Privacy Policy

Ruststead is a browser-based homestead role-playing game developed and operated by Ruststead Dev. This policy applies to all users of the game, including visitors who browse without registering and registered players who create an account.

This policy is intended to comply with applicable data protection laws including, but not limited to:

• The General Data Protection Regulation (GDPR) — European Union / United Kingdom
• The California Consumer Privacy Act (CCPA) as amended by the CPRA — California, United States
• The Children's Online Privacy Protection Act (COPPA) — United States
• Other applicable national and regional privacy frameworks

Where this policy refers to "personal data" or "personal information," these terms are used interchangeably and encompass any information that identifies, relates to, or could reasonably be linked to a specific individual.

We collect the following categories of information in order to operate, maintain, and improve Ruststead. We collect only what is necessary for the purposes described in this policy.

We use the information we collect for the following purposes:

• Account Management: Creating and authenticating your account, verifying identity on login, enabling password recovery, and enforcing account security.
• Game Services: Saving and restoring your game state, processing in-game actions, updating leaderboards, and enabling multiplayer and social features.
• Communications: Delivering in-game chat messages, private messages, trade offers, and optional push notifications that you have opted into.
• Security & Integrity: Detecting cheating, fraud, abuse, and unauthorized access; preserving fair play for all users; enforcing our Terms of Service.
• Service Improvement & Analytics: Diagnosing bugs, improving game balance, monitoring server health and performance, and understanding aggregate in-game usage patterns (such as which features are used, how often, and by how many players). This analysis uses data we already hold internally. On Android, we may also review aggregate platform-level analytics provided by Google Play Console (such as crash reports, installs, and Android Vitals) to maintain app stability and compatibility.
• Moderation: Reviewing reports of misconduct, applying sanctions such as chat bans or account bans, and maintaining the safety of the community.
• Legal Compliance: Complying with applicable laws, regulations, legal process, and governmental requests.

We do not use your personal data for automated individual decision-making or profiling that produces legal or similarly significant effects without your explicit consent.

We use trusted third-party infrastructure and service providers, including cloud hosting providers, to operate the game. Our current primary hosting provider is DigitalOcean, LLC. Servers are located in data centers that maintain industry-standard physical and environmental security controls.

We implement the following technical and organizational security measures:

• Password hashing: All passwords are hashed using bcrypt with an appropriate cost factor before storage. Plaintext passwords are never stored, logged, or transmitted beyond the initial authentication request.
• Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS (TLS).
• Authentication tokens: Sessions are managed using signed JSON Web Tokens (JWT). Tokens are validated server-side on each request.
• Access controls: Administrative access to production systems is restricted to authorized personnel only.
• IP logging: IP addresses are retained for cheat detection and abuse prevention purposes and are not associated with advertising or tracking.

Data Retention: We retain your personal data for as long as your account is active or as necessary to provide the game services. Moderation records (cheat flags, abuse reports) may be retained beyond account deletion for safety and enforcement purposes, but are stripped of personal identifiers where possible. See Section 8 for full details on deletion.

We do not share personal data with advertising networks, data brokers, analytics providers, or any other third party not described in this policy. The only circumstances under which we may disclose your information are:

• Service Providers: We use trusted third-party providers (such as cloud hosting and email delivery services) to help operate the game. These providers act as data processors on our behalf and are contractually prohibited from using your data for their own purposes.
• Platform Analytics Providers (Google Play): If you access Ruststead through the Google Play Store, Google collects and provides us with aggregate app analytics via Google Play Console, including crash reports, Android Vitals, install and uninstall data, and device compatibility statistics. We may also use Firebase or other Google platform services for app diagnostics on Android. This data is collected and processed by Google under Google's Privacy Policy and is used solely for app maintenance and improvement. We receive only aggregate or anonymized reports — not data linked to individual players.
• Payment Processors (Stripe & Google Play): Payment transactions are processed by Stripe (web) and Google Play (Android). These processors receive your payment data directly and handle it under their own privacy policies. Ruststead Dev receives only the limited transaction confirmation data described in Section 11.
• Legal Requirements: We may disclose personal data if required to do so by law, court order, subpoena, or other governmental or law enforcement request, or where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Ruststead Dev, our users, or the public.
• Business Transfers: If Ruststead Dev is involved in a merger, acquisition, asset sale, or similar transaction, your data may be transferred as part of that transaction. We will provide notice of any such transfer and any changes to this Privacy Policy.
• With Your Consent: We may share information with third parties when you have given us explicit consent to do so.

We do not embed advertising networks, behavioral tracking scripts, or third-party analytics SDKs beyond those described above. All core game functionality is self-contained.

Depending on your jurisdiction, you may have the following rights with respect to your personal data. We will honor all verifiable requests within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA).

To exercise any of these rights, please contact us at support@ruststeadrpg.com. We may require you to verify your identity before processing your request. We will not charge a fee for reasonable requests unless a request is manifestly unfounded, excessive, or repetitive.

In compliance with the Children's Online Privacy Protection Act (COPPA) and analogous international laws (including GDPR-K provisions applicable in the EU and UK), users must confirm they are at least 13 years of age at the time of registration. We do not knowingly collect, maintain, or use personal information from children under 13.

If we become aware that we have collected personal data from a child under the age of 13 without verifiable parental consent, we will take immediate steps to delete that data from our systems. If you are a parent or guardian and believe your child under 13 has created an account, please contact us immediately at support@ruststeadrpg.com so we can investigate and remove the account and associated data.

Users between the ages of 13 and 17 may use the game subject to any applicable minor consent requirements in their jurisdiction. We recommend that minors review this policy with a parent or guardian.

Ruststead does not offer parental consent mechanisms or child-directed accounts. If under-13 access is detected, the account will be removed.

