This Privacy Policy explains how Broken Window LLC ("Broken Window," "we," "us"), a Delaware limited liability company, collects, uses, and shares information when you use brokenwindow.ai, the game Barons of Steel, and related services (the "Service").
1. Information We Collect
Account information. When you register, we collect your email address and username. Sign-in uses secure one-time links sent to your email ("magic links") — we do not require a password, and we do not use third-party sign-in providers. If your account was created under an earlier password-based system, any password is stored only as a salted hash, never in plaintext.
Gameplay and platform data. We record your in-game activity, including matches played, game state and results, Shard balance and every Shard transaction (our ledger records how Shards were earned and spent), leaderboard standings, subscription status, and competition participation.
Usage and device data. We automatically collect standard technical data: IP address, approximate location derived from your IP address (country/region level), browser and device type, pages viewed, referral source, session timestamps, and interactions with the Service. We use this for analytics, security, and to operate the Service.
Cookies. We use only essential cookies — those required for authentication (keeping you signed in), security, and core functionality of the Service. Our analytics runs without cookies (see Section 4), and we do not use advertising cookies or third-party tracking cookies.
Communications. If you contact support or communicate with us, we keep those communications.
The Service is not intended for anyone under 16, and we do not knowingly collect information from children under 16. If we learn we have done so, we will delete it. If you believe someone under 16 has an account, contact us at the address below.
2. How We Use Information
We use your information to:
- Operate the Service: accounts, matches, the Shard ledger, subscriptions, leaderboards, and competitions
- Maintain security and fairness: detect cheating, botting, multiple accounts, fraud, and abuse
- Analyze and improve the Service: understand usage, fix bugs, develop features
- Communicate with you: service announcements, security notices, and responses to inquiries
- Comply with legal obligations and enforce our Terms of Service
Legal bases (EEA/UK users). Where GDPR or UK GDPR applies, we process your data on the following bases: performance of our contract with you (operating your account and the game), legitimate interests (security, anti-cheat, analytics, service improvement), and legal obligation where applicable.
3. What Is Public
Your username, public profile, gameplay statistics, and leaderboard standings are publicly visible, including to people without accounts, and may appear in search engines. Do not choose a username that identifies you personally if you don't want that association to be public. Your email address, Shard transaction details, and account settings are not public.
4. How We Share Information
We do not sell your personal information, and we do not share it with third parties for advertising.
We share information only with:
- Service providers who process data on our behalf under contract: Amazon Web Services (hosting and infrastructure), Resend (email delivery), Plausible (privacy-focused, cookieless website analytics), and an IP-geolocation lookup service (ipapi.co) used to derive approximate location from IP addresses
- Legal and safety recipients, when required by law, legal process, or to protect the rights, safety, and integrity of the Service, our users, or the public
- Business transfer parties, if Broken Window LLC is involved in a merger, acquisition, or sale of assets — your information may be transferred as part of that transaction, subject to this policy
5. International Transfers
We are a US company and our Service is hosted in the United States. If you use the Service from outside the US, your information will be transferred to and processed in the US. For EEA/UK users, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (and the UK Addendum) with our service providers where required.
6. Data Retention
We keep your information for as long as your account is active. When you delete your account:
- Account and profile data are deleted or anonymized within 35 days
- Shard ledger and match records may be retained in anonymized or pseudonymized form for integrity, anti-fraud, and analytics purposes
- Backup copies are purged on a rolling basis within the same 35-day window
- We may retain information as needed to comply with legal obligations, resolve disputes, and enforce our Terms
7. Your Rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your information
- Export your data in a portable format
- Object to or restrict certain processing
- Not be discriminated against for exercising these rights
To exercise any of these rights, email us at the address below. We will verify your identity and respond within the timeframe required by law (30 days under GDPR, 45 days under the CCPA). You can also delete your account directly from account settings.
EEA/UK users may lodge a complaint with their local data protection authority. California residents: we do not "sell" or "share" personal information as those terms are defined in the CCPA/CPRA.
8. Security
We protect your information with industry-standard measures, including encryption in transit (TLS), hashed passwords, access controls, and logging. No system is perfectly secure; if we experience a breach affecting your personal information, we will notify you and regulators as required by law.
9. Do Not Track
Because we use only essential cookies and do not track users across third-party sites, browser "Do Not Track" and Global Privacy Control signals do not change how the Service operates — there is no cross-site tracking to opt out of.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be announced through the Service or by email before they take effect. The "Last updated" date at the top reflects the latest revision.
11. Contact Us
For privacy questions, rights requests, or support:
Broken Window LLC
8 The Green, Ste B, Dover, DE 19901, United States
Email: support@brokenwindow.ai