Trraform Privacy Policy

Last updated 17 April 2025

Last updated: 17 April 2025

1. Introduction

Trraform (“Trraform,” “we,” “us,” or “our”) provides an online voxel‑world project accessible at trraform.com (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service. If you do not agree with this Policy, please do not use the Service.

For data‑protection purposes Trraform is the data controller. You can reach us at [email protected].

2. Information We Collect

2.1 Account Information

  • E‑mail address
  • Username
  • Password hash (bcrypt)
  • Stripe customer ID (no card data stored by us)

2.2 Content & Builds

Any data you voluntarily upload to your voxel plots—such as build data, names, descriptions, or links—may be public and can contain personal data if you choose to include it.

2.3 Payment & Subscription Data

Payments are processed by Stripe. We receive and store only non‑sensitive metadata such as customer IDs, subscription status, and payment timestamps.

2.4 Analytics & Usage Data

We use Cloudflare’s built‑in analytics to obtain aggregated traffic insights (e.g., page views, bandwidth, anonymized IP ranges). No additional analytics scripts are deployed.

2.5 Cookies & Local Storage

We set first‑party cookies or local‑storage tokens to:

  • Keep you signed in between sessions
  • Remember whether to show onboarding modals or similar UI state

We do not set third‑party cookies. Google and Cloudflare may set cookies when you use Google sign‑in or Cloudflare Turnstile.

2.6 Voluntary Reports

If you submit a plot report or support request we store the information you provide.

3. How We Collect Information

  • Directly from you: via registration forms, plot editors, reports, and e‑mail correspondence.
  • Automatically: server and Cloudflare logs, first‑party cookies/local storage.
  • From third parties: OAuth login with Google and payment metadata from Stripe.

4. Why We Use Information

  • Operate, maintain, and improve the Service (legal basis: Contract)
  • Process payments and manage subscriptions (Contract)
  • Provide customer support and respond to reports (Contract)
  • Send transactional emails such as account‑verification and password‑reset messages (Contract)
  • Ensure security, prevent fraud, and fix errors (Legitimate Interest)
  • Measure performance with aggregated analytics (Legitimate Interest)
  • Use cookies and Google sign‑in (Consent where required)

5. Sharing & Disclosure

5.1 Service Providers

We share information with vendors who help us run the Service, including:

  • Cloudflare (Pages, R2, Turnstile, analytics, edge caching)
  • Stripe (payments)
  • MongoDB Atlas (database)
  • AWS (backups)
  • Discord (error‑logging webhook)

5.2 Public Content

Usernames and all voxel builds as well as plot names, descriptions, and links are inherently public.

5.3 Legal Requirements & Business Transfers

We may disclose information if required by law or to protect the rights and safety of Trraform or others. If the project is sold or transferred, user data will transfer with it.

6. International Data Transfers

We store and process data in the United States. If you reside outside the U.S., especially in the EU/EEA, your data will be transferred to the U.S. We rely on Standard Contractual Clauses to legitimize such transfers.

7. Data Retention

We keep account data for as long as you have an account and for up to 30 days after deletion to allow recovery. Server logs are retained for operational purposes with no set deletion date. Backups are rotated on a regular schedule.

8. Your Rights & Choices

Depending on where you live, you may have the right to:

  • Access and receive a copy of your personal data
  • Correct inaccurate or incomplete data
  • Delete your account, plots, and related data
  • Port your data in a structured, machine‑readable format (JSON)
  • Opt‑out of non‑essential emails
  • Send a Do Not Track or Global Privacy Control signal, which we honor for analytics cookies

To exercise any of these rights, email [email protected].

9. Children’s Privacy

Trraform is not directed to children under 13. Users aged 13–17 must have a parent or legal guardian’s consent. We do not knowingly collect data from anyone under 13.

10. Security

  • All traffic encrypted via TLS
  • Passwords hashed with bcrypt
  • Web Application Firewall and rate limiting on critical routes
  • 2‑factor authentication on admin accounts
  • Least‑privilege staff access to production systems

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via a banner on the homepage and will take effect when posted unless stated otherwise.

12. Contact Us

For questions or concerns about this Privacy Policy, contact us at [email protected].