1. Who We Are
Road to Headliner is an online multiplayer band management game operated by an independent developer based in Slovakia, European Union. We are the data controller for the personal data processed through this service under Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"). Our game servers and database are hosted by Hetzner Cloud in Falkenstein, Germany (EU). For all privacy inquiries, data subject requests, or complaints, contact us at [email protected].
2. What Data We Collect
- Account data: email address, display name, hashed password
- Preference data: language, timezone
- Technical data: IP address, user agent (browser), session identifiers
- Game data: band name, game actions, statistics, season scores
- Communication data: direct messages, forum posts (user-generated content)
- Security data: authentication attempts, multi-account detection signals
3. How We Use Your Data
- Providing and operating the game service
- Security, anti-cheat, and fraud prevention
- Cookieless product analytics via PostHog EU cloud (memory-only, no cookies or localStorage)
- Transactional emails (verification codes, password resets, security warnings) sent through our self-hosted mail server
4. Legal Bases for Processing (GDPR)
- Contract performance (Art. 6(1)(b)): Account management, game data, communications
- Legitimate interest (Art. 6(1)(f)): Security monitoring, anti-cheat, analytics
- Consent (Art. 6(1)(a)): Only if specific future features require it
5. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR). The following retention periods are enforced automatically via daily scheduled cleanup:
- Active accounts: data retained while your account exists and is active
- Authentication attempts: automatically deleted after 90 days
- Sessions: maximum 30 days, expired sessions cleaned daily
- Request and security logs: automatically pruned after 90 days
- Admin audit logs: retained for 1 year for regulatory compliance, then deleted
- Notifications: read notifications deleted after 90 days, unread after 180 days
- Security alerts: resolved alerts deleted after 180 days, open alerts deleted after 365 days
- Game system logs: deleted after 30 days. Calculation traces and RNG audit records: deleted after 90 days
- Direct messages: read messages deleted after 180 days, unread messages deleted after 365 days
- Player action logs: deleted after 30 days
- State snapshots and weekly snapshots: deleted after 365 days
- Player reports: resolved or dismissed reports deleted after 180 days
- Expired or used verification and password reset tokens: deleted after 7 days
- Deleted accounts: personal data anonymized immediately upon account deletion. Game records (band standings, chart history) are preserved in pseudonymized form for competitive integrity
- Backups: personal data may persist in encrypted backups for up to 30 days post-deletion. Backups are encrypted at rest, access-controlled, and automatically purged within the retention window. This is an accepted limitation disclosed under Recital 65 GDPR
6. Your Rights
Under the GDPR (Articles 15-22), you have the following rights regarding your personal data. To exercise any of these rights, email [email protected] with the subject line "Data Subject Request" and specify the right you wish to exercise. We will verify your identity before processing your request. We will respond within 30 days (Art. 12(3) GDPR), extendable by a further 60 days for complex requests, in which case we will inform you of the extension within the initial 30-day period.
- Right of Access (Art. 15): Request a copy of all personal data we hold about you. You can also download your data in machine-readable JSON format at any time via Settings > Export Data, or by sending a GET request to /api/v1/auth/data-export while logged in. The export includes account data, game data, messages, forum posts, and transaction history.
- Right to Erasure (Art. 17): Request permanent deletion of your account and anonymization of all personal data. You can do this yourself at any time via Settings > Delete Account (requires password confirmation). Your personal data is anonymized immediately. Game records (band standings, chart entries) are preserved in pseudonymized form for competitive integrity. Please note: anonymized data may persist in encrypted backups for up to 30 days.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data. You can update your profile information through your account settings. For data that cannot be changed through the UI (such as your email address), contact [email protected].
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON). Use the data export feature described above, or request a copy via email.
- Right to Object (Art. 21): Object to processing based on our legitimate interest (Art. 6(1)(f)), including anti-cheat profiling and security monitoring. Email [email protected] with the specific processing you object to. We will cease the processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to Restriction (Art. 18): Request temporary limitation of processing while we verify the accuracy of your data, assess your objection, or establish whether our legitimate grounds override yours. During restriction, we will store but not actively process the relevant data. Email [email protected] to request restriction.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Currently, all processing is based on contract performance or legitimate interest, not consent.
- Right to Lodge a Complaint (Art. 77): You have the right to file a complaint with a supervisory authority. The competent authority for our operations is the Urad na ochranu osobnych udajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic), Hranicna 12, 820 07 Bratislava, Slovakia (https://dataprotection.gov.sk). You may also contact the supervisory authority in the EU Member State of your habitual residence or place of work.
7. Data Sharing & Sub-Processors
We use the following sub-processors to operate this service. Each sub-processor is engaged under a Data Processing Agreement (Art. 28 GDPR) and processes only the data strictly necessary for its purpose:
- Hetzner Cloud (Hetzner Online GmbH, Germany): Infrastructure hosting and encrypted backup storage. Data categories: all database contents (account data, game data, communications). Location: Falkenstein datacenter, Germany -- no international transfer. DPA: Hetzner standard DPA per Art. 28 GDPR (https://docs.hetzner.com/general/general-terms-and-conditions/data-privacy-faq/).
