# gLOGGED Privacy Policy

**Effective Date:** May 1, 2026
**Version:** 1.2
**Last Updated:** June 9, 2026

> **Plain-language summary (not part of this policy):** We collect the information you give us (email, password, date of birth, profile details, what you post) and some information automatically (IP address, device type, usage patterns) so we can run and improve gLOGGED, keep it safe, and — if you subscribe — bill you. We don't sell your data. If you turn on push notifications, your browser gives us a subscription so we can send them to your device, and you can turn them off anytime. Users under 13 aren't allowed on gLOGGED. Users 13–17 have extra protections described in our [Children's Privacy Notice](childrens-privacy.md). You can access, correct, export, or delete your data — see Section 8.

---

## 1. Who We Are

This Privacy Policy describes how **Inflaite LLC** ("**gLOGGED**", "**we**", "**us**", "**our**"), a Utah limited liability company with its principal office at 1027 W 250 S Apt C104, American Fork, UT 84003, collects, uses, shares, and protects personal information when you use the Service (as defined in our [Terms of Service](terms-of-service.md)).

Where the GDPR (or UK GDPR) applies to your use of the Service, Inflaite LLC acts as the "**controller**". Where the CCPA/CPRA applies and to the extent statutory thresholds are met, Inflaite LLC acts as the "**business**"; we voluntarily honor the consumer rights described in Section 8 regardless of whether those thresholds are met. The Service is operated from the United States and is not directed to users outside the United States; see Section 6.

If you have privacy questions or requests, contact us at **`privacy@glogged.com`** or by mail at Inflaite LLC, Attn: Privacy, 1027 W 250 S Apt C104, American Fork, UT 84003.

---

## 2. Scope

This Privacy Policy applies to personal information we collect through:

- The gLOGGED website at glogged.com and sub-domains;
- Any gLOGGED mobile or desktop application;
- Our API and authenticated integrations;
- Email and other communications we send or receive;
- Customer-support interactions.

It does **not** apply to third-party services we link to or integrate with (such as IGDB, Google, Discord, Twitch, Stripe, or the sister platform gLIVED), which have their own privacy practices.

---

## 3. Information We Collect

### 3.1 Information You Provide

**Account registration:**
- Email address (required)
- Password (if you register with email/password — stored only as a one-way hash; never retained in plaintext)
- Username (required, 3–30 characters, alphanumeric + underscore)
- **Date of birth** (required — used to enforce the 13+ age requirement and to apply minor protections for ages 13–17; see [Children's Privacy Notice](childrens-privacy.md))
- Display name (optional)
- Bio (optional, up to 500 characters)
- Avatar image (optional)
- Profile banner image (optional, for subscribing users)
- Time-zone preference (optional)
- Content-rating preference (optional, within age-appropriate limits)

**OAuth sign-in:** If you sign in with Google, Discord, or Twitch, we receive the email address, username/name, and profile picture URL the provider shares with us. We do not receive your password from these providers.

**Optional profile fields:**
- Steam profile identifier and Steam username (if you link them, for display and library import)
- Pinned favorite games (IGDB IDs you select)
- Profile privacy setting (public or private)
- External links you attach to games or entries

**User Content you submit:**
- Journal entries (text, images, mood, entry type, hours-at-entry, spoiler flag, entry-level external links)
- Reviews (rating 0.5–5.0 stars, written text, spoiler flag)
- Lists (title, description, ordered game selections, cover image)
- Comments and replies
- Custom game submissions (title, platform, cover URL, screenshots)
- Reports submitted through the reporting tool
- Appeals of moderation actions

**Subscription and payment:**
- Your selected tier (Player/Champion/Legend) and payment method details — payment card data is collected and processed by our payment processor (**Stripe**) directly; we receive only a Stripe customer ID, subscription status, tier, renewal dates, and the last four digits and brand of your card for display. We do not store full card numbers.
- Gift-code purchase records (buyer email, recipient email, tier, code, status)

**Developer credits and verification (optional):** If you use Developer Mode features to claim that you worked on a game, or apply to be recognized as a verified developer, we collect:
- Game credits you claim (the game, the role you select, and an optional free-text role title), along with your acknowledgement that you personally worked on the game
- Developer-verification requests you submit (the evidence links you provide — such as store pages, studio pages, or public credits — and any explanatory note), the request status, the decision and any reviewer note, and the related timestamps
- Whether your account is marked as a verified developer

You provide this information voluntarily. Submitting a knowingly false credit or verification claim may result in moderation action up to account termination (see our [Community Guidelines](community-guidelines.md)).

