ARCADEBOX
YOUR DATA, STRAIGHT UP

Privacy Policy

Last updated: 28 June 2026 · Draft

The short version

ArcadeBox is an AI game maker: you describe a game in plain English and we build you a playable 3D game. To do that, we keep an account for you, run your prompts through AI services, store the games you make, and handle your Coins and payments. This page explains, in plain English, what we collect, why, who we share it with, and the controls you have. No jargon dumps — promise.

If you only read one thing: we don't sell your personal data, your typed prompts and any images you upload are sent to the AI providers that build your game, and you can delete your account (and everything in it) at any time.

1. Who we are (the data controller)

ArcadeBox is operated by Ailora Limited ("ArcadeBox", "we", "us", "our"), registered at [registered address — to be confirmed].

For privacy questions, requests, or complaints, contact us at privacy@arcadebox.ai.

For the purposes of UK and EU data protection law, ArcadeBox is the "data controller" of your personal data — meaning we decide what we collect and why.

2. What we collect

We try to collect only what we need to run ArcadeBox. Here's the full list.

Information you give us

  • Account & sign-in details. ArcadeBox uses passwordless sign-in (handled by Supabase Auth). Depending on how you sign in, this means your email address (for a magic email link), or your Google or GitHub account profile (such as your email, name, and avatar) if you choose to continue with one of those. We don't store your password — there isn't one.
  • Your profile. A username and display name, and an optional avatar.
  • The prompts you type. The plain-English descriptions and instructions you send to BIT in the Studio to build and iterate on your game.
  • Reference images you upload. Any image you attach to a prompt (for example, to "vibe-match" a look, or a photo/picture you upload to turn into a 3D model).
  • The games you create. The structured game design we generate from your prompts (your "GameSpec"), your game's title, theme, version history, and any 3D models or other assets you generate or upload. (More on what a "game" is in section 6.)
  • Support messages. Anything you send us when you ask for help or contact us.

Information created as you use ArcadeBox

  • Coins & plan data. Your Coin balance (both bought/plan Coins and your daily Free Play allowance) and your Coin ledger — the permanent receipt book of every Coin movement (e.g. −1 for a build, +120 for a pack).
  • Plan & subscription status. Which plan you're on (Free Play, Pro, or Studio) and your subscription state.
  • Play & social activity. Records of games you play, play counts, and likes — used to power The Arcade (our public gallery) and Free Play limits.
  • Payment information. When you buy Coins or a plan, Stripe processes the payment. We receive confirmation that you paid plus limited billing details (such as a Stripe customer ID and the last four digits / card brand for your records). We never see or store your full card number — Stripe handles that directly.
  • Usage, log & device data. Standard technical data such as IP address, browser/device type, timestamps, pages and features used, and error logs. This helps us keep the service running, secure, and reliable.
  • Cookies & local storage. Small bits of data stored in your browser to keep you signed in and remember session state (see section 11).

Information we do not collect

  • We don't collect special-category data (like health or biometric data) on purpose. Please don't put sensitive personal information into prompts or uploaded images.
  • We don't store your card numbers.

3. How we use your information

We use your data to:

  • Run ArcadeBox — create and manage your account, sign you in, show your cabinet (your saved games), and keep your Coin balance accurate.
  • Build your games — send your prompts and any attached images to our AI providers to generate your GameSpec and 3D models, then store and serve the result.
  • Process payments — take payments for Coins and plans via Stripe, and credit your wallet.
  • Provide The Arcade — show games you've chosen to share publicly, with your username, plus play counts and likes.
  • Support you — answer your questions and fix problems.
  • Keep things secure and reliable — detect abuse, prevent fraud, debug errors, enforce limits (like Free Play allowances and the refund-on-failed-build promise), and protect ArcadeBox and its users.
  • Improve the service — understand which features are used and where builds fail, so we can make ArcadeBox more reliable.

