Privacy Policy
Last updated: May 6, 2026
Quick Links
1. Introduction
Welcome to BrainCandy (braincandy.im), a user-generated content arcade gaming platform with daily contests, creator revenue sharing, and virtual currency rewards.
This Privacy Policy explains what personal information we collect, how we use it, and your rights regarding that information. We are committed to protecting your privacy and being transparent about our data practices.
2. Information We Collect
Account Information
- Email address (required to create account)
- Username (display name)
- Verified age (13+ for general zone; verification via parent consent for Kids Zone under 13)
- Password (hashed and salted)
- Optional: profile photo, bio, social media links
Gameplay Data
- Game scores and leaderboard rankings
- Game play history (which games, when, duration)
- Streak counts and trophy/achievement progress
- Contest participation and daily rankings
- SB (BrainCandy points) balance and transaction history
Device & Technical Information
- Device type (mobile, tablet, desktop)
- Operating system and version
- Browser type and version
- IP address (anonymized for analytics)
- Device identifiers (localStorage keys, session tokens)
- Crash logs and error diagnostics
Creator-Specific Information
If you upload games as a creator:
- Game metadata (title, description, thumbnail, gameplay mechanics)
- Game performance metrics (plays, revenue share earned)
- Tax information (W-9 for payouts >$600/year)
- Stripe Connect account details (name, routing, account number — processed securely by Stripe, not stored by BrainCandy)
Automated Fraud Detection & Telemetry
- Play patterns (speed of gameplay, unusual win rates, automated detection signals)
- IP/device risk scores (geo-velocity, impossible travel, VPN/proxy detection)
- Payment fraud signals (from Stripe)
- Note: Human review is always performed before any payout denial or account suspension
3. Third-Party Data Processors
We share or process data with the following third parties to operate BrainCandy:
| Service | Purpose | Data Shared |
|---|---|---|
| Vercel (hosting, serverless functions) | Application hosting, API routing, deployment | Account creation logs, gameplay events, crash reports |
| Turso/libSQL (database) | Persistent data storage | All user-generated data: accounts, scores, creator metadata |
| Vercel Blob (file storage) | Game assets, profile photos, thumbnails | User-uploaded media files |
| Stripe Connect (payment processing) | Creator payouts, SB redemption | Name, payout email, W-9 tax info (only if >$600/year) |
| SendGrid (optional email) | Transactional emails (welcome, password reset, payout confirmation) | Email address, username, transaction confirmation codes |
| OneSignal (optional push notifications) | Daily contest reminders, streak notifications | Device token, basic user preferences |
Data Processing Agreements: We maintain Data Processing Agreements (DPAs) with all GDPR-relevant vendors. All processors are required to treat personal data as confidential and implement appropriate technical and organizational security measures.
4. Cookies & Tracking
First-Party Cookies & Local Storage
BrainCandy uses first-party only cookies and browser storage for authentication and user preference:
| Name | Purpose | Duration | Type |
|---|---|---|---|
bc_token |
Authentication JWT | 30 days | HTTP-only cookie |
bc_session |
Session identifier | Session (browser closes) | Secure cookie |
bc_user |
User preferences (theme, volume) | Persistent (1 year) | localStorage |
bc_streaks |
Local streak cache (performance) | Persistent until cleared | localStorage |
No Third-Party Tracking
We do NOT use:
- Google Analytics or similar third-party analytics cookies
- Tracking pixels or retargeting pixels
- Third-party advertising cookies
- Facebook Pixel or other ad network trackers
GDPR Consent Banner
For EU/UK visitors, we display a cookie consent banner at first visit (see Cookie Policy). We do not set any cookies requiring consent until you accept.
Do Not Track (DNT)
We honor the Do Not Track browser signal. If your browser sends a DNT header, we do not engage in behavioral analytics tracking.
5. Children Under 13 (COPPA Compliance)
Kids Zone Games
The following 11 games are labeled as "kid-appropriate" and accessible only via verifiable parental consent:
- Puzzle Quest
- Color Splash
- Memory Match
- Word Builder
- Doodle Dash
- Number Ninja
- Pattern Pro
- Shape Shuffle
- Sound Squares
- Quick Snap
- Rainbow Tiles
Parental Consent Process
To use the Kids Zone, we require:
- Child enters date of birth claiming to be under 13
- System requests parent/guardian email address
- We send email to that address with a unique verification link
- Parent clicks the link to confirm consent
- Only after parent verification can child play Kids Zone games
Kids Zone Data Collection (Minimal by Design)
For users under 13 in Kids Zone, we collect ONLY:
- Verified age (under 13)
- Parent email address (for consent verification)
- Game scores within Kids Zone games
We explicitly do NOT collect:
- Geolocation or device ID
- Behavioral profiling for advertising
- Device sensor data (camera, microphone, motion)
- Any third-party sharing of kids' data
- Cookies or persistent tracking identifiers
No Behavioral Advertising to Kids
We do not show targeted or behavioral advertising in Kids Zone. All ads (if any) are contextual and non-personalized.
