Privacy Policy
Effective Date: May 28, 2026
Highest Five, Inc. ("Highest Five," "we," "us," or "our") operates Nutter Words at nutterwords.com (the "Site"). This Privacy Policy explains what information we collect, how we use it, and the choices you have.
We try to collect as little as possible. Plain-English summary up front: we store a per-browser identifier so we can remember your puzzle progress without an account, we record anonymous gameplay events so we can understand what's working, and if you give us your email or feedback, we hold onto those for the purposes described below.
1. Information We Collect
Information you provide
- Email address, if you sign up for our launch announcement list
- Feedback, if you submit a comment about a puzzle through our feedback form
- The puzzle code or identifier, when you submit feedback (so we know which puzzle the feedback refers to)
- User Content, if you submit puzzles or other creative content to Nutter Words in the future (the term "User Content" is defined in our Terms of Service). Any personal information you choose to include in such submissions (for example, a name you want credited) will be governed by this Policy. Submitted content is reviewed internally before being made public, and accepted content may be retained indefinitely as part of our product.
Information collected automatically
- A device identifier (device_id), generated locally in your browser and stored in your browser's localStorage. It's a random string. We use it to associate your gameplay events and puzzle progress with your browser without requiring you to create an account.
- Gameplay analytics events — for example: which puzzles you play, when you start, finish, or get stumped, how many hints you use, votes you cast on "coming soon" Nutcases, and similar actions. These events are tied to your device_id, not to your name or email.
- Server logs from our hosting provider, which may include IP addresses, browser type, and timestamps. We use these for security, abuse prevention, and operational diagnostics.
We do not use third-party advertising cookies or cross-site tracking on the Site.
2. How We Use Your Information
We use the information we collect to:
- Provide and improve the game (e.g., remember your progress within Nutcases, understand which puzzles are working)
- Send you launch announcements and product updates, if you signed up for them
- Respond to feedback you submit
- Maintain the security and operation of the Site
- Comply with our legal obligations
We do not sell your personal information.
3. Local Storage and Cookies
We use your browser's localStorage to store:
- Your device_id
- Your progress within Nutcases (which puzzles you've finished, in what state)
- Local preferences
You can clear localStorage at any time through your browser's settings. If you do, your puzzle progress on this device will reset.
Cookies. We and our service providers use a small number of cookies that are strictly necessary to operate the Site (for example, security and load-balancing cookies set by our hosting provider). We do not use advertising or cross-site tracking cookies, and we do not currently use first-party analytics cookies. You can control cookies through your browser; blocking strictly-necessary cookies may break parts of the Site.
4. Do Not Track Signals
Some web browsers offer a "Do Not Track" ("DNT") signal that lets users indicate a preference not to be tracked across websites. There is no common industry standard for how websites should respond to DNT signals, so our Site does not currently respond to them. We treat all visitors consistently regardless of DNT setting. If a standard emerges, we will update this Policy.
5. Service Providers
We share information with the following service providers, who are contractually bound to use the information only as needed to support our operations:
- Supabase — hosts our database and stores analytics events, feedback, and email signups
- Vercel — hosts the Site
- MailerLite — sends our launch announcement and product update emails
Each of these providers may use their own subprocessors to deliver their services. Current subprocessor lists are available from each provider on request or via their public documentation.
We may add additional analytics or error-monitoring services in the future. If we do, we'll update this policy.
6. Children's Privacy
Nutter Words is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@nutterwords.com and we will delete it. Users in the European Economic Area or the United Kingdom must be at least 16, or have parental/guardian consent if local law allows.
7. Your Rights
Depending on where you live, you may have rights regarding your personal information. To the extent the law gives you these rights, you can:
- Access — ask what personal information we have about you
- Correct — ask us to correct inaccurate information
- Delete — ask us to delete your personal information
- Opt out of marketing — unsubscribe at any time using the link in any email, or by emailing us
To exercise these rights, email us at privacy@nutterwords.com. We will respond to verifiable requests as required by applicable law (generally within 45 days under California law, or within one month under GDPR/UK GDPR), and may extend the response period where permitted by law if we let you know why. We may need to verify your identity before fulfilling a request.