Our legal bases (UK/EU users)

Where UK-GDPR / EU-GDPR applies, we rely on these legal bases:

  • Performing our contract with you — to run your account, build your games, and process the Coins/payments you ask for.
  • Legitimate interests — to secure the service, prevent abuse and fraud, and improve ArcadeBox (balanced against your rights).
  • Legal obligation — to keep records we're required to keep (e.g. tax/payment records).
  • Consent — for any optional cookies/analytics or marketing where consent is required; you can withdraw consent at any time.

4. Do we train AI on your data?

ArcadeBox does not build or train its own AI models. We use third-party AI providers (see section 5) to generate your games and 3D models. We do not use your private prompts, uploaded images, or games to train an ArcadeBox model, because we don't have one.

To run and improve the service, we may review and analyze prompts, builds, and errors — including in aggregated or de-identified form — to fix bugs and make generation more reliable. When you choose to share a game to The Arcade, that game (and your username) becomes public by your choice.

5. Who we share your data with (our subprocessors)

We don't sell your personal data. We do share it with a small set of trusted service providers ("subprocessors") who help us run ArcadeBox. Each gets only what it needs.

  • Supabase — accounts/sign-in, database, and file storage (EU region, eu-west-1). Receives your account, profile, games, Coins ledger, uploaded images, and generated assets.
  • Stripe — payments for Coins and plans. Receives your payment details and billing info (Stripe handles card data directly).
  • OpenAI (model gpt-5-mini) — generates your game design from your prompt. Receives the prompts you type and any reference images you attach.
  • Meshy AI — generates 3D models from text or images. Receives the text and/or images you submit for 3D model generation.
  • Cloudflare (Workers, KV, Durable Objects, Pages) — serves the website, runs the generation backend, caches game blueprints, powers real-time multiplayer rooms, and hosts the app. Receives requests and technical data needed to serve you; game blueprints; multiplayer session data.

Important — about AI providers: to build what you ask for, your prompts and any images you upload are transmitted to OpenAI and/or Meshy AI. That content is processed under those providers' own terms and privacy policies. Don't include anything in a prompt or image that you wouldn't want sent to a third-party AI service.

We may also share data:

  • To comply with the law — if required by a valid legal request, or to protect our rights, users, or the public.
  • In a business transfer — if ArcadeBox is involved in a merger, acquisition, or sale of assets, your data may transfer to the new owner (we'll tell you if so).

We do not sell your personal data, and we don't share it with advertisers for their own marketing.

6. Your games, prompts, and content

A few words on what your "game" is, because ArcadeBox works differently from some tools:

  • What you make and keep. Your "game" is made up of: your prompts, the resulting GameSpec / design, any assets you upload or generate, and the playable builds (the in-browser game and, on eligible plans, a downloadable Windows .exe). These are yours — you can keep them, share them, or delete them.
  • What you don't receive. ArcadeBox does not generate a separate copy of game source code for each game. Every game runs on a single, hand-built ArcadeBox runtime engine that we own and that interprets your GameSpec. You don't receive or own that runtime/engine source code.

Note: per-game source export (e.g. an engine project you can edit yourself) is not a feature today. If we add anything like it in future, we'll update this policy.

  • No game marketplace yet. There is currently no on-platform marketplace to sell games through ArcadeBox. (Commercial use is governed by your plan and our Terms.) If we ever add on-platform selling or revenue sharing, we'll update this policy and our Terms first.

7. International data transfers

ArcadeBox is built on services in different countries:

  • Supabase stores your account, database, and files in the EU (eu-west-1).
  • Some providers — including OpenAI, Meshy AI, and Cloudflare — are based in or operate from the United States and other countries, so your data (including prompts and images you submit) may be processed outside your home country, including outside the UK/EEA.

Where we transfer personal data internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum (and, where applicable, the providers' certifications under frameworks like the EU–US Data Privacy Framework).

