Privacy Policy

1. Introduction and data controller

Bustabyte is a personal side project created and run by a HackForums community member. It is not a company, registered business, or commercial entity. The website at bustabyte.com (the "Service") is a provably fair crash game that uses HackForums virtual currency known as "βytes". This Privacy Policy explains how your personal data is collected, used, stored, shared, and protected when you access or use the Service.

Throughout this policy, "I", "me", and "my" refer to the individual who operates Bustabyte. "You" and "your" refer to you, the user.

For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and all applicable data protection legislation, the data controller responsible for your personal data is:

Jacob Riggs (known as Riggs on HackForums, UID 402384)

I am committed to protecting your privacy and handling your personal data in accordance with applicable data protection laws. Please read this Privacy Policy carefully so that you understand how your information is handled.

2. Personal data we collect

I collect and process several categories of personal data, depending on how you interact with the Service. Only personal data that is necessary for the purposes described in this policy is collected.

2.1 Account and identity data

When you authenticate with the Service via HackForums OAuth 2.0, the following information is received and stored from HackForums:

• Your HackForums user ID (UID) - a unique numerical identifier assigned by HackForums
• Your HackForums username - used as your display name on Bustabyte
• An OAuth 2.0 access token - a credential that authorises the Service to read your HackForums profile information and to process βyte transfers (deposits and withdrawals) on your behalf. This token is issued by HackForums and can be revoked by you at any time through the HackForums authorised applications settings.

Your HackForums password is never collected or stored at any point. Authentication is handled entirely through the HackForums OAuth 2.0 protocol, and your credentials are never transmitted to or through Bustabyte's servers.

2.2 Financial and transactional data

To operate the game and manage your virtual currency balance, the Service records:

• All bets placed, including the bet amount, any auto-cashout multiplier you set, the multiplier at which you cashed out (if applicable), and the resulting profit or loss
• All deposit transactions (βytes transferred from your HackForums wallet into your Bustabyte balance)
• All withdrawal transactions (βytes transferred from your Bustabyte balance back to your HackForums wallet)
• Your current internal balance and the complete history of balance changes, including the balance after each transaction

βytes are a virtual currency operated by HackForums. Bustabyte does not process any real-world monetary transactions, fiat currency, or cryptocurrency.

2.3 Technical and device data

When you access the Service, certain technical information is automatically collected:

• IP addresses - recorded at each login and used for security purposes, including login tracking, multi-account detection, and abuse prevention
• Browser user agent string - provides information about your browser type, version, and operating system
• Session identifiers - unique tokens used to maintain your authenticated session
• Timestamps - the date and time of each login, bet, transaction, and other interactions with the Service

2.4 Game data

The Service generates and stores data relating to each game round, including:

• Game identifiers, cryptographic hashes, crash points, and timing data
• The association between your bets and specific game rounds
• Aggregated statistics derived from your gameplay, such as total bets placed, total amount wagered, win rate, net profit or loss, and best multipliers achieved

2.5 Cookies and similar technologies

The Service uses a limited number of cookies that are necessary for its operation:

• Session cookie (PHPSESSID) - this is a strictly necessary cookie that maintains your authenticated session while you use the Service. It is deleted when you close your browser or when your session expires. Under GDPR, strictly necessary cookies do not require consent as they are essential for the Service to function.
• Cookie consent preference cookie (bb_consent) - this cookie records your cookie preferences as selected through our cookie consent banner. It is stored for 365 days.

Bustabyte does not use any advertising cookies, marketing cookies, social media tracking pixels, or third-party analytics services. There is no cross-site tracking of any kind.

3. Purposes and legal bases for processing

Under Article 6(1) of the GDPR, there must be a lawful basis for each processing activity. Below is each purpose for which your personal data is processed and the corresponding legal basis relied upon.

