PRIVACY POLICY
Last updated: [DATE] · TEMPLATE — have an attorney review before launch.
The short version: players give us nothing, creators give us almost nothing, and we sell nothing. No ads, no trackers, no analytics scripts, no data brokers.
1 · What we collect
| Who | What | Why |
|---|---|---|
| Players | Nothing. No account, no cookies, no tracking. A play counter increments — anonymously. | — |
| Creators | Username, password (stored only as a salted hash), email only if you choose to add one for account recovery, and the games you write. | Operating your account and displaying your games. |
| Everyone | IP addresses, briefly, in security and rate-limit logs. | Stopping abuse (signup floods, password guessing, spam submissions). |
| License buyers | Payment is processed entirely by Stripe; we receive a confirmation and the amount — never your card number. Stripe's own privacy policy applies to the checkout page. | Granting your Creator License. |
The Arcadia language itself cannot collect data: games have no text input, no network access, and no way to identify a player. This is by design — see Safe by Design.
2 · Cookies
One cookie, arc_session, set only when a creator logs in, used only to keep you logged in. No advertising or analytics cookies exist on this site.
3 · Children
Playing requires no personal information at any age. Accounts are for ages 13+ (younger creators can use the Studio without an account, or publish through a parent's or teacher's account). We do not knowingly collect personal information from children under 13; if you believe a child has created an account, contact [CONTACT EMAIL] and we will delete it. We never use personal data for advertising — there is no advertising.
4 · Sharing
We share data with no one, with three narrow exceptions: Stripe (payments), Cloudflare (our hosting provider — data is stored and processed on their infrastructure), and authorities when the law genuinely requires it. We will never sell personal data.
5 · Retention & deletion
Account data lives as long as your account. Delete your account and we delete your profile and games; security logs age out within [90] days; backups clear on their rotation schedule ([30] days). To delete your account or request a copy of your data, email [CONTACT EMAIL] — we answer within [30] days.
6 · Your rights
Depending on where you live (GDPR, UK GDPR, CCPA, etc.) you may have rights to access, correct, delete, or port your data, and to complain to a supervisory authority. Since we hold almost nothing, exercising them is quick: [CONTACT EMAIL]. We don't discriminate against anyone who exercises these rights.
7 · Security
Passwords are hashed (PBKDF2, per-user salts), sessions are stored hashed with strict cookies, all traffic is HTTPS, and moderation/security events are logged. No system is perfect; if a breach affects your data we will notify you as the law requires.
8 · Changes & contact
Material changes appear on this page with a new date. Controller / operator: [LEGAL NAME, ADDRESS]. Contact: [CONTACT EMAIL].
⚠ Template, not legal advice. The bracketed retention windows, the under-13 stance (§3), and your jurisdiction's specifics (GDPR representative? CCPA thresholds?) need a lawyer's eyes — but the architecture genuinely collects this little, which makes the lawyer's job unusually easy.