8. How long we keep your data

  • We keep your account data and the games in your cabinet for as long as your account is active.
  • The Coin ledger and certain payment/transaction records are kept as long as needed for accounting, fraud-prevention, and legal/tax obligations, even after individual games are deleted.
  • Logs and technical data are kept for a limited period for security and debugging.
  • When you delete your account (see section 9), we delete or de-identify your personal data, except where we're legally required to keep certain records.

9. Deleting your account and your data

You can delete your ArcadeBox account at any time. Deleting your account cascades — it removes your profile, your games and their version history, your Coins balance and wallet, your plays/likes, and your uploaded/generated assets.

A few things to know:

  • Deletion is permanent. Once your games and Coins are gone, we can't get them back. Any unused Coins are forfeited on deletion (Coins have no cash value and aren't refundable except as described in our Terms).
  • Public traces. If you shared games to The Arcade, deleting your account removes them from the gallery, though cached or copied versions may persist briefly.
  • Records we must keep. We may retain limited payment/transaction records as required by law (section 8).

To delete your account, use the in-app account settings, or email privacy@arcadebox.ai.

10. Your rights

Depending on where you live, you have rights over your personal data.

If UK/EU data protection law applies to you, you can:

  • Access the personal data we hold about you.
  • Correct data that's wrong or incomplete.
  • Delete your data ("right to be forgotten").
  • Port your data — get a copy in a portable format, or have it sent to another service where feasible.
  • Object to or restrict certain processing (including processing based on our legitimate interests).
  • Withdraw consent at any time where we relied on consent.
  • Complain to your data protection authority — in the UK, the Information Commissioner's Office (ICO); in the EU, your local supervisory authority. (We'd appreciate the chance to sort it out first.)

If you're in California (CCPA/CPRA) or another US state with privacy laws, you have rights to know what we collect, to access and delete your data, to correct it, and to opt out of any "sale" or "sharing" of personal data. We do not sell your personal data. We won't discriminate against you for exercising your rights.

To exercise any right, email privacy@arcadebox.ai. We'll verify your identity (usually via your account email) and respond within the time the law requires. These rights are free to use, within reason.

11. Cookies and local storage

ArcadeBox uses cookies and browser local storage to:

  • Keep you signed in (your secure session token).
  • Remember settings and state as you move around the Studio and the site.
  • Understand usage so we can improve the service (analytics).

We aim to use only what's needed to run the service plus basic analytics. We don't use cookies to build advertising profiles or to share data with ad networks.

12. How we protect your data

Reliability and safety are core to ArcadeBox. Among other measures, we:

  • Enforce Row-Level Security (RLS) in our database, so you can only read and write your own data — even a hacked browser can't touch someone else's games or Coins.
  • Keep money and Coin operations server-side only, behind secret keys the browser never sees, so balances can't be tampered with from the client.
  • Use passwordless sign-in, so there are no passwords for us to lose or for attackers to steal.
  • Store secrets and API keys securely and limit who can access production systems.
  • Rely on reputable infrastructure providers (Supabase, Cloudflare, Stripe) with their own strong security programs.

No system is 100% secure, but we work hard to protect your data and to fix issues quickly.

13. Children

ArcadeBox isn't intended for young children. You must be at least 16 years old to use ArcadeBox, or older if your country requires it. If you're under the age of majority where you live, you should have a parent or guardian's permission. We don't knowingly collect personal data from children under this age; if we learn we have, we'll delete it.

14. Changes to this policy

We may update this policy as ArcadeBox grows or the law changes. If we make material changes, we'll let you know — for example, by posting the new version here with a new "Last updated" date and, where appropriate, by notifying you in-app or by email. Continuing to use ArcadeBox after a change means you accept the updated policy.

15. Contact us

Questions, requests, or concerns about your privacy?

Ailora Limited
[registered address — to be confirmed]
Email: privacy@arcadebox.ai

BIT will pass it on. 🕹️

Ready to build?

Turn your game ideas into reality.

Make my game