Privacy Policy
We built Buildlings for kids 6–12, supervised by their parents. That means we collect the absolute minimum personal data required to run the service — and nothing more. We do not advertise to children, sell data, or share it with marketing partners.
1. Who we are
Data controller: AliceSolution Inc., Ontario, Canada.
Contact: [email protected]
If you are in the European Economic Area (EEA), AliceSolution Inc. is your data controller under the GDPR.
2. What personal data we collect
We collect only what is strictly necessary:
| Data | From whom | Why |
|---|---|---|
| Email address | Parent / account holder (18+) | Account authentication and service communications |
| Password (bcrypt hash — never plaintext) | Parent | Secure sign-in |
| Hero display name | Parent (chosen for child) | In-game identity — max 14 characters, not a real name |
| Game saves (brick worlds, inventory, progress) | System (from gameplay) | Cloud-sync game state between devices |
| Stripe Customer ID / Subscription ID | Stripe (when you subscribe) | Manage your subscription — no card numbers stored by us |
3. What we do NOT collect
- Real names, home addresses, or phone numbers
- Date of birth or age
- Payment card numbers, CVV, or bank details (Stripe handles all payments — see §6)
- Photos or voice recordings
- Location data
- Device advertising IDs or cross-site tracking identifiers
- Any data directly from children — all account data is collected from the parent
4. How we use your data
- Provide the service — authenticate your account, sync game saves, manage hero profiles.
- Subscription management — process payments via Stripe, enforce tier features, send renewal receipts.
- Service communications — password reset, security notices, material policy changes. No marketing without explicit opt-in.
- Safety & abuse prevention — detect and block account abuse, brute-force attacks, and policy violations.
Legal basis (GDPR): Contract performance (subscription + account); Legitimate interests (security, fraud prevention).
5. Who we share data with
We do not sell, rent, or share personal data with advertisers or data brokers.
We use one payment sub-processor:
| Sub-processor | Purpose | Privacy policy |
|---|---|---|
| Stripe, Inc. (USA) | Payment processing & subscription billing. Stripe stores card data on our behalf under PCI-DSS Level 1 compliance. We never see or store your full card number. | stripe.com/privacy |
We may also disclose data when required by law or court order, or to protect the safety of our users.
6. Children's privacy (COPPA & GDPR-K)
Buildlings is a family service. Only parents or legal guardians aged 18 or older may create an account. Children play under a parent-controlled profile and do not register or submit personal data directly.
The only data we hold about a child is a hero display name (chosen by the parent) and game save data. No real name, no contact information, no location.
If you believe a child under 13 has submitted personal information to us without parental consent, please contact us at [email protected] and we will delete it promptly.
US (COPPA): We do not knowingly collect personal information directly from children under 13 without verifiable parental consent. Our parent-account model satisfies COPPA's parental consent requirement.
EU (GDPR Art. 8): Children's data is processed under the parent's account with the parent's explicit consent at registration.
7. Your rights
Depending on where you live, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — delete your account and all associated data. You can initiate this by emailing [email protected]; we complete deletion within 30 days.
- Portability — receive your data in a machine-readable format.
- Objection / restriction — object to or restrict certain processing.
- Withdraw consent — you may stop using the service and delete your account at any time.
California (CCPA/CPRA): You have the right to know what personal information we collect, to delete it, and to opt out of its sale. We do not sell personal information.
Canada (PIPEDA): You have the right to access your personal information and challenge its accuracy. Contact our privacy officer at the address above.
To exercise any right, email [email protected]. We respond within 30 days (GDPR) or as required by applicable law.
8. Data retention
- Account data is kept for as long as your account is active.
- On account deletion, personal data is permanently deleted within 30 days.
- Stripe may retain billing records per their own legal obligations (typically 7 years for tax purposes).
- Anonymised aggregate statistics (e.g. "how many worlds were created this month") may be kept indefinitely as they cannot identify you.
9. Security
- Passwords are stored as bcrypt hashes — never in plaintext, never readable even by our team.
- All API traffic uses TLS 1.2+ (HTTPS). Cloudflare terminates TLS at the edge.
- Session tokens (JWT) expire after 2 hours; refresh tokens after 30 days.
- Rate limiting protects login and registration against brute-force attacks.
- We conduct periodic security reviews of our codebase and infrastructure.
10. Cookies & local storage
We use localStorage (not cookies) to store your session token on your device. This token lets us keep you signed in between visits. We do not use advertising cookies, tracking pixels, or third-party analytics.
You can clear local storage at any time through your browser settings, which will sign you out.
11. International data transfers
Our servers are hosted in Canada (infra-core) and the European Economic Area (Cloudflare CDN edge). If you are in the EU/EEA, your data may transit Cloudflare's global network. Cloudflare participates in the EU–US Data Privacy Framework. Stripe is headquartered in the USA and processes payment data there.
12. Changes to this policy
We will post changes here and update the "Effective" date at the top. For material changes (new data types, new sharing arrangements), we will notify you by email at least 30 days before they take effect.
13. Contact & complaints
Email: [email protected]
Mail: AliceSolution Inc., Ontario, Canada
If you are in the EU and believe we have not resolved your concern, you may lodge a complaint with your national data protection authority (DPA). A list of EU DPAs is available at edpb.europa.eu.
If you are in Canada, you may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.