Legal center

Privacy policy

How the Hanami website, Hanami Bot, osu!guessr, Companion prototype, and Map Analyzer process information.

Effective date
July 18, 2026
Last updated
July 18, 2026

1. Who operates Hanami

Hanami is an independent community project operated by Yorunoken from Türkiye. In this policy, “Hanami”, “we”, “us”, and “the operator” refer to the operator of the hosted Hanami services described below.

The operator is based in Türkiye. Hanami-controlled production infrastructure is hosted in Germany, so the operator’s location and the location of the servers are not the same.

Privacy and personal-data requests can be sent to [email protected]. The Discord community server is not an official privacy-request channel. Do not send passwords, session cookies, OAuth tokens, API keys, or backup codes.

2. Services covered

This policy is intended to cover the Hanami ecosystem operated by the controller: this website and account area, Hanami Bot on Discord, the separately hosted osu!guessr service, and networked features in the public Hanami Companion prototype.

Map Analyzer 0.2.9 is a separately distributed Rust library. The published crate parses local files and has no network client dependency or command-line binary. Broader CLI and dataset work exists only in an unpublished development worktree. Companion is public source but remains unreleased: local tracking and Hanami authentication are implemented, while play upload is unavailable because Hanami Web does not expose a production ingestion endpoint.

3. Data processed

Hanami website and Discord sign-in

  • Discord account ID, display name, avatar URL, provider scope, and an email address when Discord supplies one. For a phone-only Discord account, Hanami stores a stable non-deliverable address under the reserved .invalid domain required by the authentication schema; it is not treated as verified contact information or used for mail.
  • OAuth account records, which may include Discord access or refresh tokens when Better Auth receives them.
  • Web session token, session dates, IP address, and user-agent string stored by Better Auth.
  • Short-lived OAuth verification values used to complete authentication safely.
  • Bot-issued account links store the Discord ID, supplied name and avatar snapshot, a SHA-256 ticket hash, and creation, expiry, consumption, or invalidation dates. The URL token itself is not stored.
  • Ordinary request metadata processed by Cloudflare in front of the public sites, including IP address, request and device information, and security signals described in Cloudflare’s privacy policy.

osu! linking and public profile lookup

  • The osu! user ID returned by the osu! identify scope is stored against the Discord ID in the bot database.
  • The link-status page requests public osu! username, avatar URL, and global rank for display. Those public profile fields are not written by that route.
  • The one-time osu! authorization token is used to call /api/v2/me; the audited callback does not persist that token in Hanami’s bot database.
  • osu! authorization state is stored as a SHA-256 hash bound to the Hanami user and browser session, with creation, expiry, and consumption dates.

Immediate account deletion

  • A signed-in user may delete the website account and Discord-keyed Hanami Bot user data after a Discord sign-in from approximately the last 15 minutes and deliberate typed confirmation.
  • A short-lived reauthentication challenge stores the Hanami user ID, a SHA-256 hash of a random challenge token, creation and expiry dates, and reauthentication and consumption dates. OAuth tokens and session cookies are not stored in that record.
  • Successful deletion removes the Better Auth user, provider link and sessions, then removes the Hanami Bot user row keyed to the same Discord account. Separate osu!guessr profiles are not deleted by this action.

Hanami Bot

  • Discord user ID, linked osu! ID, and bot preferences: default game mode, score source, embed size, and embed style.
  • Discord guild ID, guild name, owner ID, join time, and custom command prefixes.
  • Cached beatmap and score records, including osu! user and map IDs, game mode, mods, score, accuracy, combo, grade, hit counts, state, completion time, and performance points where used by bot features.
  • Aggregate command counters keyed by command and invocation type. These database counters are not keyed to a user.
  • Operational log entries containing command name, Discord user ID and username, guild ID and name, timestamps, and error details.
  • On a prefix-command failure, message content and the user/guild/channel context may be sent to a configured private Discord error channel accessible to the operator and maintainers authorized to diagnose production errors.
  • Temporary Redis button state, including the initiating Discord user ID, with a one-hour code-defined lifetime; in-memory command cooldowns are shorter-lived.

osu!guessr

  • osu! user ID, username, and avatar URL received at sign-in, plus an authentication-session cookie.
  • Completed game records and derived statistics: mode, variant, points, streaks, totals, games played, achievements, and play times. Profiles and leaderboards make some of this information public.
  • Problem reports containing osu! user ID, mapset ID, report category, free-text description, status, and timestamps. Report content may also be sent to a configured Discord webhook.
  • API-key name, creation and last-used dates, and a SHA-256 hash of the key. The raw key is returned once to the user.
  • One-hour Redis game state containing the osu! user ID, current item, guesses, correctness, points, streaks, timing, and game progress; short Redis locks and rate-limit counters are also used.
  • Browser preferences in local storage, locale in local storage and a cookie, game-session identifiers in session storage, and theme storage supplied by next-themes.
  • Production pages load self-hosted Umami for aggregate analytics. Umami is configured to operate without analytics cookies. Request and device information may be processed to derive aggregate session and location metrics; raw IP addresses are not intended to be stored by the analytics service.

Hanami Companion prototype

  • Selected beatmap, live gameplay, and attempt-state information received from a local tosu instance. Recent attempts are retained in memory for the current application session and are not written to a Companion database.
  • Hanami sign-in opens the system browser and uses Authorization Code with PKCE through a temporary loopback listener. The access token remains in Rust memory and the refresh token is stored in the operating system credential store.
  • Authorization codes, PKCE verifiers, and tokens are not exposed to the React interface or written to Companion application files. Play upload is currently unavailable and no attempt is reported as successfully submitted.

Technical requests and external media

Account pages may load avatar images from Discord or osu! hosts. Those providers receive ordinary web-request data such as IP address, user agent, requested URL, and timing when the browser contacts them.