California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you specific rights, including the right to know what personal information we collect, the right to delete personal information, the right to correct inaccurate information, and the right to opt out of the "sale" or "sharing" of personal information. As noted above, we do not sell or share personal information as those terms are defined under California law. To exercise any of these rights, contact us at privacy@nutterwords.com. We will not discriminate against you for exercising any of your privacy rights.
Categories of personal information we collect (as defined by Cal. Civ. Code § 1798.140):
- Identifiers — your device_id, email address (if you provide one), and IP addresses captured in server logs
- Internet or other electronic network activity information — gameplay events, votes, hint usage, and browsing activity within the Site
- Inferences drawn from the above — we derive aggregate patterns from gameplay events to understand which puzzles are working, but we do not build individual user profiles
In the past 12 months we have collected the categories listed above and have not "sold" or "shared" any personal information as those terms are defined under California law.
Other U.S. state privacy laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, or another U.S. state with a comprehensive consumer privacy law that applies to us, you may have the following rights, depending on your state of residence and the categories of personal information involved:
- Right to know / access — confirm whether we process your personal information and access that information
- Right to correct — request correction of inaccurate personal information
- Right to delete — request deletion of your personal information
- Right to data portability — receive a copy of your personal information in a portable format
- Right to opt out of (i) the sale of personal information, (ii) targeted advertising, and (iii) certain profiling. As noted above, we do not sell personal information, do not engage in targeted advertising, and do not conduct profiling that produces legal or similarly significant effects
To exercise these rights, email privacy@nutterwords.com.
Appeal of denied requests. If we deny your request, you may appeal our decision by replying to our response or emailing privacy@nutterwords.com with the subject line "Privacy Appeal." We will respond to your appeal within 60 days (or as otherwise required by your state's law). If your appeal is denied, you may contact your state Attorney General to submit a complaint.
Authorized agents. You may designate an authorized agent to make a request on your behalf. We may require your authorized agent to provide proof of authorization, and we may also require you to verify your identity directly.
EU / UK residents (GDPR)
If you are in the European Economic Area or the United Kingdom, you have rights under the GDPR / UK GDPR, including the rights of access, rectification, erasure, restriction of processing, data portability, and the right to object. The legal bases on which we process personal data are:
- Consent — for marketing emails
- Legitimate interest — for analytics, security, and operating the Site
- Legal obligation — where applicable
You may also lodge a complaint with your local data protection authority. Highest Five, Inc. is the data controller responsible for your personal data.
8. Data Retention
- Email addresses — kept while you remain subscribed; deleted within 30 days of unsubscribe
- Feedback — kept indefinitely as part of our product improvement process, but you can request deletion
- User Content accepted into the product — kept indefinitely. Personal details associated with accepted submissions (such as a credit byline) are retained for as long as the content is in use, unless you request removal of the credit
- User Content that is not accepted — retained only during the internal review period (typically up to 90 days) and may be deleted at our discretion thereafter
- Analytics events — kept indefinitely, but associated only with a device_id, not with your identity
- Server logs — retained according to our hosting provider's policies, typically 30 to 90 days
9. Security
We take reasonable administrative, technical, and physical measures to protect your information against unauthorized access, alteration, or destruction. No system is 100% secure, however, and we cannot guarantee absolute security.
10. International Transfers
We are based in California, United States. If you access the Site from the European Economic Area, the United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States or other countries that may not provide the same level of data protection as your home jurisdiction. Where required, such transfers are protected by appropriate safeguards, including the European Commission's Standard Contractual Clauses (or the UK International Data Transfer Addendum, where applicable) entered into with our service providers, or transfers to recipients certified under the EU-U.S. Data Privacy Framework. You may request a copy of the safeguards used by emailing privacy@nutterwords.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date above and, where appropriate, post a notice on the Site or notify you by email if you've given it to us.
12. Contact
Questions about this Privacy Policy or your data? Email us at privacy@nutterwords.com, or write to us at:
Highest Five, Inc.
Attn: Privacy
2041 East St Unit 1541
Concord, CA 94520