Introduction
We collect what we need to run the game. We don't sell your data. Here's the detail.
This Privacy Policy describes how [BUSINESS_NAME] (“X Planet,” “we,” “us”) collects, uses, shares, and protects personal information in connection with the X Planet game and related websites and services (the “Service”).
This Policy is incorporated into and forms part of our Terms of Service. Capitalized terms used here have the meaning given in the Terms of Service unless defined here.
Information We Collect
Account info, character and gameplay data, payment metadata, things you type, and basic technical telemetry.
Information you provide
- Account information: email address, username, password (stored as a salted hash, never in clear text), and, if you choose, multi-factor authentication secrets and backup codes.
- Single sign-on identifiers: if you sign in through Google or another OAuth provider, we receive the identifiers and basic profile fields the provider returns to us (typically an opaque user ID, your email, and your display name).
- Character & gameplay data: character name, appearance, level, stats, inventory, equipment, gold, premium currency, position, quest progress, faction reputation, owned plots and houses, party membership, and similar in-game state.
- Communications: in-game chat (proximity, party, and similar channels), support tickets, feedback, and any other content you send through the Service.
- Community submissions: items, NPCs, tiles, maps, and other content you submit through the Community Editors, together with any associated metadata.
Information from payments
- Card payments (via Stripe): we receive payment metadata such as the last four digits of the card, the brand, the expiration month/year, the country of issue, and the success/failure of the transaction. We do not receive or store the full card number, CVC, or full magnetic-stripe data.
- Cryptocurrency payments (via NOWPayments): we receive the transaction identifier, the cryptocurrency and amount, the originating wallet address (where reported), and the status of the transaction.
Information collected automatically
- Activity & journal data: events generated by gameplay (combat actions, skill gains, crafting results, quest progress, trades, login/logout, faction actions, level-ups, map travel) so we can run the game, prevent cheating, and provide history features such as journals.
- Device & technical data: IP address, browser type and version, operating system, language preference, and basic device characteristics, plus client diagnostics where you have opted in or where collection is necessary to investigate a specific issue.
- Cookies & local storage: see §5.
How We Use Your Information
To run the game, take payments, prevent cheating, talk to you, and improve things.
We process personal information for the following purposes, with the legal bases noted in brackets where the GDPR or UK GDPR applies:
- Provide the Service: create and authenticate your account, render the world, sync state, save progress [contract performance];
- Process payments and fulfill orders [contract performance, legal obligation];
- Communicate with you: account notices, security alerts, support responses, service updates [contract performance, legitimate interests];
- Maintain safety, integrity, and fairness: detect and prevent cheating, abuse, fraud, harassment, spam, and unauthorized access [legitimate interests, legal obligation];
- Improve and develop the Service: understand how features are used, debug issues, plan changes [legitimate interests];
- Comply with legal obligations: respond to lawful requests, retain transactional records, enforce our Terms [legal obligation];
- With your consent, where required by applicable law (for example, certain non-essential cookies or marketing emails) [consent].
Third-Party Services
We use third parties to take payments, sign you in, host the game, and generate quest text. They each have their own privacy policy.
We use the following categories of third-party services to operate the Service. Each provider processes only the data needed for its function, under contractual or legal protections:
- Stripe: Payment processing for card payments, donations, subscriptions, and similar transactions. Subject to Stripe's privacy policy.
- NOWPayments: Cryptocurrency payment processing. Subject to NOWPayments' privacy policy.
- Google OAuth: Authentication for users who choose “Sign in with Google.” We receive only the basic profile fields you authorize. Subject to Google's privacy policy.
- xAI / Grok: Generative AI used to produce non-player-character dialog, quest narrative, and similar in-game content. Prompts may include game-state context and, in some flows, content you have authored (such as messages an NPC is responding to). Subject to xAI's privacy policy.
- Hosting & infrastructure: Cloud hosting, database, content delivery, and email-delivery providers. We use providers contractually committed to industry-standard security and confidentiality.
Cookies & Local Storage
We use cookies and local storage to keep you signed in and remember your preferences.
We use cookies, local storage, and similar technologies to operate the Service. The categories we use are:
- Strictly necessary: session cookies, CSRF tokens, and authentication state; without these the Service cannot function.
- Preferences: remembering settings such as audio volume, UI scale, and chat filters.
- Analytics & product: aggregated, mostly first-party signals about how the Service is used so we can fix bugs and prioritize features.
