Privacy Policy

Your guesses, results, statistics, and streaks are stored locally on your device (browser localStorage). This data never leaves your device unless you create an account and choose to sync your streak.

We also set two cookies that are strictly necessary for the game to function:

• dh_guess_token — a signed counter of today's guesses, used to enforce the 8-guess limit fairly. Expires within 48 hours.
• dh_anon_id — a random identifier (not linked to your name or email) used to count plays, help prevent abuse, and compute aggregate puzzle statistics such as average guesses per day.

If you create an account, we collect your email address and your streak record so they can follow you across devices. We use this data only to operate your account. We do not sell your email address, and we will not send you marketing without your consent.

Crew subscriptions are handled by a PCI-DSS-certified third-party payment processor. Your card details go directly to the processor and never touch our servers; we receive only your email address, your subscription status, and a customer reference so we can unlock your membership.

The free version of Daily Heist shows ads served by Google. Third-party vendors, including Google, use cookies or device identifiers to serve ads based on your prior visits to this and other websites, including personalized ads where permitted by law. Crew members see no ads.

You can opt out of personalized advertising in Google's Ads Settings and opt out of many other ad vendors' cookies at aboutads.info/choices (US) or youronlinechoices.eu (EEA/UK).

We rely on a small number of specialist providers for cloud hosting and content delivery, database and authentication infrastructure, payment processing, and advertising. Each processes data only as needed to provide its service to us and, where required, under a data processing agreement. Standard server logs (such as IP addresses) may be retained briefly for security and abuse prevention. We never sell your personal data to anyone.

Our providers may process data in countries other than your own, including the United States. Where the law requires it (for example, for transfers from the EEA, UK, or Switzerland), those transfers rely on appropriate safeguards such as adequacy decisions, the EU-US Data Privacy Framework, or Standard Contractual Clauses.

Local game data stays on your device until you clear it. The guess-limit cookie expires within 48 hours. Account data is kept while your account is active and deleted when you ask us to close it. Server and security logs are kept only briefly. Aggregate statistics that no longer identify anyone may be kept indefinitely.

Where the GDPR or UK GDPR applies, we process data: to perform our contract with you (running the game, your account, and your subscription); for our legitimate interests (securing the service, enforcing fair play, and measuring aggregate use); and with your consent where the law requires it (such as personalized advertising). You can withdraw consent at any time.

We use reasonable technical and organizational safeguards, including encryption in transit (HTTPS) and signed game cookies. No online service can guarantee perfect security, which is one more reason we collect as little data as possible — the safest data is the data we never hold.

• Play without an account — no email or name is ever required.
• Clear your browser data to erase local stats at any time.
• Email us to access, correct, delete, or receive a copy of any account data we hold about you, to restrict or object to our processing, or to withdraw consent. We'll respond within 30 days, or any shorter period the law requires, and we'll never treat you differently for exercising your rights.
• If you live in the EEA or UK, you also have the right to lodge a complaint with your data protection authority.
• If you live in California or another US state with a privacy law, you may have rights to know, correct, and delete your data, and to opt out of the “sale” or “sharing” of personal information. We don't sell your data for money; third-party advertising cookies may count as “sharing” under some of these laws, and you can opt out using the links in the Advertising section above.

Daily Heist is not directed at children under 13 (or the higher minimum age where local law sets one), and we do not knowingly collect personal information from them. If you believe a child has provided us personal data, contact us and we will delete it promptly.

If this policy changes, we'll post the new version here and update the date above. For material changes, we'll make reasonable efforts to notify account holders by email before the changes take effect.

Questions or requests: hello@yejidatalab.com