**Communications:** Emails you send us (to `support@glogged.com`, `privacy@glogged.com`, etc.), feedback and survey responses, and bug reports.

**Waitlist signups:** If you join a waitlist before registering, we collect your email address and the signup timestamp.

### 3.2 Information Collected Automatically

When you access the Service, we automatically collect:

- **IP address** (used for rate limiting, abuse prevention, rough geolocation for legal compliance, and security)
- **Device and browser information** (type, operating system, browser type and version, screen size, language, user-agent)
- **Log data** (requests, timestamps, URLs accessed, HTTP status codes, response times, referrer)
- **Session data** (sign-in state, CSRF token, session expiry, session metadata)
- **Usage data** (pages viewed, features used, searches performed, content created or viewed, interactions such as likes, follows, and lists)
- **Activity timestamps** (`lastLoginAt`, content creation times)
- **CAPTCHA signals** (used to distinguish humans from bots)
- **Error and diagnostic data** (client-side and server-side errors — if an error-monitoring service is enabled, limited error context may be sent to it; personally identifiable content is minimized)
- **Push notification data** (*only if you turn on push notifications*): a "push subscription" your browser generates — an endpoint URL issued by your browser's or operating system's push service, two cryptographic keys (a public key and an authentication secret) used to encrypt messages to your device, and your user-agent. This is stored per device and linked to your account until you disable push. Push is off by default and entirely opt-in.

### 3.3 Information from Third Parties

- **OAuth providers (Google, Discord, Twitch):** the identity and profile fields described in Section 3.1.
- **IGDB (operated by Twitch):** game metadata you view or that is cached in response to your searches — this is *third-party* content, not personal information about you, but your searches inform what is cached.
- **Stripe:** subscription, payment, and customer-management data as described above.
- **Cloudflare Turnstile:** anti-bot verification outcomes.
- **Email delivery / spam feedback:** if our email-delivery provider returns bounce, complaint, or delivery notifications for messages we send you, we ingest those to maintain sending quality.
- **Steam (optional):** if you link a Steam profile, limited public Steam profile data necessary to resolve your Steam ID.
- **Referrals and links:** if you arrive from another site, we may log the referring URL.

### 3.4 Cookies and Similar Technologies

We use cookies and similar technologies to operate and secure the Service. See Section 7 (Cookies) for details.

### 3.5 Sensitive Information

We do not knowingly collect biometric identifiers, precise geolocation, government ID numbers, financial account numbers (beyond what Stripe processes), health data, or data revealing racial or ethnic origin, political opinions, religious beliefs, union membership, genetic data, sex life, or sexual orientation. **Please do not submit such information through the Service.** If you voluntarily include any of these categories in User Content, you do so at your own risk.

---

## 4. How We Use Information

We use the information described in Section 3 for the following purposes:

**4.1 To provide the Service**
- Create and authenticate your account; maintain your session; apply your preferences
- Display your profile, library, journal entries, reviews, lists, and other User Content you elect to make public
- Sync and display game metadata from IGDB
- Process subscriptions, gift-code purchases, renewals, and related billing

**4.2 To personalize and improve**
- Recommend games, lists, users, and tags based on your interactions and preferences
- Power discovery, taste matching, and your activity feed
- Measure feature adoption and improve the Service

**4.3 To communicate with you**
- Send transactional emails (email verification, password reset, security alerts, billing, subscription renewals, penalty notices, appeal outcomes)
- Respond to your questions and support requests
- Send optional product announcements and newsletters if you opt in (you can opt out at any time)
- Deliver push notifications to your device for activity you choose to be notified about (such as new followers, comments, replies, and mentions), if you have enabled push notifications. Push is off by default and entirely opt-in, and you can turn it off at any time (see Section 8)

**4.4 To keep the Service safe**
- Detect and prevent fraud, abuse, spam, and violations of our [Terms of Service](terms-of-service.md), [Community Guidelines](community-guidelines.md), and [Acceptable Use Policy](acceptable-use-policy.md)
- Apply automated and human moderation to User Content, including keyword filters, AI classification, and volunteer-and-staff review
- Maintain the trust and reputation system that determines rate limits and eligibility for community privileges
- Verify age at registration and apply minor-safety protections
- Enforce rate limits, detect bots, and mitigate security threats