No Social Features in Kids Zone
Kids Zone users cannot:
- Access chat or messaging
- Comment on other users' profiles
- Follow or be followed by other users
- View leaderboards with real names (first name + initial only)
Parental Rights
Parents may at any time:
- Review the child's collected information
- Request deletion of the child's data
- Revoke further collection (disabling the Kids Zone account)
To exercise parental rights, contact: safety@braincandy.im
We will respond within 5 business days.
FTC Resources
For more information on COPPA, visit: https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy
6. California Residents (CCPA/CPRA Rights)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know
You have the right to request what personal information BrainCandy has collected about you in the past 12 months, including:
- The categories of personal information collected
- The sources of that information
- The purpose for collection
- The categories of third parties we share it with
Right to Delete
Subject to limited exceptions, you may request deletion of personal information we have collected from you. Note: We may retain data for:
- Tax/legal compliance (7 years for creator 1099 records)
- Fraud prevention and security (30 days after account deletion)
- Contractual obligations (audit trail of creator payouts)
Right to Correct
You have the right to request correction of inaccurate personal information. You can update most profile information directly in your account settings; for disputes, contact privacy@braincandy.im.
Right to Opt-Out of "Sale or Sharing" of Personal Information
Declaration: BrainCandy does NOT sell or share personal information. We do not:
- Sell data to third-party marketers
- Share data with ad networks or data brokers
- Exchange data for valuable consideration (under CCPA's definition)
Our processor arrangements with Vercel, Turso, Stripe, etc., are solely for service delivery, not "sale or sharing."
Right to Limit Use of Sensitive Personal Information
We collect minimal "sensitive" data. We do not use sensitive information for targeted advertising, profiling for pricing discrimination, or other secondary uses.
Right to Non-Discrimination
We will not discriminate against you for exercising any CCPA/CPRA rights. We will not deny services, charge higher prices, provide lower quality service, or retaliate if you submit a valid request.
How to Submit a Request
To exercise any of these rights, email privacy@braincandy.im with:
- Your full name and email address associated with your account
- The specific right you are exercising (know, delete, correct, opt-out)
- A statement that you are a California resident
Response Time: 45 days (CCPA) or 30 days (CPRA). We may extend by 15 additional days if needed and will explain any delay.
Verification
We will verify your identity by matching your email to our records. For high-risk requests (e.g., deletion), we may ask for additional proof.
7. EU/UK Residents (GDPR & UK GDPR Rights)
If you are in the EU or UK, your personal data is protected under GDPR (EU) or UK GDPR. Below are your rights and our commitments:
Lawful Basis for Processing
We process your personal data based on:
- Consent: For gameplay data collection and optional communications (push notifications, email updates). You can withdraw consent at any time in account settings.
- Legitimate Interest: For fraud detection, security, abuse prevention, and service improvements. We balance our interest against your rights.
- Contractual Necessity: For account management, transaction processing, and payout processing (creator agreements).
- Legal Obligation: For tax records (W-9 if applicable) and law enforcement cooperation.
Data Subject Rights
- Right of Access: Request a copy of your personal data in a machine-readable format (CSV/JSON).
- Right to Rectification: Correct inaccurate data.
- Right to Erasure ("Right to be Forgotten"): Request deletion, subject to lawful exceptions (fraud prevention, legal holds).
- Right to Restrict Processing: Ask us to limit how we process your data while a dispute is resolved.
- Right to Data Portability: Request your data in a structured, portable format.
- Right to Object: Object to processing based on legitimate interest. We will stop processing unless we have a compelling legal reason.
- Rights Related to Automated Decision-Making: You have the right to object to automated decisions (e.g., fraud flags) and request human review.
International Data Transfers
BrainCandy is US-based and uses US data processors (Vercel, Turso, Stripe). To comply with GDPR Chapter 5 (Transfers), we rely on:
- Standard Contractual Clauses (SCCs) with all US processors
- Adequacy Decisions (if any apply, e.g., EU-US Data Privacy Framework for certain certifications)
By using BrainCandy from the EU/UK, you acknowledge these transfers and our data protection commitments.
Data Protection Officer & Supervisory Authority
You have the right to lodge a complaint with the supervisory authority in your jurisdiction:
- EU: Your national data protection authority (e.g., CNIL in France, ICO in UK, etc.)
