Privacy Policy
Effective April 24, 2026. Last updated April 24, 2026.
Summary. We only collect what we need to run KUBORA: the email you sign up with, the content you choose to upload, and basic telemetry to keep the client stable. We don't sell personal data. We don't train AI models on your content. You can export or delete your data at any time from the settings panel or by emailing us.
1. Data we collect
1.1 You give us
- Account data: email address, display name, password hash (we never store plaintext passwords), optional avatar image.
- Billing data: if you subscribe, our payment provider handles your card details; we only store the subscription state (active / cancelled / past-due), the last four digits of the card, and invoice history.
- Your Content: worlds, scripts, 3D assets, messages you post in multiplayer rooms, support-ticket messages.
- Waitlist data: email address and the date you joined.
1.2 We collect automatically
- Technical data: IP address (truncated before storage), coarse country derived from IP, client version, operating system and GPU model (for crash triage), session timestamps.
- Crash reports: when the client crashes we capture a stack trace and the set of files the world depends on. You can disable crash reports in Settings → Privacy.
- Usage analytics (aggregated): how often core features are used (e.g. "edited script", "published world"), without tying that usage to a specific account. No page-level tracking.
1.3 From third parties
- Payment status and invoice metadata from our payment provider.
- Abuse signals from services we use to protect logins (e.g. common-password lists, IP-reputation).
2. How we use it
- To provide the Service — authentication, cloud sync, publishing, multiplayer.
- To keep the Service safe — detect and prevent fraud, abuse, spam, and unauthorized access.
- To bill paid subscriptions and pay out creator revenue.
- To reply to support requests and send essential service messages (receipts, security alerts).
- To fix bugs and improve the product, based on aggregated usage and crash data.
- To comply with legal obligations (tax, accounting, lawful government requests).
We do not sell your personal data. We do not use Your Content to train AI models. We do not run third-party advertising on KUBORA.
3. Legal bases (GDPR)
Where the GDPR applies we process your data under:
- Contract — to provide features you asked for (account, multiplayer, subscriptions).
- Legitimate interests — to keep the Service secure and stable, and to improve it based on aggregated metrics.
- Consent — for optional things like the newsletter, where we'll ask you first and where you can withdraw consent at any time.
- Legal obligation — tax, accounting, responding to lawful government requests.
5. How long we keep it
- Account and profile data — until you delete your account.
- Your Content — until you delete it. Deleted content is purged from live systems immediately and from backups within 90 days.
- Billing records — 7 years after the transaction (tax requirement).
- Crash reports and logs — 30 days.
- Waitlist emails — until launch, then archived for one year in case of re-launch comms, then deleted.
7. Your rights
No matter where you live, you have the following rights over your personal data with KUBORA. If you're in the EU, UK, California, or certain other jurisdictions, these are also enforceable under local law (GDPR, UK-GDPR, CCPA):
- Access a copy of the data we hold about you.
- Correct anything inaccurate.
- Delete your account and personal data.
- Export your data in a portable format (JSON + assets archive).
- Object to processing based on legitimate interests.
- Restrict processing while a dispute is resolved.
- Withdraw consent for optional things at any time.
- Complain to your local data-protection authority if you think we've misused your data.
Most of these work directly from Settings → Privacy in the desktop client. You can also email privacy@kubora.net and we'll respond within 30 days (usually much faster).
8. Security
We use encrypted transport (TLS 1.2+) for everything in transit and encryption at rest for databases and backups. Passwords are stored only as salted hashes (Argon2id). Access to production systems is restricted to a small number of maintainers and uses two-factor authentication. If we experience a data breach that affects you, we'll notify you within 72 hours.
9. Children
KUBORA is not directed at children under 13. We do not knowingly collect personal data from children under 13. If we learn that a child under 13 has created an account, we'll delete it. Parents: email privacy@kubora.net if you believe your child has signed up and we'll help.
10. International transfers
KUBORA's servers and backups are located in the EU (Frankfurt) and the US. If you're outside those regions, your data may be transferred across borders. Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the EU Commission.
11. Changes
We'll post any changes to this policy on this page and, if changes are material, email you 30 days before they take effect. The "Last updated" date at the top always reflects the current version.
12. Contact & DPO
Privacy questions and data-subject requests: privacy@kubora.net. Security reports: security@kubora.net. General support: hi@kubora.net.