1. Who we are
Playloop is operated by Wander & Wilt Studios, a small, independent game-and-tools studio based in the United States. This Privacy Policy describes how we (“Playloop,” “we,” “us”) handle personal information you share with us, or that we collect as you use the service at playloop.gg.
For any privacy question, reach us at . For general support, use .
2. What we collect
We collect the minimum needed to run the service, render your dashboard, and bill you accurately. Specifically:
Account data
- Email address and display name (via Clerk, see Section 8).
- Your plan (free, indie, or studio) and any admin-granted paid-plan entitlement window.
- Your preferences (notification settings, default game engine, studio name, optional).
Payment metadata
- Stripe customer ID, subscription ID, and subscription status.
- Date of last successful charge, in-grace status, plan tier.
We never see or store card numbers, CVCs, expirations, or any other raw card data. All card-handling happens inside Stripe.
Playtest telemetry your games send
- Session metadata (game ID, build version, environment tag, start/end time, duration, active duration).
- Per-event data from your SDK (event names, custom properties, optional player handle, anonymous device identifier).
- IP-derived geography stamped at session creation: country, region, city. We do not store the raw IP address, only the geo fields the request headers expose.
- Anonymous device identifier (a random GUID stored on your tester’s machine by the SDK) so the dashboard can compute returning-tester / DAU / cohort retention without identifying individuals.
- Optional asset uploads (audio, video, transcripts) when your integration sends them.
Player feedback submissions
If you embed our feedback form in a shipped game, your end-users’ submissions (free-text comments, optional rating, the player handle / device ID the SDK already attaches to their session) are sent to Playloop and attached to the session that generated them. As with custom event properties, anything the player types is content you (the developer) are the controller for; we act as your processor for it.
Broadcasts and audiences
If you configure an audience (a saved predicate over your telemetry, e.g. “players who reached level 5”) or a broadcast (an in-game message targeted at an audience), we evaluate player IDs against the predicate at delivery time and record dismissal / acknowledgement events from the client so the same player isn’t re-prompted. No new player PII is collected here beyond what the session already carries.
BYO AI provider keys
If you paste an OpenAI, Anthropic, or Google Gemini API key into your settings, we store it encrypted at rest using AES-256-GCM (see Security). We decrypt it only for the duration of an AI call, never log it, and never expose it in any API response or UI surface after the initial save.
Our managed inference is routed through Vercel AI Gateway to the underlying provider (listed as a sub-processor in Section 8). Calls made with your own key go directly to the provider you chose and do not pass through the Gateway, so your key reaches only that provider, never our relay.
AI usage logs
Each managed-AI call records the provider, model, token counts, estimated cost in cents, and which session it ran for. We use this for cost monitoring and to decide when you’ve hit your monthly managed-AI cap. It does not contain the prompt or completion text.
Operational logs
Our infrastructure providers generate the usual request / error logs that any web service needs to stay up. Hosting (Vercel) and the rate-limiter (Upstash Redis) hold IPs transiently, typically minutes to a few hours under their default retention. We do not store IP addresses in our own application database, and we strip visitor IPs from error-monitoring events (Sentry) before transmission.
3. What we don't collect
- Raw card numbers. Stripe handles every byte of card data; PCI scope stops at Stripe.
- Third-party tracking pixels. No Google Analytics, no Mixpanel, no Segment, no Facebook Pixel, no ad-network re-targeting.
- Your AI prompts and completions. We log the metadata (counts, costs), not the content.
- Your players’ personal information. The telemetry SDK is designed to send anonymous device IDs and event data, never PII. If your game sends PII through custom event properties or the optional tester-handle field, that’s a configuration choice on your end; you (the developer) become the data controller for any such information and remain responsible for obtaining whatever consent your jurisdiction requires (including parental consent for player audiences likely to include children). We act as your processor for that content; see Section 12 for the DPA path.
4. Site analytics, self-hosted Umami
Our marketing site (the pages you’re on now) uses Umami, a privacy-first analytics tool that we self-host alongside our own database. Umami does not set advertising cookies, does not share data with third parties, and anonymizes visitor IPs at ingest.
Umami logs: page paths visited, approximate country / region, referrer (where you came from), and a handful of named product events we use to track sign-up and upgrade funnels. None of this data leaves our infrastructure.
We do not currently honor the Do Not Track browser header at the analytics layer. DNT is widely sent and rarely meaningful; we’re being honest about this rather than promising compliance we don’t enforce. If you don’t want any analytics events, use the cookie banner’s Reject all option (or customize and uncheck preferences); clearing browser storage re-prompts. A content blocker that blocks first-party scripts also works.
