Privacy Policy

Last updated: March 15, 2026

Caustic Studio ("we", "us", "our") operates the caustic.dev website and the Caustic Studio platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

Account Information: When you create an account, we collect your email address and display name. You may optionally provide a username, bio, and avatar.

Authentication Data: We store a securely hashed version of your password. If you sign in via GitHub OAuth, we store your GitHub user ID and access token.

Payment Information: Payments are processed by Stripe. We store your Stripe customer ID for subscription management but never receive or store your credit card number, CVV, or full card details.

User-Generated Content: We store game projects, assets, devlogs, comments, and other content you create within the platform.

Usage & Security Data: We collect IP addresses and user-agent strings for active sessions to detect unauthorized access and enforce rate limits.

Transactional Email Records: We record which transactional emails were sent to your address (e.g., verification, password reset) for debugging and compliance purposes.

2. How We Use Your Information

Account Operation: To create and maintain your account, authenticate your identity, and provide access to your projects and content.

Communication: To send transactional emails such as email verification, password resets, subscription confirmations, and security alerts. You can opt out of non-critical emails in your notification preferences.

Security: To detect and prevent fraud, abuse, and unauthorized access through session tracking and rate limiting.

Payments & Billing: To process subscription payments, marketplace transactions, and creator payouts through Stripe.

Platform Improvement: To monitor errors and performance issues so we can maintain a reliable service.

3. Third-Party Service Providers

Stripe (stripe.com): Payment processing, subscription billing, and marketplace payouts. Stripe receives your payment details directly and is PCI-DSS compliant. See Stripe's privacy policy at stripe.com/privacy.

Resend (resend.com): Transactional email delivery. Resend receives your email address and the content of emails we send to you.

Cloudflare (cloudflare.com): CDN, DNS, DDoS protection, and frontend hosting via Cloudflare Pages. Cloudflare may process request metadata (IP addresses, headers) as part of its network services.

Railway (railway.app): API server and PostgreSQL database hosting. Railway hosts the infrastructure where your data is stored and processed.

GitHub (github.com): OAuth authentication and optional project sync. If you connect your GitHub account, we access your GitHub user ID and, with your permission, can sync project files to your repositories.

4. Data Storage & Retention

Your data is stored in a PostgreSQL database hosted on Railway. All connections use TLS encryption in transit.

We retain your personal data for as long as your account is active. When you delete your account, all associated data is permanently removed via cascading deletion, including projects, sessions, social connections, notifications, and audit log entries.

Expired sessions (refresh tokens) are periodically cleaned up automatically.

Audit log entries are retained while your account is active to support security review and account recovery.

5. Your Rights

Access & Portability: You can export a copy of all your personal data at any time using the data export feature in your account settings (GET /account/export). The export includes your profile information, project metadata, sessions, preferences, and activity history in a portable JSON format.

Correction: You can update your email address, display name, username, bio, and avatar through your account settings at any time.

Deletion: You can permanently delete your account and all associated data from your account settings. This action is irreversible.

Email Preferences: You can opt out of non-critical emails (such as welcome messages and subscription confirmations) in your notification preferences. Security-critical emails like password resets and email verification will always be sent regardless of your preferences.

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to restrict processing and the right to object to processing. Contact us to exercise these rights.

6. Cookies & Tracking

We use a single functional cookie (refresh_token) to maintain your authenticated session. This cookie is httpOnly, secure, and strictly necessary for the service to function.

We do not use any third-party tracking cookies, analytics scripts, or advertising pixels. We do not track you across other websites.

7. Children’s Privacy

Caustic Studio is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will promptly delete it.

8. Data Security

We implement industry-standard security measures including: password hashing with bcrypt, CSRF protection, rate limiting on sensitive endpoints, refresh token rotation with family-based reuse detection, and optional two-factor authentication (TOTP).

All data in transit is encrypted via TLS. Access to production infrastructure is restricted to authorized personnel.

While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at [email protected].