Privacy Policy
Last Updated: March 5, 2026
Spencer's Website ("we," "us," or "our") operates thespencerwebsite.com and thespencergamingwebsite.com. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Username — chosen by you during registration
- Password — stored as a one-way cryptographic hash (Argon2id); we cannot read your password
- Account role — your membership tier (Community, User, Contributor, Designer, Admin)
- Registration date and last login timestamp
1.2 Payment Information
We use Stripe as our payment processor. When you purchase a membership:
- Your credit card details are handled entirely by Stripe and never touch our servers
- We store: payment status, plan type, transaction timestamps, and Stripe session/subscription IDs
- We do not store your card number, CVV, or billing address
1.3 Device & Browser Information
For security and fraud prevention, we collect device fingerprint data, including:
| Data Point | Purpose |
| --- | --- |
| IP address | Rate limiting, fraud detection, session tracking |
| Browser user agent | Session validation, analytics |
| Screen resolution | Device fingerprinting for fraud prevention |
| GPU/WebGL renderer | Device fingerprinting for fraud prevention |
| Canvas fingerprint hash | Device fingerprinting for fraud prevention |
| Installed fonts hash | Device fingerprinting for fraud prevention |
| Timezone & language | Device fingerprinting, localization |
| Platform (OS) | Device fingerprinting for fraud prevention |
This data is used to detect account sharing, prevent unauthorized access, and identify banned users who attempt to create new accounts.
1.4 Usage Data
We automatically collect:
- Page views — which pages you visit and when (server-side tracking via includes/track_pageview.php)
- Session data — session ID, current page, page view count, session duration
- Game analytics — which games you play and for how long
- Feature usage — which site features you interact with
- Performance metrics — page load times
1.5 AI Chat Data
If you use the AI Assistant panel, we store:
- Your messages and the AI's responses
- The AI persona selected
- Timestamps of conversations
AI conversations are processed by Groq (third-party AI provider). Messages are sent to Groq's API for response generation. Groq's privacy policy applies to their processing of this data.
1.6 Chat Messages (Yaps)
Messages sent in the Yaps chat system are stored with your username, role, and timestamp. Chat messages are visible to other logged-in users.
1.7 Feedback & Support Tickets
If you submit feedback or support tickets, the content you provide is stored along with your user ID and timestamps.
1.8 Profile Information
If you create or edit your user profile, we collect and store:
- Nickname — An optional display name shown across the site instead of your username
- Description — A short one-liner about yourself (max 500 characters)
- About section — A longer bio (max 2000 characters)
- Profile picture URL — A link to your profile image. Profile pictures are set to "pending" status and must be approved by an administrator before they become visible to other users.
Your profile information is visible to all logged-in users (except community-role accounts). You can edit or remove this information at any time from your profile page.
1.9 Smail (Internal Messages)
If you use the Smail internal messaging system, we store:
- Message sender and recipient IDs
- Message title and body content
- Color and urgency settings you choose
- Read status and timestamps
Smail messages are private between sender and recipient. Administrators may access message data for moderation and safety purposes. Community-role accounts cannot use Smail.
1.10 Live Threat Detection & IP Tracking
To protect the security of all users, we implement automated threat detection that monitors:
- Failed login attempts — IP address, timestamp, and frequency of failed logins
- Rate limiting data — Request counts per IP address per endpoint
- Automated IP blocking — IPs with 5 or more failed login attempts within 10 minutes are temporarily blocked for 30 minutes
Blocked IP records are stored in a blocked_ips table and automatically expire. Administrators can manually unblock IPs. This data is used solely for security purposes and is not shared with third parties.
1.11 AI Chat History
If you use the AI Assistant, we store:
- Your messages and the AI's responses
- The AI persona/model used for each conversation
- Chat folders, starred messages, and pinned conversations
- Context memory preferences (whether the AI remembers your site-specific information)
AI chat data is stored in your account and is accessible only to you. Administrators may review AI chat histories for moderation purposes — for example, to detect misuse of the AI system or violations of the Terms of Service.
1.12 Support Ticket Data
When you submit support tickets or game reports, we store the content of your submission along with your user ID, timestamps, and ticket status. This data is accessible to you and site administrators. Extra ticket grants issued by administrators are also recorded.
2. How We Use Your Information
We use your information to:
- Provide and maintain your account and membership
- Process payments and manage subscriptions
- Detect and prevent fraud, abuse, and unauthorized access
- Enforce our Terms of Service and community guidelines
- Improve site performance and user experience
- Respond to support requests
- Send critical account notifications (e.g., suspension, subscription expiry)
We do not sell, rent, or share your personal information with third parties for marketing purposes.
2.1 Administrator Monitoring
Site administrators have access to the following data through the admin dashboard for security, moderation, and site management purposes:
- Login history — Your username, last login timestamp, IP address, and account status are visible to administrators
- Page visit analytics — Which pages you visit, how often, and when — aggregated into top-visited-pages reports
- Device fingerprints — Your device fingerprint data (screen resolution, platform, IP address) is visible to administrators for fraud detection
- AI chat conversations — If you use the AI Assistant, administrators can view your messages and AI responses for safety and moderation purposes
- Support tickets — Your submitted tickets and responses are visible to administrators
- Data clearing — Administrators may periodically clear aggregated analytics data (page views, performance metrics, interaction data). This removes the data permanently but does not affect your account or personal settings.
2.2 Data Access & Administration
The following administrative data access practices apply to this platform:
- Site administrators can read all private messages sent between users through the platform's internal messaging system (Smail).
- Site administrators can read all AI chat conversations conducted by users on the platform, including message content, selected personas, and conversation history.
- Profile pictures submitted by users are reviewed by administrators before being displayed publicly. Submitted profile pictures are retained in administrative records, including images that are declined.
- Administrators may restrict a user's access to specific areas of the platform at any time, with or without stated reason.
- All administrative access to user data is logged in an audit trail, including the administrator's identity, the action performed, and the timestamp.
3. Cookies & Local Storage
3.1 Session Cookies (Essential)
We use a PHP session cookie (PHPSESSID) to maintain your login state. This cookie is:
- Set with HttpOnly, Secure, and SameSite=Lax flags
- Deleted when you close your browser (session lifetime = 0)
- Required for the site to function — you cannot use the site without it
3.2 Local Storage
We use browser Local Storage to save your preferences (theme, accent color, game settings). This data stays on your device and is never sent to our servers unless you have a paid account with server-synced settings enabled.
3.3 Third-Party Cookies
The following third-party services may set cookies on your device:
- Google reCAPTCHA v3 — CAPTCHA verification on login and registration forms. Google may set cookies for bot detection. See Google's Privacy Policy.
- Stripe — Payment processing. Stripe may set cookies during the checkout process. See Stripe's Privacy Policy.
4. Third-Party Services & Embedded Content
4.1 Embedded Games (Iframes)
Our game pages embed third-party HTML games via <iframe> elements. These games are hosted on external servers and may independently collect data such as cookies, analytics, or usage information. By playing these games, you interact directly with the third-party content provider. We do not control and are not responsible for the privacy practices of these embedded game providers.
4.2 CDN Resources
We load static resources (fonts, icons, JavaScript libraries) from the following content delivery networks:
- cdnjs.cloudflare.com — Font Awesome icons, JavaScript libraries
- cdn.jsdelivr.net — JavaScript libraries
- fonts.googleapis.com / fonts.gstatic.com — Web fonts
- challenges.cloudflare.com — Turnstile CAPTCHA widget
These CDN providers may log your IP address and browser information when serving resources. Their respective privacy policies apply.
4.3 Groq AI API
AI chat messages are sent to Groq for processing. Groq receives the text of your message and conversation context. See Groq's Privacy Policy.
4.4 Stripe Payment Processing
All payment processing is handled by Stripe, Inc. Your financial data is processed according to Stripe's Privacy Policy and PCI-DSS standards.
5. Data Retention
| Data Type | Retention Period |
| --- | --- |
| Account data (username, role, settings) | Until account deletion |
| Payment sessions (completed) | Indefinitely (for records) |
| Payment sessions (failed/expired) | 7 days, then auto-deleted |
| Payment nonces | Auto-deleted after expiry (15 minutes) |
| Webhook events (processed) | 90 days, then auto-deleted |
| Page views & analytics | Indefinitely (admin can clear) |
| Device fingerprints | Until manually removed by admin |
| AI chat history | Until manually removed by admin |
| Chat messages (Yaps) | Indefinitely |
| Rate limit records | Automatically cleaned by scheduled task |
| Session data | Until browser session ends |
6. Data Security
We implement the following security measures to protect your data:
- Encryption in transit — All connections are forced over HTTPS with HSTS
- Password hashing — Argon2id with memory_cost=65536, time_cost=4, threads=3
- CSRF protection — Session-based tokens on all forms and state-changing requests
- Rate limiting — IP-based and session-based rate limiting on sensitive endpoints
- Input sanitization — All user inputs are sanitized to prevent XSS and SQL injection
- Prepared statements — All database queries use PDO prepared statements
- Content Security Policy — CSP headers restrict script and resource loading
- Account lockout — Automatic lockout after 5 failed login attempts
7. Your Rights
You have the right to:
- Access your data — You can export your settings from the Settings page
- Delete your data — You can clear your browsing data from the Settings page. For full account deletion, contact the administrator
- Opt out of tracking — Device fingerprinting is used for security purposes and cannot be individually disabled, but you can request account deletion to remove all stored fingerprint data
To exercise any of these rights, contact us at spencerbuisness101@thespencerwebsite.com.
8. Children's Privacy
Our service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected data from a child under 13, we will promptly delete it. If you believe a child has provided us with personal information, please contact us.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the site after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy, contact us at:
Email: spencerbuisness101@thespencerwebsite.com