🔒 Privacy Policy
Last updated: June 2026
1. Introduction
DinoVara (“we”, “our”, “us”) is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal data when you visit our website, in compliance with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
DinoVara is designed as an educational resource about dinosaurs and prehistoric life. We collect minimal personal data — only what is necessary to provide our services.
2. Data Controller
The data controller is the operator of DinoVara. For privacy-related inquiries, please visit our Contact page.
3. What Data We Collect
3.1 Information You Provide
- Account data: If you create an account, we store your username, email address, and a hashed password (we never see your plain-text password).
- User-generated content: Dinosaur collections you create, fun facts you submit, and votes you cast in head-to-head comparisons.
- Game scores: Your quiz scores, linked to your account if logged in.
3.2 Information Collected Automatically
- Anonymous analytics: We use Plausible Analytics, a privacy-first analytics service that does NOT use cookies and does NOT track individuals. It collects: page URL, referrer, browser type, device type, and country (from IP, not stored). No personal data is collected.
- Local storage: We store your theme preference, language preference, unit system preference, and cookie consent choices in your browser's localStorage. These are not sent to our servers.
- Mapbox GL JS: Our interactive map uses Mapbox. Mapbox may set a localStorage key for caching. See Mapbox's privacy policy for details.
3.3 What We Do NOT Collect
- We do not use advertising cookies or tracking pixels.
- We do not build user profiles for marketing.
- We do not sell, rent, or trade your personal data to anyone.
- We do not use Google Analytics or any third-party ad networks.
4. Legal Basis for Processing
Under GDPR, we process your data on the following legal bases:
- Consent (Art. 6(1)(a)): For optional analytics and Mapbox map features. You can withdraw consent at any time via the cookie banner or browser settings.
- Contractual necessity (Art. 6(1)(b)): To provide account features you have requested (collections, voting, game scores).
- Legitimate interest (Art. 6(1)(f)): To maintain site security and prevent abuse of our submission systems.
5. How We Use Your Data
- To provide and maintain your account.
- To display your public profile, collections, and leaderboard rankings (only if you choose to make them public).
- To moderate user-submitted fun facts and prevent spam.
- To improve our website based on anonymous aggregate analytics.
6. Data Retention
- Account data: Retained until you delete your account.
- Votes and game scores: Retained indefinitely in anonymized or pseudonymized form for leaderboard integrity. On account deletion, your username is replaced with “Deleted User”.
- Fun fact submissions: Retained based on approval status. Rejected submissions are deleted after 30 days.
- Analytics data: Plausible retains aggregated data indefinitely (no personal identifiers).
- Server logs: Retained for a maximum of 30 days for security purposes.
7. Your Rights Under GDPR
As a user in the EU/EEA or UK, you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Correct inaccurate data.
- Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”).
- Right to restriction (Art. 18): Limit how we process your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time via the cookie banner.
To exercise any of these rights, contact us via the Contact page. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. Children's Privacy (COPPA)
DinoVara is a family-friendly educational site, but account creation is intended for users aged 13 and above. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If you believe a child under 13 has created an account, please contact us and we will promptly delete it.
9. Cookies and Local Storage
We use browser localStorage (not traditional cookies) for the following purposes:
| Key | Purpose | Category |
|---|---|---|
| dino-cookie-consent | Stores your cookie preferences | Necessary |
| dino_theme | Dark/light mode preference | Necessary |
| dino-lang | Language preference | Necessary |
| dino-units | Metric/imperial preference | Necessary |
| dino-auth-token | Authentication (if logged in) | Necessary |
| mapbox.eventData | Mapbox map cache | Functional |
Most browsers allow you to clear localStorage and block it entirely via settings. Note that blocking necessary localStorage will degrade your experience (theme, language, and login will not persist across sessions).
10. Third-Party Services
- Plausible Analytics: Self-hosted or EU-hosted privacy-first analytics. No cookies. No personal data. Plausible Privacy Policy.
- Mapbox: Provides the interactive map on our Map page. Mapbox may process your IP address to serve map tiles. Mapbox Privacy Policy.
11. Data Security
We implement appropriate technical and organizational measures to protect your data: passwords are hashed with bcrypt; API communications use HTTPS; database access is restricted. No system is 100% secure, but we take reasonable precautions.
12. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated via a notice on the site. Continued use after changes constitutes acceptance.
13. Contact
For privacy-related requests (access, deletion, portability, complaints), please use our Contact page or email the address listed there.