> OVERVIEW
SmellsLikeCodfish is a non-commercial digital archive and catalogue dedicated to documenting video games developed in Portugal and by Portuguese creators. This Privacy Policy explains what information we collect when you visit the site, why we collect it, how it is used, and the rights you have over it under the EU General Data Protection Regulation (GDPR / RGPD) and Portuguese data protection law.
> DATA CONTROLLER
The SmellsLikeCodfish project, operating from Portugal, is the controller of any personal data processed through this site. For any privacy request you can reach us at the email address listed at the bottom of this page.
> INFORMATION COLLECTED FROM VISITORS
You can browse the entire catalogue, the developers directory, the statistics page, the about page, and the changelog without creating an account and without us collecting any personal data about you. We do not run analytics, advertising, or tracking scripts. Standard server-side request logs (such as IP address, browser user-agent, requested URL, and timestamp) may be processed transiently by our hosting provider for the sole purpose of delivering the page and protecting against abuse, and are retained only for as long as is necessary for those purposes.
> INFORMATION COLLECTED FROM REGISTERED USERS
If you choose to create an account, we collect and store: • your email address (required for sign-in and account recovery) • a unique user identifier generated automatically • a hashed version of your password (we never see the password in plain text) • the timestamp of your account creation • the timestamp of your last sign-in (recorded automatically by the authentication system; visible only to administrators for account-management purposes) • a username, chosen by you at signup, which is publicly displayed alongside any submission you make and on the profile pages of pages that reference you (3–32 characters, unique across the site) • a role assigned to your account (regular, moderator, or administrator) used solely to determine what site features you can access We do not collect names, postal addresses, phone numbers, payment data, or any demographic information. The mandatory personal fields are your email address and your chosen username; your username, your assigned role, the date you joined, and any contributions you have made that have been approved are shown publicly on your contributor page at /u/your-username; no other account data is shown publicly.
> USER-SUBMITTED CONTENT
Logged-in users can propose new games for the catalogue and suggest corrections to existing game entries. When you submit content we store: • the proposed payload (the fields you filled in, such as title, developer, year, descriptions, and any URLs) • your user identifier (so we can attribute the submission to your account and so you can track its status from your profile) • the timestamp of submission • if applicable, the identifier of the existing game your correction targets and the reason you provided • the review outcome (pending, approved, or rejected) and any notes left by a moderator or administrator during review Pending submissions and corrections are not shown publicly and are only visible to you and to staff while under review. Once a submission is approved, the proposed data becomes part of the public catalogue under the same terms as any other catalogue entry; the original submission record is retained internally for auditing purposes. Rejected submissions remain visible only to you (with the staff notes explaining the decision) and to staff. Do not submit personal data about other identifiable individuals, copyrighted text you do not have the right to share, or anything you would not want to appear publicly. You can ask us to remove a submission at any time using the contact email below.
> IN-APP NOTIFICATIONS
We store a short notification on your profile page when (a) a moderator or administrator approves or rejects one of your submissions, or (b) a new game is added to the catalogue (in this case every registered user receives the same notification). Each notification contains a title, an optional body, an optional link to the relevant page, and a read/unread flag. Notifications are visible only to you and are deleted automatically if you delete your account. We do not send any email about them and we do not share notification content with third parties.
> COOKIES
We use only strictly necessary cookies. No advertising, analytics, fingerprinting, or third-party tracking cookies are used, so no cookie consent banner is required under EU rules. • NEXT_LOCALE — remembers the language (English or Portuguese) you have selected. Lifetime: up to one year. • Supabase authentication cookies (sb-*) — issued only after you sign in to keep you logged in across requests. They contain a session token and refresh token. Lifetime: until you log out or the session expires. All cookies are flagged Secure and SameSite where applicable.
> BROWSER LOCAL STORAGE
We store one preference key in your browser's local storage: • pref_scanlines — remembers whether you have toggled the CRT scanlines effect on or off in the customization section of your profile. Local storage data never leaves your device and is not transmitted to our servers.
> THIRD-PARTY SERVICES
We rely on a small number of carefully chosen processors to operate the site: • Supabase — provides our database, authentication, and session storage. When you create an account or sign in, your email and password are processed by Supabase on our behalf. Data is stored on Supabase infrastructure under their security and privacy terms. • Our hosting provider — serves the site and handles HTTPS termination and request routing. Standard transient server logs may be generated. • YouTube (Google Ireland Ltd.) — game trailers are embedded as YouTube players. The embed loads only after you click "play_trailer.yt" on a game page. Once the embed loads, YouTube may set its own cookies and receive your IP address and the URL of the page you are on. We do not control or have access to that data. • External image and store URLs — game cover art and store links point to third-party domains (such as Steam, itch.io, or publisher websites). Loading those images or following those links is governed by the respective third party's privacy policy. We never sell, rent, or share personal data with third parties for marketing.
> LEGAL BASIS FOR PROCESSING
Under Article 6 of the GDPR our lawful bases are: • Performance of a contract — to create and operate your account when you sign up (Art. 6(1)(b)). • Legitimate interests — to keep the site secure, prevent abuse, and operate basic server logs (Art. 6(1)(f)). • Consent — for any optional features you explicitly enable; you can withdraw consent at any time without affecting the lawfulness of past processing (Art. 6(1)(a)).
> DATA RETENTION
Account data (email, user ID, hashed password, optional username) is kept for as long as your account exists. If you delete your account, all associated profile data is removed from our active database. Backups, where they exist, are rotated and overwritten on a normal operational schedule. Server-side request logs are kept only for the short period required to protect the service.
> DATA SHARING & INTERNATIONAL TRANSFERS
We do not sell or share your personal data with third parties, except for the processors listed above (which act strictly under our instructions). Some of these processors operate globally; where data is transferred outside the European Economic Area, the transfer is covered by Standard Contractual Clauses or an equivalent safeguard recognised under the GDPR.
> SECURITY
We protect the site with HTTPS and HSTS, modern security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy), and Supabase row-level security so that each authenticated user can only read and modify their own profile row. Passwords are stored hashed by Supabase Auth — we never have access to them in plain text. No system is perfectly secure; we encourage you to use a strong, unique password.
> YOUR RIGHTS UNDER GDPR / RGPD
You have the right to: • access the personal data we hold about you; • request correction of inaccurate or incomplete data; • request deletion of your data ("right to be forgotten"); • request restriction of processing or object to processing; • request portability of your data in a machine-readable format; • withdraw any consent you previously gave; • lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD), or any other competent EU data protection authority. To exercise any of these rights, write to us at the contact email below. We will respond within one month.
> CHILDREN
The site is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
> CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in the site's functionality or in applicable law. The "Last updated" date at the top of the page indicates when the policy was last revised. Substantive changes will be announced on the changelog page.
> CONTACT
For any privacy-related question or to exercise the rights described above, write to: contact@smellslikecodfish.com