Privacy Policy

Last updated: 25 March 2026

Grimscript ("we", "our", "us") is operated by ArcadeOn Studios. This Privacy Policy explains how we collect, use, and protect your personal information when you use grimscript.co.uk (the "Service").

By using Grimscript, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored securely using bcrypt hashing)
  • Profile photo (optional)
  • Social login data (if you sign in via Google): your name, email, and provider-specific user ID. We do not store your social media passwords.

1.2 Studio & Subscription Data

When you create a studio (team) or subscribe to a paid plan, we collect:

  • Studio name and description
  • Payment information processed securely through Stripe. We do not store your full card number — only the card type and last four digits for display purposes. All payment processing is handled by Stripe, which has its own privacy policy.

1.3 Game & Content Data

When you use Grimscript to build worlds or play sessions, we collect:

  • World content you create (lore, NPCs, locations, system prompts, quests, items, character classes, achievements, factions, codex entries, world events, crafting recipes, and loot tables)
  • Character data (names, attributes, inventory, equipment, gold, XP, level, class, location, quest progress, achievement progress, faction reputation, codex discoveries, death state, and active titles)
  • Game session messages between players and the AI narrator, including multiplayer party sessions
  • Dice roll results, combat outcomes, and gameplay metadata
  • Multiplayer data including invite codes, party membership, turn order, and initiative rolls

1.4 Support Data

When you submit a support ticket, we collect:

  • Ticket subject, category, and message content
  • Email notifications related to ticket status updates and replies

1.5 Usage Data

We automatically collect:

  • Usage metrics: message counts, session counts, and token usage per studio for billing and rate limiting
  • Technical data: IP address, browser type, device information, and pages visited
  • Session data: stored server-side to keep you logged in

1.6 Cookies

We use the following cookies:

  • Essential cookies: session management, CSRF protection, and authentication state. These are required for the Service to function.
  • Preference cookies: remembering your consent choices and display preferences.

We do not use third-party advertising or tracking cookies.

2. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process subscriptions and payments via Stripe
  • Send AI-generated game responses via the OpenAI API
  • Track usage against your plan's monthly allowances
  • Send email notifications (welcome emails, password resets, email verification, support ticket updates, studio invitations)
  • Communicate with you about your account, billing, and service updates
  • Enforce our Terms of Service and prevent abuse
  • Manage support tickets and respond to enquiries
  • Comply with legal obligations

3. AI Processing

Game session messages are sent to OpenAI's API to generate AI narrator responses. This data includes:

  • Your character state and world context
  • Recent message history from your session
  • The world creator's system prompt and lore
  • In multiplayer, all party members' choices and action priority rolls

OpenAI processes this data under their API usage policy. We do not use your gameplay data to train AI models. OpenAI's API terms also state that API data is not used for model training.

4. Data Sharing

We do not sell your personal information. We share data only with:

  • Stripe: for payment processing
  • OpenAI: for AI game master functionality (session message content only)
  • Law enforcement: when required by law or to protect our rights

If you use Google social login, Google receives confirmation that you have authenticated but does not receive your Grimscript gameplay data.

5. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of account deletion.
  • Game sessions and characters: soft-deleted (recoverable) when you delete them, permanently purged after 90 days via automated scheduled task.
  • World content: soft-deleted when removed, permanently purged after 90 days.
  • Support tickets: retained for 12 months after resolution, then permanently deleted.
  • Payment records: retained as required by UK tax and accounting regulations (typically 6 years).
  • Usage logs: retained for the current billing cycle plus 12 months, reset monthly via automated scheduled task.

6. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing of your data
  • Data portability — receive your data in a machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time

To exercise any of these rights, contact us at hello@arcadeonstudios.co.uk or submit a support ticket. We will respond within 30 days.

7. Data Security

We implement appropriate technical measures to protect your data:

  • Passwords are hashed using bcrypt
  • All traffic is encrypted via HTTPS/TLS
  • Payment data is handled exclusively by Stripe (PCI DSS compliant)
  • Database access is restricted and monitored
  • Two-factor authentication is available for all accounts
  • Rate limiting prevents abuse (10 messages per minute per user)
  • Email verification required for all accounts

8. Age Restrictions

Grimscript is not intended for children under 13. We do not knowingly collect data from children under 13. Users must verify they are 18+ to access content rated "Mature" or "Adult". Age verification status is stored as a boolean flag on the user account.

9. International Transfers

Your data is processed in the United Kingdom and may be transferred to servers operated by our service providers (Stripe, OpenAI) in the United States. These transfers are protected by appropriate safeguards including Standard Contractual Clauses.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on the Service. Your continued use of Grimscript after changes constitutes acceptance.

11. Contact

For privacy-related enquiries:

ArcadeOn Studios Email: hello@arcadeonstudios.co.uk

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.