12 May 2026

Privacy Policy

Last updated 2026-05-08 · mrtdoku.com · operated as a personal project

1. Summary

MRTdoku is a daily 3×3 station puzzle on the Singapore MRT/LRT network. We try to collect as little personal data as the game can function with. Today, MRTdoku stores your game progress only in your browser's local storage — no account, no cookies, no third-party trackers. We may add anonymous server-side data collection in the future (for example, to compute how rare your guess was compared to other solvers); when we do, it will be tied to a random session identifier rather than to you, and we will update this page before any new collection starts.

This policy is written to satisfy Singapore's Personal Data Protection Act 2012 (“PDPA”) and is GDPR-aware for EU visitors.

2. What we collect

  • Anonymous game state. Your in-progress puzzle, the solved/unsolved status of each cell, your rules-modal-seen flag, and a randomly-generated session_id (UUID v4). All stored in your browser's localStorage; not sent to our servers.
  • Edge access logs. Standard hosting logs at Vercel capture your IP address, user-agent, request timestamp, and referrer for every page load. We do not query, export, or analyse these logs except to investigate abuse or operational incidents.
  • Browser-reported timezone. Used only at render-time on your device to display the daily-puzzle clock; never transmitted.
  • Anonymous answer events (planned future feature; not collected today). (puzzle_date, cell, station_code, is_correct, created_at) tied to your session_id. These will power rarity scoring (“your guess matched 8% of solvers”) and aggregate statistics. The session_id is not linked to any name, email, account, or device fingerprint.

3. Why we collect it

  • Game functionality. Saving your in-progress puzzle so you can return to it.
  • Rarity scoring (planned future feature). Aggregating anonymous answer events to compute “your answer matched X% of solvers” for each cell.
  • Abuse rate-limiting. Limiting bot-driven or automated submissions that would distort rarity scores.
  • Operational integrity. Investigating outages, errors, and reasonable-use violations.

We never sell, lease, or share data with third parties for advertising, profiling, or marketing. We do not run an advertising network.

4. Retention

  • Browser localStorage persists until you clear it. Clearing site data in your browser removes all of it.
  • Edge access logs follow Vercel's retention schedule (see Vercel's privacy policy linked in §6).
  • Raw answer events, once rarity scoring is enabled, will be retained for 90 days, then deleted. Aggregate statistics derived from these events (per-puzzle solve rates, station rarity) contain no personal data and will be retained indefinitely.
  • Account data, if user accounts are introduced in the future, will be retained until you delete your account. On deletion, all linked rows will be purged within 30 days.

5. Who we share it with

We do not transfer personal data to any third party as a data controller. The processors below provide the infrastructure that runs MRTdoku and act as data processors under their respective Data Processing Agreements.

ProcessorRoleRegionStatus
Vercel Inc.Web hosting; edge access logs (IP, user-agent, timestamp); first-party Speed Insights (Web Vitals).Singapore (sin1) primary; global edge.In use today.
SupabaseDatabase for puzzle definitions, anonymous answer events, and aggregates.Singapore.Not in use today; planned for future rarity-scoring features.

6. Your rights under PDPA

Singapore's PDPA grants you the rights of access, correction, withdrawal of consent, and deletion. You may also lodge a complaint with the Personal Data Protection Commission of Singapore.

How to exercise these rights. Today, email the operator at mrtdokugames@gmail.com from the address you wish to identify with, and quote your session_id (you can find it in your browser's DevTools → Application → Local Storage → key mrtdoku.session) so we can match the request to your data. If user accounts are introduced in the future, the same flows will additionally be surfaced in-app.

We respond to access and deletion requests within 30 days. We may ask for additional information solely to verify the request (e.g., a fresh session_id from the device you wish to be identified with).

7. Singapore PDPA specifics

  • Privacy contact. MRTdoku is run by an individual maintainer who serves as the privacy contact, reachable at mrtdokugames@gmail.com. There is no separate corporate Data Protection Officer because the site is operated as a personal project, not a registered legal entity.
  • Access requests. Acknowledged within 7 days, substantively answered within 30 days.
  • Notifiable breach. If a breach meets the PDPA notification threshold, we will notify the PDPC within 72 hours and affected users without undue delay.
  • Withdrawal of consent. You can stop using the service at any time and clear your browser storage to erase your local game state. If user accounts are introduced in the future, you will additionally be able to delete any account-linked records via an in-app flow or by writing to mrtdokugames@gmail.com.

8. GDPR addendum (EU/EEA visitors)

If you visit MRTdoku from the European Union, European Economic Area, or the United Kingdom, the following supplements §6.

  • Lawful basis. Anonymous in-browser game state is processed on the basis of strictly necessary functionality. If we later collect anonymous server-side answer events for rarity scoring, those will be processed under our legitimate interest in producing aggregate puzzle statistics. We do not place any persistent third-party identifier on your device, so consent under the EU ePrivacy Directive is not required.
  • Your rights. In addition to the PDPA rights above, you have the GDPR rights of access, rectification, erasure, restriction, portability, and objection. Email mrtdokugames@gmail.com to exercise any of these.
  • International transfers. Vercel may process certain operational data outside the EU/EEA under its Standard Contractual Clauses (SCCs); see its privacy policy linked in §5. Supabase processing for MRTdoku occurs in the Singapore region.
  • Supervisory authority. You may lodge a complaint with your local data-protection authority.

9. Cookies and tracking

MRTdoku does not set any cookies. We use only browser localStorage for game state and the anonymous session_id. We embed no third-party scripts, pixels, or fingerprinting. If we add product analytics in the future, we will either restrict them to fully anonymous server-side aggregates or add a region-aware consent banner — and we will update this policy with at least 14 days' notice before any such change becomes active.

10. Children

MRTdoku is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided personal data to us, contact mrtdokugames@gmail.com and we will delete it.

11. Changes to this policy

We will post any changes to this page with an updated “last updated” date at the top. Material changes will additionally be surfaced via an in-app banner on the next visit. The current version is dated 2026-05-08.

12. Trademarks and affiliation

Not affiliated with, endorsed by, or sponsored by the Land Transport Authority of Singapore, SMRT Trains Ltd, or SBS Transit Ltd. “MRT”, line names, and line colors are referenced under fair-use principles for an educational fan puzzle. Station data and its license are described on the credits page.

13. Contact

MRTdoku is operated as a personal project at mrtdoku.com from Singapore. There is no registered company; an individual maintainer is responsible for the site and for handling privacy requests.

Contact: mrtdokugames@gmail.com
Terms of use: /terms.