Privacy Policy – Cosmic Canvas Productions

Privacy Policy (Cosmic Canvas Productions)

Effective date: [Insert date]
Last updated: [Insert date]

This Privacy Policy explains how Cosmic Canvas Productions (“Cosmic Canvas,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data when you use our games, websites, and related services (collectively, the “Services”).

We are established in Europe and process personal data in accordance with the EU General Data Protection Regulation (“GDPR”), as well as applicable local implementing laws and, where relevant, the ePrivacy rules for cookies and similar technologies.

1. Who We Are (Data Controller)

Data Controller: Cosmic Canvas Productions
Registered address: [Insert address, city, country]
Email: [Insert privacy email, e.g., [email protected]]

If you have questions about this Privacy Policy or our data practices, contact us using the details above.

2. Scope

This Privacy Policy applies to:

Our games (including PC, console, and mobile titles),

Our websites and official community channels we operate,

Customer support and related communications,

Beta tests, playtests, and promotional campaigns, where stated.

Third-party platforms (e.g., Steam, PlayStation, Xbox, Nintendo, Apple App Store, Google Play, Epic Games Store, Discord, Twitch) have their own privacy practices. Please review their policies separately.

3. Personal Data We Collect

We collect personal data depending on how you interact with the Services. “Personal data” means information that identifies you directly or indirectly.

A. Data you provide to us

Account and profile data (if applicable): username, email address, display name, platform identifiers.

Support communications: messages you send to support, attachments, and troubleshooting details you provide.

Community or participation data: feedback, bug reports, survey responses, contest entries, or playtest sign-ups.

Age-related information (if required): date of birth or age gate responses (typically stored as “age confirmed / not confirmed” where possible).

B. Data collected automatically

Device and technical data: device type, operating system, app version, language, time zone, and similar technical identifiers.

Gameplay and telemetry data (if enabled): game events (e.g., level completion, crashes, performance metrics), in-game settings, and feature usage.

Log and security data: IP address (generally transient), timestamps, error logs, anti-fraud/anti-cheat signals (where applicable).

C. Data from third parties

Platform providers: if you purchase or access our games via a platform, we may receive limited information required to provide the Services (e.g., platform user ID, entitlement/ownership confirmation).

Payment processors: if we sell directly, payments are processed by third parties. We generally do not store full payment card details.

Analytics/advertising partners (if used): may provide aggregated insights or device identifiers depending on your settings and consents.

D. Special categories of data

We do not intentionally collect special categories of personal data (such as health data, biometric data, or political opinions). Please do not send such information to support.

4. How We Use Personal Data (Purposes)

We use personal data to:

Provide and operate the Services (deliver gameplay features, verify entitlements, enable multiplayer or social features if offered).

Maintain, debug, and improve the Services (crash reports, performance analysis, balancing, feature development).

Provide customer support and respond to requests.

Ensure security and prevent fraud/abuse (e.g., cheating prevention, account security, abuse investigation).

Communicate with you (service updates, security notices, support responses).

Marketing (where permitted): newsletters, promotions, and announcements only where you have opted in or where otherwise lawful.

Comply with legal obligations and enforce our rights (tax, accounting, regulatory requests, dispute handling).

5. Legal Bases for Processing (GDPR)

We process personal data under the following legal bases:

Contract performance (Art. 6(1)(b)): to provide the Services you request (e.g., delivering game functionality, responding to support).

Legitimate interests (Art. 6(1)(f)): to secure and improve the Services, prevent fraud, and understand usage trends (balanced against your rights).

Consent (Art. 6(1)(a)): where required, such as for certain cookies/SDKs, marketing communications, or optional analytics.

Legal obligation (Art. 6(1)(c)): to comply with EU and national laws.

Where we rely on legitimate interests, you may object (see Section 11).

6. Cookies and Similar Technologies

Our websites (and sometimes in-game web views) may use cookies, SDKs, and similar technologies for:

Essential functionality,

Preferences,

Analytics (where enabled),

Marketing/advertising (where used and permitted).

Where required by law, we will request your consent before setting non-essential cookies or using non-essential SDKs. You can manage preferences via [cookie banner/settings link] or your device/browser settings.

7. Sharing and Disclosure

We share personal data only as necessary:

A. Service providers (processors)

We may share personal data with trusted vendors who process data on our behalf, such as:

Hosting and infrastructure providers,

Crash reporting and analytics providers,

Customer support tools,

Email delivery services,

Anti-fraud/anti-cheat providers (if applicable).

These providers are contractually required to protect personal data and use it only for our instructions.

B. Platforms and partners

Where you access our games through third-party platforms, certain data exchanges may occur to provide entitlements, multiplayer features, or community functions.

C. Legal and safety

We may disclose data where required by law or where necessary to:

Respond to lawful requests by authorities,

Protect the rights, safety, and security of users, the public, or Cosmic Canvas,

Investigate fraud, abuse, or security incidents.

D. Business transfers

If we are involved in a merger, acquisition, reorganization, or sale of assets, personal data may be transferred as part of that transaction, subject to appropriate safeguards.

We do not sell personal data.

8. International Transfers

If personal data is transferred outside the European Economic Area (“EEA”), we will use lawful transfer mechanisms such as:

European Commission adequacy decisions, or

Standard Contractual Clauses (SCCs) and, where needed, supplementary measures.

You may request more information about transfer safeguards using the contact details in Section 1.

9. Data Retention and Deletion

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.

Deletion policy

If you delete your account or request deletion, we will delete or irreversibly anonymize your personal data without undue delay, unless we must retain limited data to meet legal obligations (e.g., tax/accounting, fraud prevention, dispute resolution) or to establish, exercise, or defend legal claims.

We do not retain personal data after deletion except where legally required or strictly necessary for the purposes above. Where retention is required, we will minimize what we keep and restrict access.

Typical retention examples

Support tickets: retained for up to [X months/years] after closure unless deletion is requested earlier.

Security logs: retained for up to [X days/months] unless needed to investigate incidents.

Crash reports/telemetry: retained for up to [X months] and then deleted or anonymized.

10. Security

We implement appropriate technical and organizational measures to protect personal data, including access controls, encryption where appropriate, and least-privilege practices. No system is 100% secure, but we work to prevent unauthorized access, disclosure, alteration, or loss.

11. Your Rights (EEA/UK and Similar Jurisdictions)

Subject to applicable law, you may have the right to:

Access your personal data,

Rectify inaccurate data,

Erase your data (“right to be forgotten”),

Restrict processing,

Data portability,

Object to processing based on legitimate interests,

Withdraw consent at any time (where processing is based on consent),

Lodge a complaint with your local data protection authority.

To exercise your rights, contact us at: [privacy email].
We may ask you to verify your identity to protect your data.

12. Children’s Privacy

Our Services are not intended for children under the age required by applicable law for consent to data processing (often 13–16 in the EEA depending on country). We do not knowingly collect personal data from children without appropriate consent mechanisms. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.

13. Automated Decision-Making

We do not use personal data for solely automated decision-making that produces legal or similarly significant effects, unless explicitly stated and permitted by law.

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will post the updated version with a new “Last updated” date. Where required, we will provide additional notice or obtain consent.

15. Contact

Cosmic Canvas Productions
Email: [Insert privacy email]
Address: [Insert address]