SmellsLikeCodfish
> OVERVIEW
SmellsLikeCodfish is a non-commercial digital archive and catalogue dedicated to documenting video games developed in Portugal and by Portuguese creators. This Privacy Policy explains what information we collect when you visit the site, why we collect it, how it is used, and the rights you have over it under the EU General Data Protection Regulation (GDPR / RGPD) and Portuguese data protection law.
> DATA CONTROLLER
The SmellsLikeCodfish project, operating from Portugal, is the controller of any personal data processed through this site. For any privacy request you can reach us at the email address listed at the bottom of this page.
> INFORMATION COLLECTED FROM VISITORS
You can browse the entire catalogue, the developers directory, the statistics page, the about page, and the changelog without creating an account and without us collecting any personal data about you. We do not run analytics, advertising, or tracking scripts. Standard server-side request logs (such as IP address, browser user-agent, requested URL, and timestamp) may be processed transiently by our hosting provider for the sole purpose of delivering the page and protecting against abuse, and are retained only for as long as is necessary for those purposes.
> INFORMATION COLLECTED FROM REGISTERED USERS
If you choose to create an account, we collect and store: • your email address (required for sign-in and account recovery) • a unique user identifier generated automatically • a hashed version of your password (we never see the password in plain text) • the timestamp of your account creation • an optional username that you may set on the profile page We do not collect names, postal addresses, phone numbers, payment data, or any demographic information. The only personal field that is mandatory is the email address.
> COOKIES
We use only strictly necessary cookies. No advertising, analytics, fingerprinting, or third-party tracking cookies are used, so no cookie consent banner is required under EU rules. • NEXT_LOCALE — remembers the language (English or Portuguese) you have selected. Lifetime: up to one year. • Supabase authentication cookies (sb-*) — issued only after you sign in to keep you logged in across requests. They contain a session token and refresh token. Lifetime: until you log out or the session expires. All cookies are flagged Secure and SameSite where applicable.
> BROWSER LOCAL STORAGE
We store one preference key in your browser's local storage: • pref_scanlines — remembers whether you have toggled the CRT scanlines effect on or off in the customization section of your profile. Local storage data never leaves your device and is not transmitted to our servers.
> THIRD-PARTY SERVICES
We rely on a small number of carefully chosen processors to operate the site: • Supabase — provides our database, authentication, and session storage. When you create an account or sign in, your email and password are processed by Supabase on our behalf. Data is stored on Supabase infrastructure under their security and privacy terms. • Our hosting provider — serves the site and handles HTTPS termination and request routing. Standard transient server logs may be generated. • YouTube (Google Ireland Ltd.) — game trailers are embedded as YouTube players. The embed loads only after you click "play_trailer.yt" on a game page. Once the embed loads, YouTube may set its own cookies and receive your IP address and the URL of the page you are on. We do not control or have access to that data. • External image and store URLs — game cover art and store links point to third-party domains (such as Steam, itch.io, or publisher websites). Loading those images or following those links is governed by the respective third party's privacy policy. We never sell, rent, or share personal data with third parties for marketing.
> LEGAL BASIS FOR PROCESSING
Under Article 6 of the GDPR our lawful bases are: • Performance of a contract — to create and operate your account when you sign up (Art. 6(1)(b)). • Legitimate interests — to keep the site secure, prevent abuse, and operate basic server logs (Art. 6(1)(f)). • Consent — for any optional features you explicitly enable; you can withdraw consent at any time without affecting the lawfulness of past processing (Art. 6(1)(a)).
> DATA RETENTION
Account data (email, user ID, hashed password, optional username) is kept for as long as your account exists. If you delete your account, all associated profile data is removed from our active database. Backups, where they exist, are rotated and overwritten on a normal operational schedule. Server-side request logs are kept only for the short period required to protect the service.
> DATA SHARING & INTERNATIONAL TRANSFERS
We do not sell or share your personal data with third parties, except for the processors listed above (which act strictly under our instructions). Some of these processors operate globally; where data is transferred outside the European Economic Area, the transfer is covered by Standard Contractual Clauses or an equivalent safeguard recognised under the GDPR.
> SECURITY
We protect the site with HTTPS and HSTS, modern security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy), and Supabase row-level security so that each authenticated user can only read and modify their own profile row. Passwords are stored hashed by Supabase Auth — we never have access to them in plain text. No system is perfectly secure; we encourage you to use a strong, unique password.
> YOUR RIGHTS UNDER GDPR / RGPD
You have the right to: • access the personal data we hold about you; • request correction of inaccurate or incomplete data; • request deletion of your data ("right to be forgotten"); • request restriction of processing or object to processing; • request portability of your data in a machine-readable format; • withdraw any consent you previously gave; • lodge a complaint with the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD), or any other competent EU data protection authority. To exercise any of these rights, write to us at the contact email below. We will respond within one month.
> CHILDREN
The site is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
> CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in the site's functionality or in applicable law. The "Last updated" date at the top of the page indicates when the policy was last revised. Substantive changes will be announced on the changelog page.
> CONTACT
For any privacy-related question or to exercise the rights described above, write to: contact@smellslikecodfish.com