6. How we use your data
Lawful basis (GDPR Art. 6). For the bulk of what we do (account creation, dashboard rendering, session ingest, AI summaries, billing), the lawful basis is performance of contract: you can’t use Playloop without us processing your account + telemetry. Operational logging, abuse prevention, and error monitoring run under legitimate interest. Marketing email (newsletter signups) is processed under explicit consent, with a confirmation click before any send and a one-click unsubscribe on every message.
Automated processing (GDPR Art. 22). Playloop applies AI models to your telemetry to generate per-session insights and per-tester / per-build summaries. These are decision-support outputs for you, the dev reading the dashboard. They produce no legal or similarly significant effects on the data subjects (your players); you and your team are the audience and the decision-makers. There is no “solely automated” decision under Art. 22. You can still object to specific processing, email .
- Render your dashboard. Telemetry powers the session list, charts, top-events panel, and retention cohorts.
- Generate per-game AI summaries. Your session events are processed by an AI model (either ours, on a paid plan, or your own BYO provider) to produce session, tester, and build summaries. These summaries are for your account only.
- Bill you accurately. Stripe handles charges; we keep enough metadata to show your plan, status, and grace state.
- Communicate operationally. Email you about billing receipts, payment failures, security events, and material policy changes. We do not send marketing email without explicit opt-in.
- Detect and prevent abuse. Standard rate limiting and request-shape checks.
We do not use your telemetry to train general-purpose AI models. Your data trains your per-game prompt context, nothing more.
7. Data retention
Each plan sets the window over which we keep a session’s data:
- Free plan: 90 days from session creation.
- Indie plan: 180 days from session creation.
- Studio plan: 365 days from session creation.
Your plan’s window is the limit on how long we retain a session’s data (events, insights, and any uploaded assets) for the product. You can delete any game or session from your dashboard at any time, and closing your account removes every session, asset, insight, and summary tied to it (see below). We are expanding this with automatic deletion at the end of each plan’s window.
When you delete sessions in bulk, the default is a recoverable delete: the sessions are hidden from your dashboard right away but kept in cold storage for a short period so our support team can restore them if you ask. You can also choose a permanent delete, which removes the sessions and their assets immediately, frees the storage, and cannot be undone. Deleting a single session, or closing your account, is always permanent.
Account data (your email, display name, preferences, encrypted BYO keys) is retained for as long as your account exists. To close your account, head to Settings → Account and click Close my account. Closure runs on a 14-day soft-delete grace window: your row is marked for deletion immediately, you can undo from the same page any time during the window, and an automated daily cleanup permanently deletes the account (plus every game, session, transcript, insight, attached asset, webhook subscription, and notification you own) on day 15. The same delete reaches into object storage so any uploaded audio/video/transcript files are removed alongside the database rows. The 14-day window mirrors the past-due grace already in our Terms.
Security audit logs. A separate security audit log records security-relevant events (sign-ins, key rotations, rate-limit hits, webhook failures) for up to 365 days on info-severity entries and 730 days on warning and error entries, regardless of plan. After account deletion, the entry’s identifier reference is nulled, but a pseudonymized snapshot is kept so we can investigate prior incidents; this retention is justified under GDPR Art. 17(3)(e) (defense of legal claims).
Backups. Database backups are kept for at least 7 days. A deletion takes full effect once the next backup roll-over passes the deletion timestamp.
8. Sub-processors
We use the following third parties to operate Playloop. They process data on our behalf, under their own contractual and statutory obligations:
- Stripe, United States
  Payment processing and card-data handling.
- Clerk, United States
  Authentication, session management, optional 2FA.
- OpenAI, United States
  Managed-AI inference for sessions on paid plans, OR routed through your BYO key when you've supplied one.
- Anthropic, United States
  BYO-key routing only; we don't use Anthropic as a managed default.
- Google (Gemini), United States
  BYO-key routing only.
- Vercel AI Gateway, Global (primary in the US)
  Managed-AI request relay. Our managed inference is routed through the Gateway to the underlying provider, with the provider's billed cost returned at zero markup. BYO-key calls do NOT use the Gateway; they go directly to your chosen provider.
- Supabase, United States
  Primary application database (accounts, telemetry, AI usage logs).
- Resend, United States
  Transactional email (billing receipts, payment failures, account notices, newsletter confirmations).
- Vercel, Global (primary in the US)
  Application hosting, edge geo-headers (country/region/city stamping), scheduled task triggers. Transient request/error logs include IPs for a short retention window.