4. Purposes and legal bases

PurposeLegal basis
Authenticate users, keep sessions, link accounts, run games, answer commands, and save requested settings.Performance of a contract or steps requested by the user.
Prevent abuse, secure OAuth flows, rate-limit actions, diagnose failures, and maintain availability.Legitimate interests in operating and protecting the services.
Verify immediate account deletion and handle other privacy requests.Compliance with applicable legal obligations and legitimate interests in accurate, secure request handling.
Measure aggregate osu!guessr usage and service reliability.Legitimate interests in understanding and maintaining the service, subject to applicable law.
Meet binding legal obligations and respond to valid legal process.Compliance with legal obligations.

5. Third parties and international processing

Data is transmitted as needed to Discord for sign-in, bot operation, webhooks, and error reporting; to osu! for sign-in and API lookups; and to Cloudflare as the public sites’ proxy and network provider. Hanami-controlled application, database, Redis, and self-hosted Umami infrastructure is hosted in Germany.

The operator manages the services from Türkiye while Hanami-controlled production data is processed on infrastructure in Germany. Processing may also cross other national borders because Discord, osu!, and some service providers operate internationally. Third-party handling is governed by each provider’s own terms, privacy notice, and applicable transfer mechanisms. The public repositories do not establish the physical location of every provider request or the operator’s production-access roster.

See the providers’ own notices, including Discord’s privacy policy, osu!’s privacy policy, and Cloudflare’s privacy policy. Those notices do not replace Hanami’s responsibilities for its own processing.

6. Retention

  • Hanami web’s default Better Auth session lifetime is approximately seven days. Database session and OAuth verification records include expiry dates.
  • Bot file logging keeps at most 30 .log files in the configured directory and removes older named files when a new log file is selected. No repository-backed retention period was found for container, host, Cloudflare, Discord error-channel, or other operational logs.
  • Bot pagination state is configured for one hour. osu!guessr game state and item sets are configured for one hour; report rate limits for ten minutes; and API-key rate-limit counters for their code-defined window.
  • osu!guessr’s Auth.js session default is approximately 30 days. Its locale cookie is configured for about one year. Local-storage values remain until the user clears them or application code changes them; session storage normally lasts for the browser-tab session.
  • Companion recent-attempt data remains in memory until the application exits. Its stored refresh token remains in the operating system credential store until sign-out, token rejection, or removal through the operating system.
  • Account, provider-link, preference, guild, completed-game, report, and API-key metadata remain while the related account or feature is active, until the user deletes or revokes them where a control exists, or until Hanami no longer needs them for the service, security, or a legal obligation. Cached scores and maps are refreshed or overwritten as the services operate. The source does not define a general automatic deletion schedule for these database rows. The analytics service applies its configured retention settings.
  • Short-lived account-deletion reauthentication challenges expire after approximately 15 minutes.
  • Bot-issued account links expire after approximately five minutes; osu! authorization state expires after ten minutes.

7. Security

Hanami uses measures visible in the audited code, including HTTP-only same-site session cookies, hashed osu!guessr API keys, OAuth state or verification records, parameterized database queries, rate limits, and log redaction for common secret patterns. Application configuration expects secrets in environment variables, and the repositories instruct contributors not to commit production credentials. Repository inspection cannot verify every deployment control or guarantee absolute security.

8. Your choices and rights

Depending on where you live, you may be entitled to request access, correction, deletion, restriction, portability, or objection, and to withdraw consent where consent is used. This includes rights available under Türkiye’s Personal Data Protection Law and, where it applies, the GDPR. Hanami will respond without undue delay and normally within 30 days.

Signing out only ends a session. Disconnecting osu! only clears the Discord-to-osu! link. Signed-in users can immediately delete the website identity and Discord-keyed Hanami Bot account data from the account privacy area. Separate osu!guessr profiles and provider-side data are outside that action. See the data deletion page for details.

In-app deletion uses fresh Discord OAuth authentication bound to the signed-in Hanami user and a short-lived, single-use challenge. Users who cannot sign in or need deletion outside the immediate scope may email [email protected]. Public usernames or numeric provider IDs alone are not sufficient; proportionate additional verification may be required. Do not email government identity documents. Hanami will explain any additional information needed and normally respond within 30 days.

The privacy email is an operational contact channel. Under Türkiye’s formal KVKK application rules, an ordinary email qualifies only when it was previously provided to and recorded by the controller; the rules also permit written, KEP, secure-electronic-signature, mobile-signature, and purpose-built application routes. Formal KVKK applications must be made in Turkish and contain the information required by the applicable communiqué. Contact Hanami first if you need an appropriate formal route, and review the KVKK application procedure.

Some records may be anonymized rather than deleted, and justified security, abuse-prevention, or legal records may remain temporarily. No source-backed backup retention schedule was found. Discord and osu! independently control provider-side data, which must be managed through those providers.

9. Children and eligibility

You must be at least 13 and meet any higher minimum age imposed by the law or platform rules in your region. If you are old enough to use the services but not old enough to enter a binding agreement where you live, a parent or legal guardian must agree to these terms on your behalf. Hanami does not knowingly provide the services to anyone below the applicable minimum age.

10. Changes to this policy

Material changes will be posted on this page with a new effective date and, where appropriate, announced through the website or community server before they take effect. Changes required urgently for security or law may take effect sooner, with notice provided as soon as reasonably possible.

11. Contact and complaints

Privacy and personal-data requests: [email protected]. Hanami is operated from Türkiye and does not publish a separate postal office. The email can be used to obtain a suitable formal route; it does not replace the application methods required by law. You may also complain to the Turkish Personal Data Protection Authority or another data-protection authority available to you under applicable law.