You have the right to delete your Ruststead account and associated personal data at any time. Account deletion is self-service and does not require contacting support.

To delete your account: Visit https://ruststeadrpg.com/delete-account.html, enter your username and password to verify your identity, and confirm the deletion request. Deletion requests are processed promptly. Some residual data may remain temporarily in encrypted backups or system logs for a limited retention period before automatic deletion. Deletion is irreversible — we are unable to restore accounts or data once deleted.

Deleted data may persist temporarily in secure encrypted backups until those backups are automatically overwritten in the normal backup cycle. This does not affect your erasure rights — the data is not accessible or used during this period.

We may be unable to recover or delete accounts where ownership cannot be reasonably verified.

The following data is permanently deleted upon account deletion:

• Account credentials (email address, password hash)
• All gameplay and progress data
• Private messages and trade records
• Market listings and price history entries attributed to your account
• Push notification subscription token
• All personally identifiable profile information

The following data is retained after deletion for the reasons stated:

• Public chat messages: Retained but anonymized — your username is replaced with [deleted] and no personal identifiers remain. This preserves chat history for other users while removing your identity.
• Moderation records: Cheat flags, abuse reports, and ban records associated with your username may be retained for safety and enforcement purposes. These records are stripped of personal identifiers (such as email address and IP address) but the username may be retained to prevent ban evasion and protect the community. Retention of these records constitutes a legitimate interest under applicable data protection law.

Ruststead offers optional browser push notifications to alert you to in-game events, reminders, and updates. Push notifications are entirely optional and require your explicit consent before they are activated.

When you enable push notifications, your browser generates a push subscription token which is stored on our servers and associated with your account. This token is used solely to deliver notifications from Ruststead to your device and is not shared with any third party.

To disable push notifications: You may opt out at any time by adjusting your notification settings within the game, or by revoking notification permissions in your browser settings. Upon opt-out or account deletion, your push subscription token is immediately removed from our servers.

Ruststead uses browser-side storage technologies to enhance your gameplay experience:

• LocalStorage: Used to store UI preferences such as town layout configurations and display settings. This data is stored locally on your device and is not transmitted to our servers except as part of gameplay saves.
• Session Cookies: We may use strictly necessary session cookies for authentication and security purposes. These cookies do not track you across other websites and are not used for advertising.

We do not use tracking cookies, third-party cookies, advertising cookies, or persistent analytical cookies. We do not participate in cross-site tracking or behavioral advertising of any kind.

You can clear locally stored data at any time through your browser's settings. Note that clearing local storage may reset certain UI preferences, though your account data is stored server-side and will not be lost.

Do Not Track: Ruststead does not respond to browser "Do Not Track" signals because we do not engage in cross-site tracking or behavioral advertising.

Ruststead features a premium in-game currency called Subsidies, which can be purchased using real money through our in-game shop. Depending on the platform you use, purchases are processed by Stripe (web browser) or Google Play (Android), both certified third-party payment processors.

When you complete a Subsidies purchase, Ruststead Dev receives a payment confirmation from Stripe via a secure webhook. The following limited transaction data is retained on our servers for account management and fraud prevention purposes:

• Your Ruststead username
• The Subsidy package purchased (e.g., name and quantity)
• The transaction amount (in USD)
• The Stripe Checkout Session identifier (a non-sensitive reference ID)
• The date and time of the transaction

This transaction data is used solely for fulfilling your purchase, preventing duplicate credits, resolving disputes, and complying with applicable legal obligations. It is not used for advertising or shared with third parties beyond the requirements of those purposes.

By initiating a purchase, you also agree to the terms of the applicable payment processor: Stripe's Terms of Service or Google Play's Terms of Service. Each processor may collect additional data as described in their own privacy policies.

To maintain a safe and fair game environment, Ruststead Dev operates moderation systems that may collect and retain certain data:

• Cheat Detection: IP addresses and gameplay patterns may be analyzed to identify cheating, exploitation of game mechanics, or unauthorized automation. IP data used in this context is not shared with third parties and is not used for advertising.
• Abuse Reports: Players may submit reports against other players for conduct violations. These reports are reviewed by administrators and stored for enforcement purposes.
• Administrative Actions: Administrators may apply sanctions including chat bans and full account bans. Records of these actions are retained for safety and enforcement continuity.
• Private Messages: Private messages are not end-to-end encrypted and may be reviewed by authorized administrators when reasonably necessary for moderation, abuse investigations, legal compliance, or security purposes.

Retention of moderation and anti-cheat records is based on our legitimate interest in maintaining the safety, integrity, and security of the service and preventing ban evasion, fraud, and abuse. As described in Section 8, such records may be retained following account deletion and are minimized to contain only the information necessary for their enforcement purpose.

If you believe a moderation action against your account was made in error, you may appeal by contacting us at support@ruststeadrpg.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the game's features. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page;
• Post a notice within the game or on our website at ruststeadrpg.com; and
• Where required by law (for example, for material changes affecting EU/UK users), provide advance notice and, if necessary, seek renewed consent.

Your continued use of Ruststead following the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. If you do not agree to the changes, you should cease using the game and may request account deletion pursuant to Section 8.

We encourage you to review this policy periodically. Archived versions of this policy may be requested by contacting us at the address below.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact Ruststead Dev using the details below. We are committed to resolving privacy inquiries promptly and transparently.

EU and UK residents also have the right to lodge a complaint directly with their national data protection authority if they are not satisfied with our response.

Any disputes relating to privacy or data protection shall be governed by applicable law and handled in accordance with the dispute provisions outlined in our Terms of Service.

We aim to respond to all privacy-related requests within 30 calendar days. For complex requests, we may extend this period by a further 60 days where necessary, in which case we will notify you of the extension and the reasons for the delay within the initial 30-day period.