Privacy Policy

Last updated: 20 May 2026

This page summarises how Brain Rot IRL handles your personal data. The full, binding text lives inside our Terms & Privacy (section 8). This summary is written in plain English so it's easy to follow.

1. What we collect

• Account: email, hashed password (or your Google/Apple ID), display name.
• Age band: we store whether you're 13+, 13–17 or 18+. We ask for your date of birth at signup to verify this and to satisfy children's data-protection law.
• Game data: Rotmons caught, XP, streaks, battles, friendships, purchases.
• Approximate location: only used in your browser to spawn Rotmons near you. We do not store your precise GPS coordinates on our servers.
• Camera frames: used in AR mode on your device only — never uploaded.
• Contact form submissions: name, email, category, message.
• Technical & security data: IP address, browser/device type, basic crash and usage logs.

We deliberately do not collect: school name, home address, phone number, private messages, or your precise location history.

2. Why we collect it

• To run the game (contract).
• To keep accounts and the service safe from abuse (legitimate interest).
• To show you ads — only if you accept cookies (consent).
• To meet legal obligations (e.g. tax records for purchases).

3. How long we keep it

• Account & game data: while your account is active.
• After account deletion: up to 90 days, then permanently removed or anonymised — except records we must keep by law (e.g. tax).
• Contact messages: up to 24 months.
• Security logs: up to 12 months.

4. Who we share it with

• Supabase Inc. — backend hosting, auth and database.
• Cloudflare, Inc. — CDN and DDoS protection.
• Paddle.com Market Limited — payment processing (only if you purchase).
• Google LLC — AdSense and OAuth sign-in (ads only with your consent).
• Apple Inc. — Sign in with Apple (only if you use it).

We do not sell your personal data. We never share children's data for targeted advertising or behavioural profiling.

5. Your rights

Under UK/EU GDPR, the California CCPA/CPRA and similar laws, you can ask us to:

• access a copy of your data,
• correct inaccurate data,
• delete your data ("right to be forgotten"),
• restrict or object to processing,
• port your data to another service,
• withdraw any consent you've given (e.g. cookies).

You can also lodge a complaint with your local data-protection authority (in the UK: ico.org.uk).

6. How to delete your data

Signed-in players can permanently delete their account from Profile → Account settings → Delete account. This removes your profile, collection, progress, friendships, battles and trades.

If self-service deletion isn't available to you, email us via the contact form with the subject "Data deletion request". We action it within 30 days.

7. Children & young users

You must be 13+ to play. Players aged 13–17 must have a parent or guardian tick the in-app consent before playing. We never use targeted advertising or behavioural profiling for children, and we minimise the data we hold on under-18s. See our Play Safe page.

8. No school affiliation

Brain Rot IRL is not affiliated with, endorsed by, or connected to any school, academy, multi-academy trust, college, university, employer, pupil group or educational institution. It is an independent entertainment product.

9. Security

All traffic is served over HTTPS. Authentication is handled by a third-party identity provider; we never see or store your raw password. Row-Level Security in our database means each player can only see their own private data. We monitor for abuse and apply reasonable technical and organisational measures, but no system is perfectly secure.

10. Contact

For any privacy question or to exercise a right above, use our contact form (category: General or Other) and mention "Privacy".