3.1 Performance of a contract (Article 6(1)(b) GDPR)

When you choose to use the Service, you enter into an agreement governed by its terms. The following processing activities are necessary to deliver that service:

• Authentication - verifying your identity through HackForums OAuth to create and maintain your account
• Game operation - processing your bets, calculating outcomes, executing cashouts, and settling results
• Balance management - maintaining your internal βyte balance, processing deposits from your HackForums wallet, and processing withdrawals back to your HackForums wallet
• Transaction records - recording all financial transactions for accuracy, dispute resolution, and accountability
• Provably fair verification - publishing game hashes after each round so that you and other users can independently verify that game outcomes were predetermined and not manipulated

3.2 Legitimate interests (Article 6(1)(f) GDPR)

Certain personal data is processed where it is necessary for legitimate interests, provided that those interests are not overridden by your fundamental rights and freedoms. A legitimate interest assessment has been considered for each of the following:

• Fraud prevention and platform integrity - IP addresses are logged and login patterns are analysed to detect multi-accounting, collusion, and other forms of abuse. The legitimate interest is protecting the fairness of the game for all users and safeguarding the virtual currency vault.
• Security monitoring - session tokens are validated on each request, administrative actions are logged, and suspicious activity is monitored. The legitimate interest is ensuring the security and availability of the Service.
• Leaderboards and public profiles - your username and aggregated gameplay statistics (such as total bets, win rate, and net profit) are displayed on public leaderboards and your user profile page. The legitimate interest is providing a competitive and transparent gaming environment. You may contact me if you wish to discuss the visibility of your profile.
• Service improvement - aggregated, non-identifying usage patterns may be analysed to understand how the Service is used and to identify areas for improvement. The legitimate interest is improving the quality and reliability of the Service.

3.3 Consent (Article 6(1)(a) GDPR)

Where consent is relied upon, it will always be obtained before processing begins. Currently, consent is relied upon for:

• Optional cookies - functionality and analytics cookies as presented through our cookie consent banner. You may withdraw your consent at any time by clicking the cookie settings icon in the bottom-left corner of any page and adjusting your preferences.

Where consent is the legal basis, you have the right to withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

3.4 Legal obligation (Article 6(1)(c) GDPR)

Your personal data may be processed where it is necessary to comply with a legal obligation, such as responding to lawful requests from law enforcement or regulatory authorities.

4. Data sharing and third-party recipients

Your personal data is never sold, rented, traded, or otherwise commercially shared with any third party. Personal data is shared only in the following limited circumstances:

4.1 HackForums (hackforums.net)

HackForums is the authentication provider and virtual currency platform that underpins the Service. When you use Bustabyte, the Service communicates with the HackForums API v2 to:

• Authenticate your identity during the OAuth login flow
• Read your HackForums profile information (such as your username and βyte balance)
• Process βyte deposits into the Bustabyte vault on your behalf
• Process βyte withdrawals from the Bustabyte vault back to your HackForums wallet

The data transmitted to HackForums includes your OAuth access token and βyte transfer instructions. HackForums processes this data in accordance with their own privacy policy and terms of service, which you are encouraged to review independently. I am not responsible for HackForums' data processing practices.

4.2 Google Fonts

The Service loads web fonts from Google's Content Delivery Network (CDN) to render typography. When your browser requests these fonts, Google may collect your IP address and certain technical information. Google processes this data in accordance with Google's Privacy Policy. No personal data is shared with Google by Bustabyte; any data collection occurs directly between your browser and Google's servers.

4.3 Hosting provider

The Service is hosted on infrastructure provided by OVH SAS, a hosting provider based in the European Union. The server is located in Europe. OVH provides the physical and network infrastructure but does not access or process your personal data beyond what is necessary to provide hosting services. OVH's privacy policy governs their handling of any data that passes through their infrastructure.

