storage and Management

• Purpose: Providing personal ROM storage service
• Legal basis: Contract performance (Article 6(1)(b) GDPR)
• Storage duration: Until account deletion

3.3 Website Analytics

• Purpose: Improving website performance and user experience
• Legal basis: Consent (Article 6(1)(a) GDPR)
• Storage duration: As per cookie lifetimes detailed in Section 5

4. Third-Party Service Providers

4.1 Auth0

• Purpose: User authentication and account management
• Data processed: Email, password (hashed), unique identifier
• Location: EU-2 Region
• Privacy policy: Auth0 Privacy Policy

4.2 Cloudflare

• Services used: Workers, D1 Database, KV Storage, R2 Storage, Turnstile
• Data processed: Technical data, stored ROMs, performance metrics
• Purpose: Website hosting and content delivery
• Privacy policy: Cloudflare Privacy Policy

4.3 Google Analytics

• Purpose: Website analytics
• Data processed: Usage data, user behavior (with consent mode)
• Privacy policy: Google Privacy Policy

5. Cookies and Tracking Technologies

5.1 Essential Cookies (always active)

These cookies are necessary for the website to function and cannot be switched off:

Auth0 Cookies:

• auth0.is.authenticated: Tracks authentication state
• auth0.middleware.session: Manages user sessions
• auth0_compat: Ensures authentication compatibility

Cloudflare Cookies:

• __cf_bm: Bot management and security (30 minutes)
• __cflb: Load balancing (24 hours)
• cf_turnstile: CAPTCHA verification

5.2 Analytics Cookies (optional)

These cookies are only set with your consent:

Google Analytics 4:

• _ga: Distinguishes unique users (2 years)
• _ga_[ID]: Maintains session state (2 years)
• _gat: Throttles request rate (1 minute)
• _gid: Stores and updates unique value for each page visit (24 hours)

5.3 Functional Cookies

• cookieChoiceMade: Stores your cookie preferences

6. Your Rights

Under GDPR, you have the following rights:

• Right to Access (Article 15 GDPR)
• Right to Rectification (Article 16 GDPR)
• Right to Erasure (Article 17 GDPR)
• Right to Restriction of Processing (Article 18 GDPR)
• Right to Data Portability (Article 20 GDPR)
• Right to Object (Article 21 GDPR)
• Right to Withdraw Consent (Article 7(3) GDPR)

To exercise these rights, please contact us at [email protected].

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• All data transmission is encrypted using SSL/TLS
• Authentication is handled through Auth0's secure infrastructure
• Data storage is distributed across secure Cloudflare services (D1, KV, R2)
• Regular security assessments and updates
• Access controls and authentication mechanisms
• Employee training on data protection

8. International Data Transfers

Your data is primarily processed within the European Economic Area (EEA). However, some data may be transferred to third countries:

• Cloudflare: Protected by Standard Contractual Clauses (SCCs)
• Google Analytics: Protected by SCCs and additional safeguards

These transfers are necessary for providing our services and are protected by appropriate safeguards under GDPR Article 46

9. Data Retention

Account Data:

• Until you delete your account or request deletion
• Inactive accounts may be deleted after 12 months of inactivity

ROM Data:

• Until you delete your account or request deletion
• May be deleted earlier with prior notice
• Local storage data remains until cleared by user

Analytics Data:

• As per cookie durations specified in Section 5
• Maximum of 26 months in Google Analytics

10. Changes to This Privacy Policy

We may update this privacy policy to reflect changes in our practices or for legal compliance. We will:

• Post the updated policy on our website
• Update the "Last Updated" date
• Notify registered users of material changes via email
• Obtain new consent where required by law

11. Automated Decision Making and Profiling

We do not use automated decision-making or profiling systems. All content is displayed the same way to all users, with the only personalized content being your own uploaded ROMs.

12. Special Categories of Personal Data

We do not collect or process any special categories of personal data (such as details about your race, ethnicity, religious beliefs, health data, biometric data, or other sensitive information as defined in GDPR Article 9).

13. Data Protection Officer

Based on the nature and scale of our data processing activities, we are not required to appoint a Data Protection Officer under GDPR Article 37.

14. Response Times and Security Incidents

• We aim to respond to all data subject requests within 14 days
• In case of a data breach or security incident:
  • We will post a notice on our website within 72 hours
  • Affected users will be notified directly via email
  • Relevant supervisory authorities will be notified as required by law

15. Data Minimization and Review

We are committed to data minimization principles and maintaining only necessary data:

• We review stored data every six months to ensure compliance with data minimization principles
• Our systems are designed to collect only essential data required for service operation
• Technical measures are in place to prevent collection of unnecessary data

16. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. For Germany, this is: