Short version: we don't want your data. We collect the minimum needed to keep the site working and fair, never sell it, and give you full rights to see, correct or erase whatever's tied to you.
Who we are
This site is operated by BAM.LI. For the purposes of UK GDPR and the EU GDPR we are the data controller. You can reach us at [email protected] or via the contact page.
What we collect — and why
BAM.LI works without any account. We don't have signup forms, profiles, or password resets. The data we touch is limited to the minimum needed to make the site fair, fast, and abuse-resistant.
| What | Why | How long |
|---|---|---|
| IP address (hashed) | To prevent abuse and apply per-visitor limits. We never store your raw IP — it is one-way hashed before any record is written, and only the hash is kept. | Up to 30 days for limit windows; permanent only as part of anonymised aggregate counts. |
| Country code | To assign your tap to a country leaderboard and credit a steal to a country. Two letters only (e.g. GB, US). |
Permanent on aggregated counts. |
| Anonymous browser identifier | A random identifier stored locally in your browser so we can apply per-visitor limits without a login. We never see your name or device. | Stays in your browser's local storage until you clear it. |
| Names / messages you submit | To display on the throne and in “previous holders”. You choose what to put here. | Permanent unless you ask us to remove a specific entry. |
| Aggregate click counts | Total taps per country, total taps globally. Pure numbers, no link to any one user. | Permanent. |
| Abuse-prevention signal | An invisible check used to confirm requests are coming from real browsers, not automated scripts. | Per-request only. Not stored. |
| Analytics signals | Aggregate visit data via Google Analytics 4 — pages viewed, approximate region, device type, referrer, session length. Used to understand usage patterns and improve the site. IP addresses are truncated by Google before storage. | Up to 14 months by default in Google's systems. |
| Ad-serving signals | If display ads are running on the page (via Google AdSense), Google may use cookies and similar to deliver, measure and personalise ads. We do not see your individual identity through this. | Per Google AdSense / Google's policies. |
What we don't collect
- Your real name, email, phone number, or address.
- Your contacts, photos, files, or any device permissions.
- Personally-identifiable information beyond what you choose to type into the throne.
- Browsing history outside BAM.LI (the analytics + ad providers above operate within their own networks under their own policies).
Cookies and similar storage
The site uses a small set of cookies and similar storage. The categories below describe what each is for. For users in regions that require explicit consent for non-essential cookies (UK, EEA, California, etc.), we will surface a consent banner on the page and respect Do Not Track / Global Privacy Control browser signals where supported.
- Strictly necessary (always on): a small amount of browser local storage to apply per-visitor limits and remember your country. Both are read only by our own pages and never sent to third parties.
- Abuse prevention: short-lived cookies may be set during invisible checks used to distinguish humans from automated scripts. Operational only.
- Analytics — Google Analytics 4 (active): Google sets cookies (e.g.
_ga,_ga_*) to measure aggregate site usage. We use IP-anonymisation; we do not enable Google Signals or cross-device tracking; we do not link analytics data to any other identity. Google's privacy policy: policies.google.com/privacy. Opt out via the Google Analytics opt-out browser add-on. - Advertising — Google AdSense: when display ads are served, Google may set advertising cookies (e.g.
NID,IDE) to deliver, measure and personalise ads. Google's ad-cookie practices and your controls (including ad personalisation off): policies.google.com/technologies/ads. EU/UK/California visitors see an explicit consent banner before any ad-personalisation cookies are set, and ads default to non-personalised under regional consent rules.
Legal basis (UK / EU GDPR)
- Legitimate interests — for the minimal hashed-identifier data needed to enforce fair play.
- Consent — for advertising and non-essential analytics cookies in regions where consent is required (UK, EEA, California, etc.). We surface a consent banner and respect your choice.
- Performance of a service — for the names, messages and country codes you submit, since they are the entire point of using the site.
Your rights (UK & EU residents)
Under UK GDPR and the EU GDPR, you have the right to:
- Access any data we hold that's identifiable to you.
- Correct inaccurate data we hold.
- Erase ("right to be forgotten") your data, including specific names or messages on the throne.
- Object to our processing on legitimate-interest grounds.
- Restrict processing while we resolve a dispute.
- Withdraw consent at any time, where consent was the basis.
- Lodge a complaint with the UK Information Commissioner's Office or your local EU supervisory authority.
Email [email protected] with the subject "Data request" and include enough detail to identify the entry (e.g. the exact name and approximate timestamp on the throne). We aim to respond within 30 days, free of charge.
Your rights (California residents — CCPA / CPRA)
If you live in California you have the right to:
- Know what personal information we collect, where it came from, why we collect it, and who we share it with.
- Delete personal information we hold about you (subject to legal exceptions).
- Correct inaccurate personal information.
- Opt out of sale or sharing of personal information — though for clarity, we do not sell or share personal information for cross-context behavioural advertising.
- Limit use of sensitive personal information — we do not collect any sensitive personal information as defined by the CPRA.
- Non-discrimination — we won't deny you the service or charge you differently for exercising any of these rights.
To exercise any California right, email [email protected]. We may need to verify the request matches activity originating from your IP / browser session.
International transfers
Our database is hosted within the EU. Static pages may be cached and served from a global edge network, including servers outside the UK / EEA. Any transfer outside the UK or EEA relies on Standard Contractual Clauses and adequacy frameworks where applicable.
Children
BAM.LI is suitable for general audiences but is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has submitted information, please email [email protected] and we will remove it.
Security
We use industry-standard transport encryption (HTTPS / TLS) and apply input validation and one-way hashing where appropriate. No system is perfectly secure — if you discover a vulnerability, please report it responsibly to [email protected].
Changes to this policy
If we materially change how we handle your data, we'll update the "last updated" date above and post a brief note at the top of this page for at least 14 days.
Contact
Email [email protected] for any privacy question, including data access, deletion, complaint, or general curiosity. We read every email.