Privacy
This policy describes how Envy Games (“we”, “us”) collects, uses, and protects information across our website.
Who we are & scope
Envy Games is a US-based team building games, game mods, software, and game assets. This policy applies to:
- Our website.
- Our studio apps.
- Our games and related apps.
Data we collect
Account & authentication
- Username and hashed password (never plain text).
- Optional email for notifications or recovery.
- MFA data such as TOTP secrets or WebAuthn/passkey public key credentials.
- Session identifiers and CSRF tokens.
Logs & diagnostics
- Server logs (IP address, user agent, timestamps, URLs, response codes).
- Error reports and performance metrics (e.g., request timing).
Voluntary communications
- Messages sent via contact forms or email and your replies.
Payments/commerce
For purchases or donations, payment data is processed by a PCI-compliant provider. We do not store payment information on our servers.
How we use data
- Authenticate users, maintain sessions, and secure the app (MFA/passkeys, CSRF).
- Provide support and respond to requests.
- Monitor reliability, debug issues, and prevent abuse.
- Comply with legal obligations and enforce terms.
Legal bases (where applicable)
- Contract: To provide the services you use (account, studio features).
- Legitimate interests: Security, fraud prevention, and improving our tools.
- Consent: Where we explicitly ask (e.g., marketing emails or beta tracking).
- Legal obligation: When laws require us to retain or disclose limited data.
Security
- Hashed passwords; support for MFA and passkeys/WebAuthn.
- Least-privilege access, audit logs, and environment-scoped secrets.
- Transport encryption (HTTPS) and hardened defaults where available.
No system is perfectly secure; if we learn of a breach, we’ll take appropriate steps and notify affected users when required.
Retention
We keep data for as long as needed to provide the service and for legitimate business or legal purposes. Examples: session logs (short-term), error logs (short to medium), studio content (until deleted by an authorized user or per project lifecycle policies). We may anonymize or aggregate data for longer-term analytics.
Your rights
Depending on your location, you may have rights to access, correct, export, or delete your data, restrict or opt out of certain processing, or lodge a complaint with a regulator. For requests, use the contact details below. We’ll verify identity before fulfilling account-level actions.
Children
Our services aren’t directed to children under the age required by local law. We don’t knowingly collect personal data from such users; if you believe we have, contact us to request deletion.
Changes to this policy
We may update this policy as our products evolve. We’ll post the revised version here and update the effective date.
Effective date: November 30, 2025
Contact
Questions or privacy requests: contact us.