Where required by applicable law (for example, in the EU and UK for non-essential cookies), we will obtain your consent before placing optional cookies. You can clear cookies and local storage from your browser settings; doing so may sign you out and reset your preferences.
Sharing & Disclosure
We share with the providers that run the game, with other players (for things you do in public), and with law enforcement when legally required. We don't sell your data.
We share personal information only as follows:
- Service providers and processors listed in §4, acting on our instructions to operate the Service;
- Other players, when you choose to interact in a public or semi-public way (your character name, appearance, equipment, location on the map, faction, and chat are visible to other players to the extent the game's design intends);
- Successors, in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality;
- Legal & safety, to comply with applicable law, lawful requests, valid legal process, and to protect the rights, property, or safety of X Planet, our users, or others, including for fraud prevention and to enforce our Terms.
We do not sell personal information for monetary consideration. To the extent that any data sharing for online advertising would be characterized as a “sale” or “sharing” under California's CCPA/CPRA or similar laws, you can opt out at [CONTACT_EMAIL]; we currently do not engage in cross-context behavioral advertising.
Retention
We keep account data while your account is active, plus a tail for disputes, fraud prevention, and the law.
We retain personal information only as long as necessary to provide the Service and for the purposes described in this Policy. Indicative retention periods:
- Account & character data: for as long as the account is active, plus a reasonable wind-down period after closure (typically up to 90 days) to handle reversals and disputes, after which we delete or de-identify the data, except as required below.
- Transactional records: retained for the period required by tax, accounting, anti-fraud, and anti-money-laundering law (typically 6–10 years from the transaction).
- Chat logs & moderation records: retained for a period sufficient to investigate harassment, fraud, and policy violations (typically up to 12 months), longer where retained as part of an active investigation or legal hold.
- Backups: backups containing personal information may persist for a limited rolling window after deletion in the live system; we do not restore from those backups except for disaster recovery.
Your Rights
You can ask to see your data, correct it, delete it, or take it elsewhere. We'll honor those requests where the law gives you the right.
Depending on your location, you may have rights under the EU GDPR, the UK GDPR, the California CCPA/CPRA, the Virginia VCDPA, and similar laws. Where they apply, you can:
- Access the personal information we hold about you;
- Correct inaccurate or incomplete information;
- Delete personal information, subject to exceptions for fraud prevention, legal obligations, and rights of third parties;
- Restrict or object to certain processing;
- Receive a copy of certain information in a portable format;
- Withdraw consent for processing based on consent (without affecting prior processing);
- Lodge a complaint with your local data-protection authority.
To exercise a right, email [CONTACT_EMAIL] from the address associated with your account. We may need to verify your identity before acting. We will respond within the time required by applicable law (typically 30 days under the GDPR; 45 days under the CCPA, extendable once).
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of “sale” or “sharing” (we do not engage in either as defined), and the right to limit use of sensitive personal information. We do not discriminate against you for exercising these rights.
Children's Privacy
The Service is not for children under 13. We don't knowingly collect their data and we'll delete it if we find out we did.
The Service is not directed to, and we do not knowingly collect personal information from, children under 13 (or, in jurisdictions where the floor is higher, that minimum). If you believe a child under that age has provided personal information to us, please contact [CONTACT_EMAIL] and we will promptly investigate and delete the information and the associated account.
International Data Transfers
Your data may move between countries. We use standard legal safeguards.
We and our service providers may process personal information in countries other than the one you live in, including in the United States and other countries that may not provide the same level of data-protection law as your country. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK Addendum, and equivalent mechanisms to legitimize the transfer.
Security
We use reasonable security measures. Nothing online is perfectly secure.
We use technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, and destruction. These include encryption in transit, hashing of passwords, access controls, network segmentation, monitoring, and routine review. No system is perfectly secure, however, and we cannot guarantee the absolute security of personal information. You can help by using a strong, unique password and enabling multi-factor authentication.
Changes to this Policy
If we change this policy in a material way, we'll tell you.
We may update this Privacy Policy from time to time. We will post the updated Policy on the Service with a new “Effective” date and, for material changes, give at least thirty (30) days' notice via email, login banner, or other reasonable means before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
Contact
Questions about your data? Email us.
- [CONTACT_EMAIL]
- Controller: [BUSINESS_NAME]
- EU / UK representative or DPO (if applicable): [DPO_OR_REP]