// PRIVACY POLICY

Privacy Policy

Last updated: April 17, 2026

simulated.be is a free, anonymous poll with one question and no accounts. This document explains what happens to the small amount of data that flows through the site, why, and what rights you have over it. We've tried to write it in plain English. If anything's unclear, reach out — our contact is at the bottom.

Who we are

simulated.be is operated as a personal side project, not a registered company. The site is built and maintained independently.

Contact: privacy@simulated.be

What data we process

An important distinction: “process” means we handle data momentarily; “store” means we keep it. We process very little and store almost nothing identifiable.

Your IP address

Used only at the moment your request arrives, to determine a 2-letter country code (e.g., “RO” for Romania) so your vote colors the correct country on the map. Your actual IP is never stored in plain form in our systems — only a short-lived, irreversible SHA-256 hash is kept for up to 60 seconds for rate limiting (see below). The IP itself is never logged or sent to third parties by us. Our hosting provider (Vercel) may maintain its own infrastructure logs per their privacy policy.

Your vote choice

Stored in your browser's localStorage only — never sent to us associated with any identifier. The key is sv:vote:v1and it contains your chosen option (yes, no, maybe, or I don't know) and a timestamp.

Aggregated counters

We store sums per country and per option (e.g., “Romania: 892 Yes votes”). These are not personal data — they don't identify any individual.

Rate-limit tokens

A SHA-256 hash of your IP address combined with a secret salt, used only to throttle spam. The hash is stored in Redis for up to 60 seconds (the rate-limit window) and auto-expires. Your actual IP address is never stored in Redis.

Why we process it (legal basis)

IP → country resolution at edge: Legitimate interest (GDPR Article 6(1)(f)). Providing the geographic feature the user expects, with no storage, means minimal privacy impact.
Rate limiting: Legitimate interest. Fraud and abuse prevention is explicitly named in GDPR Recital 47.
Advertising cookies: Consent (GDPR Article 6(1)(a)), obtained via the consent banner before any tracking cookie is set.

What we don't do

Store your IP address in identifiable form — only a short-lived, irreversible SHA-256 hash is kept for rate limiting (up to 60 seconds). We do not collect or store names, emails, phone numbers, physical addresses, device IDs, or any other personally identifiable information.
Use cookies for analytics, authentication, tracking, or any purpose of our own — localStorage for your vote is the only first-party storage.
Require accounts, signups, or logins.
Sell any data. There is no data to sell.
Transfer personal data internationally — because we don't have personal data to transfer.
Profile users or serve them personalized content based on behavior.
Use Google Analytics or any cookie-based analytics.

Cookies and tracking

Our site itself uses no cookies. First-party localStorage is used only to remember your vote.

If you see ads, those are served by Google AdSense via their consent management platform. Ads may drop cookies with your consent. See our Cookie Policy for a full breakdown.

Third parties we work with

Vercel (hosting) — privacy policy
Upstash (Redis for aggregated counters) — privacy policy
Google AdSense (advertising) — ad technology, privacy policy

No advertising happens without your consent in the EU/EEA/UK/Switzerland.

Your rights under GDPR and CCPA

Under GDPR, you have the right to access, rectification, erasure, restriction, portability, objection, and withdrawing consent at any time.

Practical caveat:since we don't store personal data about you, most of these rights are trivially satisfied — there's nothing to access, rectify, or erase. Clearing your browser's localStoragefor this site deletes everything we have that's associated with you.

For California residents: we do not sell or share personal information as defined under the California Consumer Privacy Act (CCPA).

To exercise any rights, email privacy@simulated.be.

International transfers

Upstash hosts data in AWS regions you did not select, and Vercel operates globally. However, no personal data crosses borders because we don't have personal data to transfer. The aggregated counters stored in Redis are not personal data under any jurisdiction.

Data retention

Aggregated vote counters: indefinite (non-personal data).
Rate-limit tokens: up to 60-second TTL, auto-deleted.
localStorage: controlled by you, cleared whenever you clear browser data.
There is no user-level data to retain or delete anywhere.

Children

This site is not directed at children under 13 (or 16 in the EU). Voting is voluntary and anonymous; we don't knowingly collect data from children.

Changes to this policy

We'll update the “Last updated” date when we change anything meaningful. The current policy is effective as of the last updated date shown at the top of this page.

Contact

Email: privacy@simulated.be

You can also reach out about anything else from the About page.