Privacy Policy

Effective 5 May 2026


Who runs this site

Music Monsters Online is a small browser-based music game operated by an individual developer. Contact: quintupleagames@gmail.com.

What we store about you

If you create an account we keep one row in our database containing:

  • A user id and your chosen username.
  • For username/password accounts: a bcrypt hash of your password. We never see or store your raw password.
  • For accounts created via “Continue with Google”: your Google account id (an opaque numeric string Google calls sub) and the email address Google returned. We do not request or receive any other data from Google.
  • The timestamps of when your account was created and last used.

Cookies

We use two cookies, both HttpOnly:

  • mmo_token — a signed session token kept for 30 days so you stay logged in. Contains only your user id and username.
  • mmo_g_state — set only during a Google sign-in attempt and removed within 10 minutes. Used to confirm the OAuth round-trip wasn’t tampered with.

We do not use any analytics, advertising, or tracking cookies.

Game data you create

Monsters you build, banks you save, and other gameplay artefacts are stored either in your own browser (localStorage) or on our server tied to your account id. None of it is shared with anyone outside this site.

Interaction between users

Music Monsters Online does not include free-form messaging. The only ways players can interact with one another are:

  • Playing music together — the notes you play are heard by other players in the same zone.
  • A small fixed set of pre-defined in-game emotes.

There is no private messaging, no chat box, no voice chat, no image upload, no profile bio, and no way to share contact details through the game. This is a deliberate design choice: the game provides no channel that could be used to send personal messages to, or solicit information from, another user.

Third parties

  • Google — only when you click “Continue with Google.” Google’s own privacy policy applies to that interaction. We exchange the resulting code for the email and account id described above and store nothing else.
  • Hetzner Online GmbH hosts the server and receives standard request data (IP address, time, URL) at the network level. We do not log this beyond what is needed to rate-limit abusive clients (kept in memory, discarded on restart).

No other third parties receive your data.

How long we keep it

Your account row is kept until you ask us to delete it. Email the address above and we will remove it within a few days.

Security

Passwords are stored as bcrypt hashes. Session tokens are signed with a secret kept on the server and never sent to JavaScript. All traffic is served over HTTPS.

Children

The game itself — making music, building little monsters, and the emote-only interaction described above — is intended to be enjoyable and appropriate for a wide age range, including young children.

That said, account creation involves a username and (for Google sign-ins) an email address, so accounts for children under 13 should be created and managed by a parent or guardian. If you believe an account was created by a child without a parent’s involvement, contact us at the address above and we will remove it.

Changes

If we change how we handle data we will update this page and bump the effective date at the top.