- Cloudflare (Cloudflare, Inc., US with EU edge nodes): CDN, DDoS protection, and web application firewall. Data categories: IP addresses, HTTP request headers, request URLs. Transfer mechanism: EU-US Data Privacy Framework (DPF, Art. 45 adequacy decision) and Standard Contractual Clauses (SCCs, Module 2: Controller-to-Processor, Art. 46(2)(c)). DPA: Cloudflare Customer DPA (https://www.cloudflare.com/cloudflare-customer-dpa/).
- Transactional email delivery: verification emails, password resets, and security notices are currently sent through our self-hosted SMTP/Postfix server on the same Hetzner-hosted infrastructure as the application. Email addresses and display names are processed only for message delivery.
- PostHog Cloud (EU region): Product analytics and public-site CTA analytics. Data categories: pseudonymous user IDs, band IDs, season IDs, page paths, and explicit event properties. Client storage is disabled (`persistence: memory`), so no analytics cookies or localStorage identifiers are created by PostHog in the browser. DPA: https://posthog.com/dpa.
We do not sell, rent, trade, or share your personal data with any third parties for marketing, advertising, or profiling purposes. Data is shared only with the sub-processors listed above, solely for the purposes described.
8. International Data Transfers
Your data is primarily stored in Germany (Hetzner Cloud, Falkenstein datacenter). Cloudflare processes HTTP request data at EU edge nodes; for any non-EU processing, Cloudflare participates in the EU-US Data Privacy Framework (DPF, Art. 45 adequacy decision) and provides Standard Contractual Clauses (SCCs, Module 2, Art. 46(2)(c)) as a supplementary safeguard. Product analytics are processed through PostHog's EU cloud region in cookieless memory mode. Transactional email delivery currently uses our self-hosted SMTP/Postfix server on the Hetzner-hosted infrastructure, so no separate third-country email processor is active in production. All data in transit is encrypted via TLS 1.2+. No personal data is transferred to countries without an EU adequacy decision or appropriate safeguards (Art. 46 GDPR).
9. Security Measures
- Encryption in transit (TLS 1.2+)
- Passwords hashed with Argon2id (industry-leading algorithm)
- HttpOnly session cookies with CSRF protection
- Role-based access controls and comprehensive audit logging
10. Cookies & Local Storage
We use only strictly necessary and functional cookies as defined under the ePrivacy Directive (Art. 5(3), Directive 2002/58/EC). No consent is required for these cookies because they are essential for providing the service you have requested. We do not use any tracking, advertising, or third-party analytics cookies:
- access_token (httpOnly, Secure, SameSite=Strict, 1 hour): Authentication session cookie. Strictly necessary for maintaining your login session.
- refresh_token (httpOnly, Secure, SameSite=Strict, 30 days): Session refresh cookie. Strictly necessary for seamless re-authentication.
- rth-lang (functional): Stores your language preference. Functional cookie exempt under ePrivacy Art. 5(3) as it is necessary for providing the service in your chosen language.
- __cf_bm (Cloudflare, third-party, session duration): Bot management cookie. Strictly necessary for DDoS protection and security.
- Analytics: We use PostHog in memory-only mode for product and public-site analytics. PostHog does not set analytics cookies or localStorage identifiers in the browser in this configuration.
- Local storage: We store non-personal UI preferences (cookie notice dismissal, tutorial progress, UI hints) in your browser's local storage. These contain no personal data.
11. Children's Privacy & Age Verification
Road to Headliner requires users to be at least 16 years of age, in compliance with GDPR Art. 8 (conditions applicable to a child's consent in relation to information society services). During registration, all users must confirm that they are at least 16 years old by checking a mandatory age confirmation checkbox. This confirmation is recorded as auditable evidence. We do not knowingly collect or process personal data from children under 16. If we become aware that a user is under 16, we will promptly delete their account and all associated personal data. If you believe a person under 16 has created an account, please contact us at [email protected].
12. Anti-Cheat & Automated Profiling
To maintain fair play, we use automated IP-based correlation to detect potential multi-account usage. This system compares IP addresses and login patterns across accounts. Detection alerts are reviewed by a human administrator before any action is taken -- no account is automatically banned or penalized based solely on automated detection. This processing is based on our legitimate interest in maintaining game integrity (Art. 6(1)(f) GDPR). You may object to this processing by contacting [email protected].
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR). If the breach is likely to result in a high risk to you, we will also notify you without undue delay via email or in-game notification (Art. 34 GDPR).
14. Data Protection Officer & Supervisory Authority
As a small-scale data controller that does not carry out large-scale processing of special categories of data or large-scale systematic monitoring, we are exempt from the obligation to appoint a Data Protection Officer under Art. 37(1) GDPR. For all privacy inquiries, data subject requests, or complaints, contact us directly at [email protected]. The competent supervisory authority for this service is the Urad na ochranu osobnych udajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic), Hranicna 12, 820 07 Bratislava, Slovakia, website: https://dataprotection.gov.sk. You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work (Art. 77 GDPR).
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via in-game notification or email. Continued use of the service after changes constitutes acceptance of the updated policy.
16. Contact
For privacy inquiries, data subject access requests (SAR), data deletion requests, rectification requests, or complaints, contact us at [email protected]. Please include "Data Subject Request" in the subject line for faster processing. We aim to acknowledge receipt within 5 business days and to respond substantively to all data subject requests within 30 days of receipt (Art. 12(3) GDPR). If a request is complex or we receive a high volume, we may extend the response period by up to 60 days, in which case we will inform you within the initial 30-day period.