Privacy Policy
At Gameping we take your privacy seriously. This policy explains what data we collect, how we use it, and what your rights are.
Privacy Policy
Effective date: 1 July 2026 Last updated: 1 July 2026 Version: 1.0
Gameping ("we", "us", "the service") is committed to protecting the personal data of everyone who uses gamepingtest.com. This Privacy Policy explains, in detail, what data we collect through our ping measurement and comparison service, why we collect it, on which legal basis, and how you can exercise your rights.
This notice fulfils the transparency obligations in Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) and Regulation 2018/1725 where applicable. For visitors located in Türkiye it also serves as the disclosure required under Article 10 of the Turkish Personal Data Protection Law (KVKK).
1. Data Controller
Gameping is currently operated by an individual proprietor. The data controller for all processing described in this notice is the owner of the gamepingtest.com domain. You can reach us at:
- Service name: Gameping
- Domain: gamepingtest.com
- Privacy and data protection queries: [email protected]
- Legal notices: [email protected]
Because Gameping is not established in the European Union but offers services to EU residents, an EU representative under GDPR Article 27 will be designated as our audience there grows; the appointment will be published in this section.
2. Scope
This policy applies to gamepingtest.com and its sub-paths, API endpoints and shared result pages. It does not extend to third-party websites you may reach through links (game publishers, social platforms, community sites); those services operate under their own privacy policies.
3. What We Collect
Our service does not require registration or identification. To make the product work and to prevent abuse we must nevertheless process a small amount of technical data.
3.1 Automatically collected technical data
| Category | Content | Point of collection |
|---|---|---|
| IP address (hashed) | Your IPv4 or IPv6 address transformed into an irreversible SHA-256 digest using a server-side secret salt | On every HTTP request |
| User-Agent | Browser and operating system string (full text held only in transient memory; hashed in persistent logs) | On every HTTP request |
| Referrer URL | Which page you arrived from | On first page view |
| Request timestamp | UTC timestamp of the request | On every request |
| WebSocket RTT samples | Round-trip time, jitter and packet loss estimate against our probe servers | Only when you press "Start test" |
| Language preference | Chosen interface language (tr/en) | When you change languages |
Your raw IP address is never written to a database. In our Nginx access logs the IP is masked at the application layer before the log line is emitted; persistent storage sees only the hash.
3.2 Data you actively provide
- Result sharing: When you press "Share result", the chosen game, region, measurement metrics (ping, jitter, loss), locale and an auto-generated slug (
valorant-eu-west-x7f9a2) are stored in our database. The generated page is publicly reachable and search-engine indexable by default. - Contact e-mails: If you write to [email protected] or [email protected], we process the e-mail address and message content for as long as needed to handle your request.
- Erasure requests: To remove a shared result you may need to provide the sharing link or its creation date so we can verify your control over it.
3.3 Data we do not collect
We think it is equally important to say what we do not collect:
- Name, national identifier, tax number or similar identity data
- Payment or billing information
- Location (GPS, geolocation API)
- Microphone, camera or sensor data
- Social profile data unless you actively share content
- Cross-site tracking data for advertising profiles
4. Purposes of Processing
Every piece of data has a defined, explicit and legitimate purpose. We do not collect data "just in case".
- Service provision — running the WebSocket RTT test against our regional probes.
- Abuse prevention — rate-limiting requests that share the same hashed IP to protect service quality.
- Security response — investigating DDoS, automated scraping or malicious API use.
- Product improvement — building aggregated, anonymous statistics of which games are tested and from which regions. No individual can be re-identified from these aggregates.
- SEO share pages — turning results you consciously share into public, search-friendly pages.
- Legal compliance — producing log records when compelled by a court, prosecutor or competent authority.
5. Legal Bases
Each purpose is anchored to a specific legal basis under GDPR Article 6 and, where applicable, KVKK Article 5.
| Activity | GDPR basis | KVKK basis |
|---|---|---|
| IP-hash rate limiting | Art. 6(1)(f) — Legitimate interest | Art. 5/2-f |
| WebSocket measurement | Art. 6(1)(b) — Contract performance | Art. 5/2-c |
| Public share page | Art. 6(1)(a) — Consent | Art. 5/1 — Explicit consent |
| Analytics cookies (if enabled) | Art. 6(1)(a) — Consent | Art. 5/1 |
| Strictly necessary cookies | Art. 6(1)(b) — Contract | Art. 5/2-c |
| Security logs | Art. 6(1)(f) — Legitimate interest | Art. 5/2-f |
| Response to authorities | Art. 6(1)(c) — Legal obligation | Art. 5/2-ç |
For processing based on legitimate interest we have performed a balancing test. Because we minimise collection (hashing, short retention, no identity linkage), our interest in a functional and abuse-free service does not override your rights and freedoms.
6. Retention Periods
We store data no longer than necessary. Automated deletion (cron and Redis TTL) runs daily.
| Data | Retention | Removal mechanism |
|---|---|---|
| IP hash (rate limit) | 30 days | Redis TTL + daily cron |
| User-Agent hash | 30 days | Redis TTL |
| Nginx access logs | 30 days | logrotate |
| Shared test result | Until you remove it | On request, immediately |
| Un-shared result | Never persisted | Stays only in your browser |
| Sentry error events | 90 days | Sentry retention |
| Security / audit logs | 90 days | Automated cron |
| Support e-mails | 12 months after case closure | Manual purge |
Where a dispute or investigation arises, retention may be extended solely for that matter and the extension is recorded.
