Last updated 13 July 2026

Privacy and data retention

This page explains what Tactics With Tom stores, why it is used, and when it is removed.

Operator and lawful bases

The data controller and site operator is Tom, publishing as Tactics With Tom in the United Kingdom. Use the contact page for privacy questions and rights requests.

Depending on the purpose, information is handled to provide a service or take requested steps; for legitimate interests in securing, operating, measuring, moderating, and improving the site; with consent for optional analytics, advertising storage, and adaptation of submitted content; or to meet a legal obligation. Optional consent can be refused or withdrawn without losing essential site features.

Site and performance measurements

The site samples route timing, status, cache, and background-job measurements to diagnose reliability. Internal route metrics do not retain visitors’ raw IP addresses or full user-agent strings. Operational aggregates are kept only for the configured short retention period.

Google Analytics is optional and is not loaded unless a measurement ID is configured and the visitor chooses “Allow analytics.” Google may then process device, network, cookie, and interaction data under its own terms. Declining does not limit site features.

Advertising

The site is registered for Google AdSense. Ad delivery remains disabled until the site is approved and a Google-certified consent management platform is published for visitors in the EEA, UK, and Switzerland. When enabled, Google and its advertising partners may process device, network, cookie, consent, and interaction data to select, deliver, measure, and protect ads.

Google and third-party vendors may place or read cookies in a visitor's browser, use web beacons, collect an IP address and other device or online identifiers, and receive information resulting from ad serving on this site. Those technologies can be used for ad selection, personalisation where consent permits it, frequency control, measurement, fraud prevention, security, and reporting.

The advertising consent message will identify the purposes and vendors and offer the choices required for the visitor's region, including a way to revisit those choices. Essential site features remain available if optional advertising purposes are declined, although limited or non-personalised ads may still be shown where permitted.

Google explains how advertising data is used on its partner sites information page and provides ad personalisation controls.

Player statistics

Public World of Warships statistics may be stored as pseudonymized aggregates so community comparisons can be calculated. The site separates the public game identifier from the stored analytics key using a private server-side secret.

The player page offers a browser opt-out stored in an HttpOnly cookie. It applies to that browser; it is not proof that a visitor owns a public game account. A durable account-wide suppression or deletion therefore requires an administrator to verify the request.

Accounts and security

Accounts store an email address, username, password hash, role, and security timestamps. Passwords are not stored in plain text. Password-reset tokens are one-way hashed and are removed no later than seven days after they become used, revoked, or expired.

When a reset is requested, an expiring one-time link is held in a protected email queue until delivery. Its message body is erased after delivery, final failure, cancellation, supersession, or expiry. Changing the password cancels any reset email that is still waiting.

Submissions and builds

Replay and guide submissions store the details entered in the form, contact email, consent, source campaign fields, triage notes, and status history. Resolved submissions are retained for 365 days so editorial decisions and consent can be audited, then removed by the retention job.

A submission can queue a receipt containing its reference and a staff alert containing only the submission type, reference, and private queue location. The alert does not copy the submitted message or contact details. Completed email message bodies and duplicate recipient addresses are erased; limited delivery status and timing metadata is kept temporarily for reliability and audit purposes.

Commander builds store their configuration and optional description. Anonymous build edit tokens are shown once and kept in local browser storage; the server stores only a hash. Archived builds are retained for 30 days for recovery and moderation, then removed.

Cookies, sessions, local storage, and caches

  • Essential signed session and CSRF data keep sign-in and forms secure.
  • A browser opt-out cookie records the player-aggregate preference.
  • Theme choice and anonymous build capabilities may be stored in local browser storage.
  • An analytics-consent choice may be stored locally so the site can remember whether optional measurement is allowed.
  • Public data and page fragments may be cached for performance. Signed-in or session-dependent responses are marked private and are not placed in shared page caches.

If analytics is configured, use “Privacy choices” in the footer to change the choice. Declining stops future analytics collection on this site and attempts to remove its first-party analytics cookies.

External providers

Opening or embedding third-party content can share network and browser information with that provider. Relevant services include:

  • Google privacy policy for AdSense, Analytics, and YouTube.
  • Wargaming privacy policy for World of Warships account and encyclopedia data.
  • Render privacy policy for hosting infrastructure.
  • OpenAI privacy policy for editorial processing of public, official World of Warships source material. Canonical patch drafts are reviewed before publication; schema-validated weekly development briefings may publish automatically and always retain their official source links. Account, submission, and player data are not included in these requests.

The site's configured transactional-email provider processes recipient and sender addresses, message content, and delivery metadata only to send account and submission messages. The operator's current provider and contact details are available on request.

Questions and verified requests

Depending on the circumstances and applicable law, a person may ask for access, correction, deletion, restriction, portability, or an objection to processing, and may withdraw consent. Use the contact form for these requests or for verified player suppression. Include enough information to identify the relevant record, but do not send a password or other secret.

If the response does not resolve a UK data-protection concern, a complaint can be made to the Information Commissioner's Office. Rights are not absolute in every situation, and identity may need to be verified before private account information is disclosed or deleted.