4.4 Law enforcement and legal requirements

Your personal data may be disclosed to law enforcement agencies, regulatory authorities, courts, or other public bodies if required to do so by law, by a court order, or if there is a reasonable belief that such disclosure is necessary to:

• Comply with a legal obligation
• Protect and defend the rights or property of the Service
• Prevent or investigate possible wrongdoing in connection with the Service
• Protect the personal safety of users of the Service or the public

4.5 Publicly visible data

Please be aware that certain data is publicly visible to all users of the Service by design:

• Your username appears on leaderboards, in the live game bet list, and on your public profile page
• Your aggregated gameplay statistics (total bets, win rate, total wagered, net profit, best win, and best multiplier) are displayed on your public profile page
• Your recent bet history (bet amounts, cashout multipliers, crash points, and profit/loss) is visible on your profile page

5. International data transfers

The server infrastructure is located within the European Economic Area (EEA). However, when you interact with the Service, data may be transferred to:

• HackForums - which may process data on servers located outside the EEA. Any such transfer is necessary for the delivery of the Service (Article 49(1)(b) GDPR), as Bustabyte cannot function without communicating with the HackForums API.
• Google (for font delivery) - which may deliver fonts from servers located globally. Google participates in the EU-US Data Privacy Framework and maintains appropriate safeguards for international transfers.

Where personal data is transferred outside the EEA, it is done under specific derogations permitted by Article 49 GDPR (such as necessity for the performance of the service you requested).

6. Data retention

Your personal data is retained only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are:

• Account data (UID, username, OAuth token) - retained for as long as your account remains active on the Service. If you request account deletion, your account data will be removed within 30 days of the request being processed, subject to the exceptions noted below.
• Game and transaction records (bets, deposits, withdrawals, balance history) - retained indefinitely. This is necessary for the integrity of the provably fair verification system, which allows any user to verify the entire chain of game outcomes retrospectively. Removing individual game records would break the cryptographic chain and undermine the trust model that the Service is built upon.
• IP addresses and login records - retained for a configurable period as set by site administrators (default: 90 days), after which they are automatically and permanently deleted.
• Administrative audit logs - retained according to the site's configured audit log retention period, after which they are automatically purged.
• OAuth access tokens - retained until you revoke access via the HackForums authorised applications settings, until your account is deleted, or until the token expires or is invalidated by HackForums, whichever occurs first.
• Cookie consent preferences - retained for 365 days from the date you set them.

When personal data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.

7. Data security

Appropriate technical measures are implemented to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption in transit - all connections between your browser and our servers are encrypted using HTTPS with TLS. Real-time WebSocket connections use the WSS (WebSocket Secure) protocol.
• Secure credential storage - database credentials, API secrets, and OAuth client secrets are stored server-side and are never exposed to client-side code or included in responses sent to your browser.
• Authentication security - session tokens are generated using cryptographically secure random number generators, validated on every request, and can be invalidated server-side to force re-authentication if suspicious activity is detected.
• Access controls - administrative access to the Service is restricted to authorised staff members. All administrative actions are recorded in an audit log that includes the action taken, the target user or resource, and the IP address of the administrator.
• Database security - our database uses parameterised queries (prepared statements) throughout to prevent SQL injection attacks. Balance modifications are performed within database transactions with row-level locking to prevent race conditions.
• Input validation - all user inputs are validated and sanitised on the server side to prevent cross-site scripting (XSS) and other injection attacks.

While reasonable steps are taken to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. Absolute security cannot be guaranteed, but I am committed to maintaining and improving security measures over time.

8. Your rights under GDPR

Under the GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exceptions as set out in the GDPR.

8.1 Right of access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request a copy of that data. Much of this information is already available to you directly through the Service: your profile page displays your gameplay statistics, and your bet and transaction history can be viewed within the game interface. For a complete copy of all personal data held about you, please contact me using the details in Section 13.

8.2 Right to rectification (Article 16)

You have the right to request the correction of inaccurate personal data. Your username on Bustabyte is sourced from your HackForums account; if your HackForums username changes, it will be updated on Bustabyte accordingly. For other corrections, please contact me.