- Sentry, United States
  Error monitoring and on-error session replay. We strip visitor IPs from every event at the boundary; what reaches Sentry is request method, route, user-agent, and the error itself.
- Cloudflare (Turnstile), United States
  Bot-protection challenge on the sign-up form and the anonymous contact form. Cloudflare receives the visitor IP and user-agent for the challenge.
- Upstash (Redis + message queue), United States
  Cross-instance rate limiting (IP-keyed counters, held for the rate-limit window of minutes to 24 hours) and a durable message queue that coordinates background analysis jobs. Queue messages carry session and job identifiers plus the job parameters needed to process them; they are short-lived and deleted once the job completes.
- S3-compatible object store, United States
  Storage for optional session assets (audio, video, transcripts). Encrypted in transit and at rest. Files are deleted alongside the database rows when you delete a session or close your account.
We may add or change sub-processors over time. Material changes (a new processor with broad access) will be noted in this section with at least 30 days’ notice.
Optional outbound integrations
The services below are not Playloop sub-processors. You enable them yourself from Settings → Integrations (or per-game), and when enabled Playloop forwards specific data to them on your behalf. You are the controller for the data routed through each. You can disconnect any of them at any time, and Playloop stops sending immediately.
- Slack. What gets sent: notification text (analyzer completions, crash alerts, billing events, and other notifications you opt in to) to the channel you connect.
- Discord. What gets sent: notification text and player-feedback summaries to the channel or webhook you connect. If you use the Discord ingest path, messages your players post in your configured channel are sent to Playloop as feedback.
- GitHub. What gets sent: issue title, body, labels, and a link back to the source session or insight when you file a Playloop finding to a repository.
- Linear. What gets sent: issue title, description, team, and a link back to the source session or insight when you file a Playloop finding as a Linear issue.
- Notion. What gets sent: page title, body content, and a link back to the source session or insight when you export a Playloop finding to a Notion database.
9. Security
See the dedicated Security page for the encryption, key handling, and operational controls we apply. Short version: BYO API keys are encrypted at rest with AES-256-GCM, everything moves over TLS 1.2+, and our admin surface is reachable only from a private tailnet.
10. Your rights
Depending on where you live, you may have the following rights over your personal data:
- Access: request a copy of what we hold about you.
- Correction: ask us to fix inaccurate or incomplete data.
- Deletion: ask us to delete your account and associated data.
- Portability: ask for your telemetry in a machine-readable format (JSON or CSV).
- Objection / restriction: ask us to stop or limit specific processing.
- Opt-out of sale: we don’t sell your data, so this is automatic, but the right exists under CCPA.
Deletion is self-serve; see Settings → Account for the close-account flow described in Section 7. Portability / access is also self-serve: head to Settings → Data Export for a machine-readable JSON dump of your account, games, sessions, insights, and AI usage. For everything else (rectification beyond what the settings forms cover, objection / restriction, opt-out), email . We’ll respond within 30 days.
11. Children
Playloop is a developer tool, and our Terms of Service require account holders to be at least 16 years old (see Terms § 2). We do not knowingly collect personal information from anyone under 16. If you believe a minor has signed up, email and we’ll delete the account.
12. International data transfers
Our infrastructure is hosted in the United States. By using Playloop, you understand that your information may be transferred to and processed in the U.S.
Transfer mechanism. For transfers of personal data originating in the EEA, the UK, or Switzerland to our U.S. sub-processors, we rely on the EU Commission’s 2021 Standard Contractual Clauses (Module 2: controller-to-processor), with the IDTA / UK Addendum applied to UK transfers. Where a sub-processor is also self-certified under the EU–U.S. Data Privacy Framework (DPF), that certification operates alongside the SCCs as an additional safeguard. The full sub-processor list is in Section 8.
Data Processing Agreement (DPA). If you use Playloop to process telemetry from EU-resident players, you (the developer) are the controller and we are your processor for that data. A DPA covering this relationship is available on request, email and we’ll send our current template (Module 2 SCCs, with appendix listing sub-processors and security measures).
12.5. Security incidents
If a personal-data breach happens that creates a real risk to your rights or freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and notify you directly without undue delay (Art. 34) if the risk is high. “Notify you” means an email to the address on your account plus a notice on the dashboard, with what happened, what data was affected, what we did about it, and what you can do.
13. Changes to this policy
We’ll update this page when material changes to our data practices ship. For changes that affect what we collect or who we share it with, we’ll email you and post a notice on the dashboard at least 30 days before the change takes effect. The Last updated date at the top of this page is the source of truth.
14. Contact
Privacy questions:
General questions: