Privacy Policy
Last updated July 13, 2026
This Privacy Policy explains how Spectrum Labs LLC (“Spectrum Labs”, “we”, “us”, or “our”), a limited liability company organized in South Carolina, United States, collects, uses, shares, and protects information when you play Vibe Code Dev Story (the “Game”) or visit vibecodedevstory.com, play.vibecodedevstory.com, and our related services (together, the “Services”).
We built the Services to collect as little personal data as possible. You can play anonymously without an account, our analytics are cookieless, and we don’t sell your personal information or use it for cross-site advertising. If you have any questions, reach us through our contact page.
1. Information we collect
Playing anonymously
You can play the Game without creating an account or giving us your name or email. When you play, the Game creates an anonymous player record identified only by a randomly generated identifier so your progress, achievements, and settings work. Your in-progress game, preferences, and a few caches are stored on your own device (see Cookies and local storage) and are not sent to us unless you choose to sign in, share a run, or submit to a leaderboard.
Account and sign-in
Signing in is optional and uses a “magic link.” We do not use or store passwords. When you sign in we collect and store your email address (stored in lowercase), the time your email was verified, and a fun, auto-generated public handle (for example, “async-gremlin”). Your email is never displayed publicly — your handle is the only public identifier. To keep you signed in we store a securely hashed session (refresh) token; we never store the raw token.
Gameplay and leaderboards
When you submit a ranked run or share a run, we store a server-verified record of that run so results can’t be faked. This includes the run’s seed and the sequence of moves you made, your chosen initials (1–3 characters), difficulty, outcome, turns, valuation, peak users/revenue, founder and company names you chose, achievements, and folded career statistics (games played, wins, best valuation, and similar). Raw shareable run records may be archived in our object storage. Leaderboard entries (initials and stats), shared run cards, achievements, and public profiles (your handle, join date, and shared runs) are publicly visible by design.
Launch notifications and marketing
If you ask us to notify you (for example, the “notify me at launch” form or the in-game toggle), we store your email address, the interests you selected (such as updates, Steam, Epic, or mobile), and where the opt-in came from. Submitting the launch-notification form may create an account keyed to your email so we can remember your preference; this does not verify your email or sign you in. Every marketing email includes a one-click unsubscribe link, and you can opt out at any time.
Purchases
Paid unlocks are processed by Stripe. We do not receive or store your full card number or payment credentials — Stripe handles payment card data directly on its hosted checkout. We store only a Stripe customer reference, an order reference (for receipts, refunds, and fraud matching), and the entitlement (what you own). Purchases you make through a platform store (such as Steam, Epic, Apple, or Google, if and when offered) are processed by that platform under its own terms.
Support and contact
When you contact us, we collect the name, email address, and message you provide, and we may store the IP address of the request for spam triage. We use this only to respond to you and keep our support queue workable.
Technical and usage information
Like any internet service, our servers process your IP address and basic request metadata to operate the Services — for rate limiting, security, fraud and abuse prevention, anti-bot checks (Cloudflare Turnstile on our forms), and diagnostics. To detect cheating we record anonymized timing signals for ranked runs (for example, elapsed time and actions-per-turn) as flags; these do not include your IP address or any device fingerprint, and we do not fingerprint your device.
Analytics
We use Plausible Analytics, a privacy-friendly, cookieless analytics tool that we run on our own infrastructure. It measures aggregate traffic (page views, referrers, approximate country, and unique-visitor counts) without cookies and without building advertising profiles. To count unique visitors and approximate country, your IP address and browser are used transiently to compute a daily-rotating, one-way hash; the raw IP address is not stored by the analytics tool. We do not track you across other websites.
2. How we use information
We use the information above to:
- Provide, operate, and maintain the Game and the Services;
- Create and manage your optional account and sign you in via magic link;
- Run leaderboards, shareable runs, achievements, and public profiles;
- Process purchases and manage what you own;
- Send you transactional email (such as sign-in links and support replies) and, if you opt in, launch/update notifications;
- Keep the Services secure — prevent fraud, abuse, and cheating, and enforce fair play;
- Respond to your questions and support requests;
- Understand aggregate usage to improve the Game; and
- Comply with legal obligations and enforce our Terms of Service.