8.3 Right to erasure (Article 17)

You have the right to request the deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. However, please note that it may not be possible to delete game and transaction records, as these are integral to the provably fair verification system. Deleting individual records would compromise the cryptographic hash chain, which serves as the public proof of fairness for all users. In such cases, your data will be anonymised by removing the link between your identity and the records, so that the records can no longer be attributed to you.

8.4 Right to restriction of processing (Article 18)

You have the right to request the restriction of processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or where you have objected to processing pending verification of whether legitimate interests override your rights.

8.5 Right to data portability (Article 20)

Where processing is based on consent or the performance of a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV).

8.6 Right to object (Article 21)

You have the right to object to the processing of your personal data where legitimate interests are relied upon as the legal basis. This includes the right to object to the public display of your username and statistics on leaderboards and your profile page. Upon receiving an objection, processing will cease unless there are compelling legitimate grounds that override your interests, rights, and freedoms.

8.7 Right to withdraw consent (Article 7(3))

Where consent is relied upon to process personal data (such as for optional cookies), you may withdraw that consent at any time by clicking the cookie settings icon on any page and updating your preferences. Withdrawal of consent does not affect the lawfulness of any processing that took place before the withdrawal.

8.8 Right to lodge a complaint

If you believe that the processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. In the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk. If you are located in the European Economic Area, you may contact the supervisory authority in your member state of habitual residence, place of work, or place of the alleged infringement.

8.9 Exercising your rights

To exercise any of the above rights, please contact me using the details provided in Section 13. I will respond to your request within one month of receipt. In complex cases, this period may be extended by a further two months, in which case you will be informed of the extension and the reasons for it within the first month. No fee will be charged for processing your request unless the request is manifestly unfounded or excessive.

I may need to verify your identity before processing your request. As Bustabyte authenticates users through HackForums OAuth, identity will typically be verified by asking you to confirm your HackForums UID or by requesting a private message from your HackForums account.

9. Automated decision-making and profiling

Bustabyte does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you, as defined in Article 22 of the GDPR. All game outcomes are determined by a provably fair cryptographic system and are not influenced by personal data or user profiles. Administrative actions such as account bans or restrictions are carried out manually and are not the result of automated processing.

10. Third-party services and links

The Service integrates with or links to the following third-party services. Each third party processes data in accordance with their own privacy policies, which we encourage you to review:

• HackForums (hackforums.net) - authentication provider and virtual currency platform. All OAuth interactions, βyte transfers, and profile data retrieval are processed through the HackForums API v2.
• Google Fonts (fonts.googleapis.com, fonts.gstatic.com) - web font delivery service. See Google's Privacy Policy and their Google Fonts privacy FAQ.

I am not responsible for the privacy practices of any third-party services. When you follow links to external websites or interact with third-party services, you are subject to their respective privacy policies.

11. Children and age restriction

The Service is not intended for, directed at, or designed to attract individuals under the age of 18. Personal data is not knowingly collected from anyone under the age of 18. If it becomes apparent that personal data has been collected from a person under 18, steps will be taken to delete that data as soon as reasonably practicable. If you are a parent or guardian and believe that your child has provided personal data to Bustabyte, please contact me immediately using the details in Section 13.

12. Changes to this Privacy Policy

This Privacy Policy may be updated from time to time to reflect changes in practices, the Service, or applicable laws. When changes are made, the "Last updated" date at the top of this page will be updated. If material changes are made that significantly affect how your personal data is processed, reasonable efforts will be made to notify you, such as by displaying a prominent notice on the Service.

You are encouraged to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acknowledgement of the changes.

13. Contact us

If you have any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, including if you wish to exercise any of your rights under Section 8, please contact me via:

• HackForums private message to Riggs (UID 402384)

I will aim to respond to all legitimate enquiries within one month. If your request is particularly complex, I may need up to three months to respond, but you will be notified of any extension within the first month.