7. Recipients
We do not sell, rent or trade personal data with advertisers. A limited set of processors supports the operation:
- Contabo GmbH (Germany) — Physical hosting, servers located in Nuremberg / Frankfurt (EU territory). Processor under GDPR Article 28.
- Cloudflare, Inc. (US-headquartered, global edge) — CDN, WAF, DDoS protection. Data transferred to Cloudflare is protected by Standard Contractual Clauses and by our own upstream masking of IP before persistence.
- Sentry (self-hosted or EU region) — Error diagnostics. Reports may include hashed IP and browser version; they never contain names, e-mails, or form input.
- Plausible Analytics (EU — Germany, cookieless) — Aggregate visitor statistics. No individual tracking, no fingerprinting.
- Public authorities — Only on a lawful order, and only to the minimum extent required, after review by legal counsel.
8. International Transfers
Our servers reside in the European Union (Germany). Because Cloudflare operates a global edge, some request packets may transit non-EU nodes momentarily; this is covered by GDPR Article 46 Standard Contractual Clauses together with additional technical measures (encryption in transit, hashing before persistence).
Where transfers implicate Türkiye, KVKK Article 9 permits them either under the recognised exemptions or under explicit consent. Because we render IP data non-identifying before it leaves the primary EU perimeter, the strictest cross-border requirements do not apply, but our contractual safeguards remain in place.
9. Cookies and Similar Technologies
A complete listing of the cookies we use — names, purpose, duration, third parties, and opt-out steps — is available in the Cookie Policy. Our general approach:
- Strictly necessary (language, CSRF token, session): no consent required; technically indispensable.
- Analytics: Plausible is cookieless by design. Any additional cookie-based analytics is loaded only after explicit consent.
- Advertising / profiling: we do not use any.
10. Your Rights
Under GDPR Articles 15–22 and KVKK Article 11 you have the right to:
- Be informed whether we process your data.
- Access the data we hold about you.
- Learn the purpose of the processing and whether it matches that purpose.
- Know the recipients, including cross-border ones.
- Have inaccurate data rectified.
- Erasure ("right to be forgotten") once the conditions of GDPR Art. 17 / KVKK Art. 7 are met.
- Restriction of processing while a dispute or verification is pending.
- Object to processing that relies on legitimate interest.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time, effective going forward, without affecting past lawful processing.
- Compensation for damage suffered as a result of unlawful processing.
- Not be subject to a decision based solely on automated processing with significant effects on you.
Send requests to [email protected] or use our Data Request Form. We respond within 30 days (extendable by two further months for complex requests, as permitted by GDPR Art. 12(3); KVKK's 30-day limit applies for Türkiye residents). Responses are free of charge; excessive or manifestly unfounded requests may attract a reasonable fee.
Because we hash IPs irreversibly, we cannot always link a hash back to your identity. To help us find the right record we may ask for supporting information (share link, creation date).
11. Security Measures
Key technical and organisational safeguards include:
- Irreversible SHA-256 hashing of IP and User-Agent with a server-side salt held in an environment variable outside the code repository and outside log output.
- TLS 1.3 required, HSTS enabled, Content Security Policy to reduce XSS risk.
- Rate limiting to counter brute-force and scraping.
- Argon2id password hashing and TOTP-based 2FA for administrative accounts.
- MySQL access restricted to a local socket under a dedicated user; no wildcard host access.
- Automated deletion jobs (cron + Redis TTL).
- Log separation: application logs, access logs and security audit logs are kept in distinct locations; the salt never appears in any log.
Security controls are reviewed periodically and adjusted in response to the threat landscape.
12. Users Under 13
Gameping is not directed to children under 13 and we do not knowingly collect their data. If a parent or guardian believes that a child under 13 has provided us with personal data, please contact [email protected] and we will delete the relevant information promptly.
13. Automated Decision-Making
We do not carry out any solely-automated decision-making that produces legal or similarly significant effects concerning you. Rate limiting is a technical measure and does not create a profile.
14. Changes to This Policy
We may update this policy as the service evolves or the law changes. The updated version applies from the moment it is published; for material changes we display a banner on the home page for 30 days. The last updated field at the top of this page always reflects the current version.
15. Right to Lodge a Complaint
You may complain to a supervisory authority. Under GDPR you can contact the authority of your habitual residence, place of work or place of alleged infringement — for example the German BfDI (https://www.bfdi.bund.de) or your national DPA. Under KVKK, complaints go to the Personal Data Protection Board (https://www.kvkk.gov.tr) after you first apply to us and receive an unsatisfactory or no response within 30 days.
16. Contact
- Privacy / data protection: [email protected]
- Legal notices: [email protected]
- General: [email protected]
This policy is written in English; the Turkish version is available at /tr/gizlilik-politikasi. In the event of any inconsistency between the two, the Turkish version prevails for Turkish residents and this English version prevails for all other jurisdictions.