3. Legal bases (EEA/UK)
If you are in the European Economic Area or the United Kingdom, we process your personal data on these legal bases: performance of a contract (providing accounts, gameplay, and purchases you request); legitimate interests (securing the Services, preventing fraud and cheating, and understanding aggregate usage through privacy-preserving analytics); consent (sending marketing/launch emails, which you may withdraw at any time); and compliance with legal obligations. Where we rely on legitimate interests, we balance them against your rights.
4. Cookies and local storage
Our marketing site does not set advertising or tracking cookies, and our analytics are cookieless. We use only the following:
- Strictly-necessary sign-in cookies. If you sign in on the web, our API sets secure, HttpOnly session cookies (a short-lived access cookie and a longer-lived refresh cookie) so you stay signed in. These are set only after you choose to sign in and are used only for authentication. The native app uses tokens instead of cookies.
- Anti-bot. Cloudflare Turnstile, used on our contact and notification forms to block automated abuse, may set its own cookie or local storage as part of the challenge.
- On-device storage. The Game stores data locally in your browser or device to work, including your in-progress game, your accessibility and audio preferences, an offline queue of finished runs waiting to be submitted, and small caches (such as a sign-in hint and cached entitlements/achievements). This stays on your device and is not, by itself, transmitted to us.
5. How we share information (service providers)
We do not sell your personal information and we do not share it for cross-context behavioral advertising. We share information only with service providers who process it on our behalf to run the Services, and where required by law. Our key providers are:
- Cloudflare — website and game hosting, content delivery, edge network, and Turnstile anti-bot;
- Amazon Web Services (SES) — sending transactional and notification email;
- Stripe — payment processing;
- Plausible — cookieless analytics (self-hosted by us);
- OVHcloud and our own servers — application hosting, databases, and object storage.
Some of this infrastructure (for example, our payment and analytics accounts) is shared across Spectrum Labs’ products with logical separation so each product’s data is kept apart. If we later offer the Game on platform stores (Steam, Epic, Apple, Google), those platforms will process the data needed to deliver your purchase and, where you link an account, a platform identifier used to recognize you. We may also disclose information to comply with the law, enforce our Terms, protect our rights and users’ safety, or in connection with a business transfer.
6. How long we keep information
- Account data is kept while your account exists and until you ask us to delete it.
- Anonymous player data is retained only as needed and may be periodically cleaned up.
- Sign-in links are single-use and expire quickly; session tokens are stored hashed and rotate.
- Leaderboard entries and shared runs remain until removed by you or by us (for example, for cheating).
- Support messages and logs are kept for a limited period for security and record-keeping.
7. Your privacy rights
Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent. You can unsubscribe from marketing emails at any time using the link in each email or the in-game setting. To make any other request, contact us through our contact page; we will verify and respond as required by law. You also have the right to complain to your local data protection authority.
8. U.S. state privacy rights
If you are a resident of California or another U.S. state with a comprehensive privacy law, you may have rights to know, access, correct, delete, and obtain a portable copy of your personal information, and to opt out of the “sale” or “sharing” of personal information and of targeted advertising. We do not sell or share personal information for cross-context behavioral advertising, and we do not use it for targeted advertising. We will not discriminate against you for exercising your rights. To exercise any right, use our contact page.
9. Children’s privacy
The Services are intended for a general audience and are not directed to children under 13, and we do not knowingly collect personal information from children under 13. Where local law sets a higher minimum age for consent to online services (for example, up to 16 in parts of the European Economic Area), that higher age applies unless a parent or guardian provides consent. If you believe a child has provided us personal information, please contact us through our contact page and we will delete it.
10. International data transfers
We are based in the United States and our providers may process data in the United States, the European Union, and other countries. When we transfer personal data across borders, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) where required by law.
11. How we protect information
We use encryption in transit (HTTPS), store session tokens only in hashed form, keep passwordless sign-in, restrict internal/administrative access behind zero-trust controls, and design our systems to minimize the personal data we hold. No method of transmission or storage is perfectly secure, but we work to protect your information and to respond promptly to any incident.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will change the “Last updated” date above and, for material changes, provide a more prominent notice. Your continued use of the Services after an update means you accept the revised policy.
13. How to contact us
Spectrum Labs LLC (South Carolina, United States) is the controller responsible for your personal data. For any privacy question or request — including access, correction, or deletion — please reach us through our contact page.
See also our Terms of Service.