GameSpaces ("we", "us") operates a cloud-gaming and remote-streaming platform. This policy explains what personal data we collect, why we collect it, and the rights you have over it.
Short version: we store the minimum we need to run your account and your sessions. We do not use Google Analytics, advertising trackers, or third-party analytics cookies. Aggregate usage metrics are stored on our own infrastructure and never sold.
Data we collect
- Account data: email address, password hash (Argon2id), display name, and avatar.
- Authentication data: third-party identifiers from Google, Discord, Steam, or other partners, if you choose to link them. Only the minimum scopes (email, profile, library) are requested. Session tokens may be stored on your device if you tick "Remember Me".
- Billing data: Stripe customer ID and subscription tier. Card details are processed by Stripe and never touch our servers.
- IP address: collected at sign-up and on suspicious events for fraud, abuse, and rate-limit enforcement.
- Session telemetry: coarse, aggregated metrics about cloud session length, region, and tier — used for capacity planning. No game telemetry, no input capture, no audio/video recording.
Why we use it
- To run the service: provisioning streaming sessions, routing connections, billing.
- To keep the service safe: fraud detection, abuse prevention, rate limiting.
- To communicate with you: account confirmations, password resets, billing receipts, security notices.
Analytics
We run our own analytics on our API server. It records anonymous, aggregated event counts (page views, sign-ups, checkout starts, session starts) keyed by a rotating server-side hash. There is no third-party analytics provider, no cross-site identifier, and no advertising profile.
Third parties
The only third parties that ever see your personal data are:
- Stripe — payment processing and subscription management.
- Resend / SMTP provider — transactional email (verification, password reset, receipts).
- Cloudflare — CDN, TURN relay, and DDoS protection.
- OAuth providers you opt into — Google, Discord, Steam, Xbox.
We do not sell personal data to anyone, ever.
Cookies
We set one strictly-necessary HttpOnly Supabase Auth session cookie so you stay signed in. We do not use advertising or third-party analytics cookies. Full breakdown: cookie policy.
Retention
- Account data: deleted immediately upon confirmed account deletion.
- Billing records: kept for 7 years to satisfy tax obligations.
- Analytics events: aggregated, no PII; retained indefinitely for trend analysis.
- IP / abuse logs: 90 days unless tied to an active investigation.
Your rights
You can delete your account and all associated data at any time from Settings, or by emailing [email protected]. EU/UK residents have rights under GDPR; California residents under CCPA. We respond within 30 days.
Children
GameSpaces is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect data from children.
Security
Passwords are stored only as Argon2id hashes. Sessions use HttpOnly cookies with Secure and SameSite=Lax protection. All traffic is HTTPS with HSTS enabled. Disclose vulnerabilities to [email protected].