- UK: Information Commissioner's Office (ICO)
EU/UK Data Requests
To exercise any GDPR right, contact privacy@braincandy.im with:
- Your name and account email
- The specific right (access, rectification, erasure, etc.)
- Proof of EU/UK residency (optional but recommended)
Response Time: 30 days (extendable by 2 months for complex requests). We will inform you of any extension.
8. State Biometric Laws (BIPA, CUBI, WPA)
Several US states regulate the collection of biometric data (fingerprint, face, iris, voice, gait). To clarify:
- Use facial recognition
- Collect fingerprints
- Analyze voice or gait
- Use iris scanning
- Store biometric templates or identifiers
If you have concerns about biometric data or believe we have inadvertently collected such data, please contact privacy@braincandy.im immediately.
9. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account (email, username, password hash) | Until account deletion + 30 days | User control; 30-day soft-delete for recovery/audit |
| Game scores & gameplay history | 24 months | Leaderboard historical context, fraud investigation, user dispute resolution |
| Creator transaction records | 7 years | IRS tax reporting requirements, audit trail |
| Fraud/security logs | 90 days | Active fraud detection and incident investigation |
| Kids Zone parental consent emails | Until account deletion + 1 year | COPPA legal compliance |
| Payment/Stripe records | Stripe retains; we retain 7 years | PCI compliance, chargeback defense, tax compliance |
| Device cookies & session tokens | 30 days (bc_token) or session | Authentication, device management |
10. Security & Breach Notification
Security Measures
We implement the following technical and organizational security measures:
- Encryption at Rest: All databases encrypted using AES-256.
- Encryption in Transit: All API traffic over HTTPS/TLS 1.3.
- Password Hashing: Passwords hashed using bcrypt (salt rounds ≥12).
- API Keys & Secrets: Managed via environment variables, never committed to git or logs.
- Access Controls: Role-based access (RBAC) for admin functions. No hardcoded credentials.
- Logging & Monitoring: Error logs and security events monitored; suspicious patterns trigger alerts.
- Stripe PCI Compliance: We do not store full credit card numbers; all payment processing delegated to PCI-DSS Level 1 compliant Stripe.
Breach Notification
If we discover a data breach involving personal information, we will:
- Notify affected users within 72 hours (or as required by law) via email to the address on file.
- Describe the nature of the breach, data types affected, and recommended actions.
- Provide contact information for questions: privacy@braincandy.im
- Notify applicable regulators (e.g., state AG, FTC) as required by law.
No Guarantee of Security
While we implement industry-standard protections, no system is 100% secure. We cannot guarantee the absolute security of your data. By using BrainCandy, you accept this inherent risk of online services.
11. Exercising Access & Deletion Rights
Self-Service Account Deletion
You can delete your account at any time via account settings:
- Log in to your BrainCandy account
- Go to Settings → Account → Delete Account
- Confirm the deletion request
- Account and associated data soft-deleted (30-day retention for recovery)
Data Access Request (Data Subject Access Request / DSAR)
To request a copy of all your personal data, email privacy@braincandy.im with:
- Subject: "Data Access Request"
- Your account email and username
Response Time: 30 days. We will provide data in a machine-readable format (CSV/JSON).
Permanent Deletion
If you request permanent immediate deletion (no 30-day recovery period), email privacy@braincandy.im with:
- Subject: "Permanent Account Deletion Request"
- Your account email, username, and reason (optional)
- Confirmation that you understand this is irreversible
Processing Time: 7 business days. Exceptions: Creator payout records retained for 7 years per tax law; fraud logs retained for 90 days.
12. Contact Us
Privacy inquiries, GDPR/CCPA requests, and data deletion:
- Email: privacy@braincandy.im
- Mailing address: [BUSINESS_ADDRESS]
- Response time: 30 days
Child safety and COPPA concerns:
- Email: safety@braincandy.im
- Response time: 5 business days
13. Policy Updates
We may update this Privacy Policy from time to time. Material changes will be communicated 30 days in advance via email and a notice on the site. Continued use of BrainCandy after the effective date constitutes acceptance of the updated Privacy Policy.
14. Automated Decisions & Profiling
BrainCandy uses automated anti-fraud telemetry to detect and prevent cheating and fraudulent payouts. This includes:
- Analysis of play patterns (speed, win rate anomalies)
- Device/IP risk scoring (geolocation velocity, VPN detection)
- Payout threshold checks (unusual earning spikes)
Human Review: Any automated decision to flag an account, deny a payout, or initiate a ban includes mandatory human review by a BrainCandy team member before enforcement. You have the right to appeal any such decision by contacting support@braincandy.im.