sherpoint.uk

   

General Data Protection Regulation (GDPR) compliance

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. GDPR was passed in the UK in 2016 and came into force after a two-year preparation period on 25 May 2018.

The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. For more information see the Wikipedia entry on GDPR.

Purpose of collection

xyzzy! search engine: In the case of the xyzzy! search engine, no registration is required, no login is required, no personal data is collected other than the date and time of requests made to the server, the IP Address making the request, the words used in the request and the number of matches found for the request. The date and time and the IP address are recorded in the Apache server log; the words used in the request are stored in a text log.

The purpose of recording the date and time and the IP address is solely to allow us to detect any server errors and identify any malicious attacks or threats to our web service, to protect us and to protect our visitors. The purpose of recording the words used in the request and the number of matches found for the request is solely to enable us to see what topics are popular and which requests are met with few or no matching search results. This enables us to add more, tailored material to the search engine, to improve the service for our users.

In the case of the xyzzy! search engine, we do not use any means (such as cookies) to track users, nor do we pass any information on to any other party, unless required to do so by law enforcement agencies or by the law.

Text adventure: In the case of the text adventure, registration and login are required to play the game, because the nature of the game requires an identifiable player, and continuation of the game (which cannot be completed in one sitting) requires keeping track of a player's progress (e.g. locations they have visited, objects they have taken or used, etc.). This involves collecting and keeping a minimum of data in the form of a username for the player (which may be a pseudonym or may be a person's real-life name); an email address; and a password. We also store up to 255 characters of biography, which any other logged-in player can see, if the player chooses to provide this.

For technical reasons only, we need to collect and store a username to identify a player by that username. For technical and security reasons only, we need to collect and record a valid email address to send an activation code in an email to the player before they can use their account and play the game. For technical and security reasons only, we need to also collect and record a password that only they know. They are specifically asked to use a strong password and to not use a password they use for any other site, especially not for financial purposes. For security purposes we also log the IP Address of the web user or player.

The primary reason for collecting this data is so that the player can log in and actually play the game, request a password reset or change their password, or so that — if it is necessary for technical or security purposes — we may contact the player.

No contact will be made unless it is necessary or unless the player initiates an email conversation or signals that they require assistance. The email address will not be used for marketing purposes.

In the case of the text adventure, we do not use any means (such as cookies) to track users, nor do we pass any information on to any other party, unless required to do so by law enforcement agencies or by the law.

This data will be held as long as the player continues with the game. Should they choose to leave the game, their account may be deleted (along with any data it contains) by contacting the Data controller or Data Protection Officer (detailed below).

We log in-game requests made to the server, but these logs are only kept for seven days for debugging, enhancement and security / abuse-detection purposes. We do not log or keep the content of in-game chat (made to all occupants of the current location) or messages (sent privately to another player). Chat and messages are real-time only; the contents do not persist in a database.

Data sharing

The server is based in the UK, and no data (except search results or in-game play) is shared outside the UK, nor do we pass any information on to any other party, unless required to do so by law enforcement agencies or by the law.

Automated decision-making

No automated decision-making (“profiling”) takes place using the data.

A user's access to their data

Users are free at any time to request copies of any data held on them, by contacting the Data controller or Data Protection Officer (detailed below). We have no automated way of providing these details, so such requests will have to be answered manually, by a human being. For security purposes, data will only be made available when a written request is made from the email address associated with the user's account.

Database security

We take security very seriously. Important keys or secrets that are used by the adventure application are locked in an encrypted digital vault. Access to this vault is controlled by the user who launches the adventure application, and requires that person to manually input a strong password to open the vault. That strong password is stored only on a removable hard drive or removable memory stick that goes wherever that person goes; the device is never left on the premises with the server.

This means that the key to the vault cannot be found by an attacker rummaging through the configuration files or other files on the server; the keys and secrets that the vault contains are all encrypted; and the data that these keys and secrets unlock remains strongly encrypted.

Details of the email server used by the adventure application are encrypted in the digital vault. This will help reduce the risk of spam emails being sent to users / players using these credentials.

The strong cipher key used for encryption and decryption purposes in the adventure application is also encrypted in the digital vault. The database holding user details requires this strong cipher key to encrypt and decrypt a player's email address, as this is required to send emails to a user such as for activation purposes after registration, or to respond to a password reset request. The email address is securely encrypted (salted for additional security, so that every time it is stored it has a different value). Where possible, we use a secure, one-way hash digest to identify and compare an email address provided by the user with one stored in the database.

Encryption is not used to secure a player's password, as it is safer to use a secure, one-way hash (salted for additional security, so that every time it is stored it has a different value). Nobody, not even us, can decrypt a player's password; all we can do is compare it with the password provided by the player at log-in, and nobody else could bypass the regular system to log in using the un-decrypted password.
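The storage scheme described in the two paragraphs above, sketched as an added example that is not sherpoint.uk's own code. The algorithm choices (AES-256-GCM, HMAC-SHA-256, scrypt), the column names and the in-memory keys are assumptions; the page names no algorithms and keeps its real keys in the vault.

```javascript
// Added example; algorithms, names and keys below are assumptions, not the site's code.
const crypto = require('crypto');

// Constructed demo keys; in the page's design these would be released by the vault.
const ENC_KEY = crypto.randomBytes(32);
const INDEX_KEY = crypto.randomBytes(32);

const normalise = (email) => email.trim().toLowerCase();

// Randomised encryption: a fresh 12-byte nonce per call, so the stored value
// differs every time, even for the same address.
function encryptEmail(email) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  const ct = Buffer.concat([c.update(normalise(email), 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

// Throws if the stored value was altered (the GCM tag no longer verifies).
function decryptEmail(stored) {
  const raw = Buffer.from(stored, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Deterministic keyed digest: the same address always maps to the same value,
// so it can serve as a lookup column without decrypting any row.
function emailIndex(email) {
  return crypto.createHmac('sha256', INDEX_KEY).update(normalise(email)).digest('hex');
}

// Salted one-way password hash, stored as "salt:hash" in hex.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  return `${salt.toString('hex')}:${crypto.scryptSync(password, salt, 32).toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected); // constant-time comparison
}

function makeUserRow(username, email, password) {
  return { username, email_enc: encryptEmail(email), email_idx: emailIndex(email), pw: hashPassword(password) };
}
```

The digest is keyed here so that a copy of the database alone does not allow guessed addresses to be confirmed; a plain unkeyed hash of an email address would.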

Additional security measures

Additional security measures are in place on the web server and the adventure game server.

All web content, websocket communications and sockjs fallback communications are made over secure, encrypted HTTPS/TLS connections with a valid security certificate signed by the Certificate Authority (CA) Let's Encrypt, and valid only for the sherpoint.uk domain.

Email contact agreement

In the case of the text adventure, it is wholly necessary for technical and security reasons for you to agree to allow us to contact you by email, so that we can send you an activation code after registration, and necessary for you to request a password reset or to change your email address, or to email you in response to a request for technical assistance. If you do not agree, then sadly you will be unable to use the text adventure. We will not contact you for any other reason unless it is necessary for your continued use of the game or if you request a reply from us.

Data controller

The Data Controller for the sherpoint.uk web site is Eric Twose. He can be contacted by email at eric.twose AT btinternet DOT com. Replace “ AT ” with “@” and “ DOT ” with “.”. He may also be contacted using the in-game facility to report a bug, or issue, or suggest an enhancement, or by sending a private message to Eric Twose at Facebook.

Data Protection Officer

The Data Protection Officer for the sherpoint.uk web site is Eric Twose. He can be contacted by email at eric.twose AT btinternet DOT com. Replace “ AT ” with “@” and “ DOT ” with “.”. He may also be contacted using the in-game facility to report a bug, or issue, or suggest an enhancement, or by sending a private message to Eric Twose at Facebook.





