Privacy Policy

Last updated: 14 May 2026

Summary

VoidCraft is a multiplayer space-strategy game. To play, you sign in with Google so we can identify your account across devices. Once you're in, the game backend stores everything you'd expect: your planets, ships, battles, messages, and alliances. We do not sell your data, we don't run ads, and we don't share your gameplay or account information with advertising or analytics third parties.

This policy describes what we collect, why, where it lives, and how to delete it. If anything here is unclear or you want your data removed, email [email protected].

1. Who runs VoidCraft

VoidCraft is operated by Hanamori Labs, LLC ("we", "us"). Apple Developer Team ID Y96ZBULSTS. The website you're reading now is hosted at voidcraftgame.com. The game backend lives at api.voidcraftgame.com.

2. What we collect

From your Google account (during sign-in via Firebase Authentication):

Your email address
Your Google account display name
Your Google account profile picture URL (if set)
A persistent Google account identifier (used internally as your VoidCraft user ID)

From your gameplay (stored on our backend):

Your in-game display name (which you can change in Settings - this is what other players see)
The state of your empire: planets, buildings, research, ships, defences
Fleet missions, battle reports, espionage reports
Messages you send to other players and alliance members
Alliance memberships and join requests
Galactic Trade Centre offers you post and accept
Aggregate gameplay metrics needed for matchmaking, leaderboards, and balance tuning

From the app itself:

Crash reports and uncaught errors, sent to Sentry. These include the JavaScript stack trace, the device model, the OS version, and the app build number. We do not attach your email or display name to crash reports.
If you opt in to push notifications: an opaque push-token assigned by Apple or Google. The token identifies your device for delivery purposes only; it is not tied to anything outside our backend.

From the website (voidcraftgame.com):

Standard web-server access logs (IP address, browser user-agent, page accessed, timestamp). Retained 30 days for security and abuse prevention.
We do not use cookies for analytics or advertising on the website.

3. What we don't collect

We do not collect your location, GPS, contacts, photos, microphone, or camera data.
We do not run advertising or third-party advertising SDKs.
We do not run third-party analytics SDKs (no Google Analytics, no Facebook SDK, no Adjust, no AppsFlyer, no Amplitude, no Mixpanel).
We do not collect payment information. The game is currently free; if cosmetic purchases launch in the future, payments will be handled by Apple or Google's store and we will update this policy.
We do not knowingly collect data from children under 13 (United States) or under 16 (European Union). VoidCraft is targeted at teen and adult audiences. If you become aware that a child has provided us with personal information without parental consent, contact us and we will delete the account.

4. Why we collect what we collect

To run your account. Without your Google identifier, we cannot sync your progress across devices.
To run the game. Your empire state, fleets, battles, and messages are the game.
To prevent abuse. Server logs and rate-limit data are used to spot bots, cheats, and harassment.
To diagnose crashes. Sentry reports help us find and fix bugs before they affect more players.
To balance the game. Aggregate metrics (average resource production, battle outcomes, research rates) inform balance changes. This work is done on aggregated data and never tied back to individual accounts in published material.

5. Who we share data with

We use a small number of infrastructure providers. We do not sell your data, and we do not share it for advertising. The providers process your data on our behalf:

Google Firebase (Google LLC) - authentication, identity verification
Railway (Railway Corp.) - hosts the game backend (api.voidcraftgame.com) and the website
Sentry (Functional Software, Inc.) - crash reporting
Apple Push Notification Service - delivery of iOS push notifications (if you've opted in)
Google Firebase Cloud Messaging - delivery of Android push notifications (if you've opted in)
Cloudflare - DNS and edge caching for static assets

Each provider has its own privacy policy and security practices. We pick providers we trust and review what we send to each.

6. Where your data lives

The primary game database is hosted by Railway in the United States. Sentry crash reports are processed in the United States. Firebase Authentication runs in Google data centres globally. If you are accessing VoidCraft from outside the United States, you consent to your data being transferred to and processed in the United States.

7. How long we keep data

Account data is kept for as long as your account is active.
Crash reports in Sentry are retained for 90 days by default.
Web server logs are retained for 30 days.
Aggregate gameplay metrics (player-count, average battle outcomes, balance telemetry) are retained indefinitely in anonymised form.

8. Your rights

Depending on where you live, you have one or more of the following rights:

The right to access a copy of your personal data
The right to correct inaccurate data
The right to delete your personal data (subject to legal retention requirements)
The right to object to or restrict certain processing
The right to data portability (a machine-readable export of your data)
The right to withdraw consent at any time

To exercise any of these rights, email [email protected] from the email address tied to your VoidCraft account. We respond within 30 days.

9. Account deletion

You can request full account deletion at any time by emailing [email protected]. We delete:

Your Firebase Authentication record (this severs the link between your Google account and VoidCraft)
Your in-game empire, ships, planets, alliance memberships, and message history
Sentry crash reports tied to your sessions (where identifiable - most are not)

What we keep: aggregate gameplay statistics that no longer identify you (e.g. "X battles resolved this month" - your specific battles are removed from such aggregates if individually re-identifiable). We may also keep an audit-log entry confirming the deletion request was honoured, to comply with our own records-retention obligations.

Deletion is final. We cannot restore an account or its history once deleted.

10. Security

We use industry-standard practices to protect your data: TLS in transit for all client-server traffic, encrypted database storage, scoped credentials for every infrastructure provider, and the principle of least privilege for internal access. No system is perfectly secure, so we encourage you to use a unique strong password on the Google account you sign in with.

11. Changes to this policy

If we change how we handle your data in a material way - for example if we add a new third-party processor, or start collecting a new category of data - we will update this page, change the "Last updated" date at the top, and (where the change is significant) notify you in the app.

12. Contact

Privacy questions, deletion requests, or rights enquiries:

Email: [email protected]
Operator: Hanamori Labs, LLC