**4.5 To comply with law**
- Comply with legal obligations, respond to lawful requests from public authorities, and enforce our agreements
- Report violations of child-safety laws to the National Center for Missing and Exploited Children (NCMEC) and law-enforcement agencies where required or permitted by law, including 18 U.S.C. § 2258A
- Respond to DMCA notices and counter-notices (see [DMCA Policy](dmca-policy.md))

**4.6 To operate the business**
- Keep accounting, audit, and tax records
- Conduct internal research and analytics (in aggregate or de-identified form where feasible)
- Plan and administer mergers, acquisitions, reorganizations, and similar transactions (see Section 5.4)

**4.7 Legal bases (for users in the EU/UK)**

| Purpose | Legal basis under GDPR/UK GDPR |
|---|---|
| Providing account and core Service features | Contract (Art. 6(1)(b)) |
| Billing and subscription processing | Contract; compliance with tax and accounting law |
| Safety, moderation, fraud prevention | Legitimate interests (Art. 6(1)(f)) — keeping the Service safe for all users |
| Service personalization and measurement | Legitimate interests |
| Marketing emails | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) |
| Age verification and minor protections | Compliance with children's-privacy laws including COPPA and GDPR Art. 8 |

We do not use personal information for automated decision-making that produces legal or similarly significant effects on you without human review. Moderation decisions that result in account termination are made by, or reviewed by, a human moderator.

---

## 5. How We Share Information

We share information only as described below. **We do not sell personal information.** We do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law (CPRA).

### 5.1 With Other Users

Information you make public on your profile (public profiles, reviews, journal entries you mark public, lists, comments, likes, follows, custom games promoted to the catalog, and game credits you claim) is visible to other users and to the public internet, including search engines. Game credits you claim appear on your profile; once your account is marked as a verified developer, those credits and your verified-developer status are also displayed publicly on the relevant game pages (for example, in a "Behind the Scenes" section). Private entries and private profiles are not displayed to other users, but the fact that an account exists and its username may be visible for moderation, blocking, and reporting.

### 5.2 With Service Providers (Processors/Sub-processors)

We engage trusted third-party service providers to process information on our behalf. They are contractually restricted from using personal information for their own purposes and must implement appropriate safeguards.

| Provider | Purpose | Data involved |
|---|---|---|
| **Amazon Web Services (AWS)** | Hosting, database, media storage, email delivery, content delivery | All hosted data |
| **Managed Postgres database provider** (currently Neon) | Application database | Application data |
| **Stripe** | Subscription billing and payment processing | Email, name (if supplied), customer ID, payment method (held by Stripe) |
| **Cloudflare** | Bot mitigation, network protection, rate limiting | IP address, HTTP metadata, challenge signals |
| **Error-monitoring service** *(if enabled)* | Error monitoring | Stack traces, request metadata, user ID reference |
| **IGDB / Twitch** | Game metadata lookups | Search terms (may be logged by Twitch); no user PII sent for metadata requests |
| **Google, Discord, Twitch** *(OAuth only)* | Account authentication | Email, name, avatar URL |
| **Browser / operating-system push services** (Google – Firebase Cloud Messaging; Apple – Apple Push Notification service; Mozilla) *(only if you enable push)* | Deliver push notifications to your device | Push subscription endpoint; encrypted message payload; delivery/routing metadata |

When you enable push notifications, the message content is **encrypted** so that the push-delivery service cannot read it; the service processes only the routing metadata needed to deliver the message to your device. These push services are operated by your browser or device vendor under their own privacy terms, which we do not control. We do not use them for advertising.

This list may change as we add or replace providers; we will update this policy to reflect material changes.

### 5.3 For Legal, Safety, and Enforcement Reasons

We may disclose information when we believe in good faith that disclosure is necessary to:

- Comply with applicable law, regulation, legal process, or lawful government request;
- Enforce our Terms of Service, Community Guidelines, Acceptable Use Policy, or other agreements;
- Protect the rights, property, or safety of gLOGGED, our users, or the public;
- Investigate and prevent fraud, security threats, or illegal activity;
- Report child-safety violations to NCMEC and law enforcement where required or permitted by law, including 18 U.S.C. § 2258A — this is a legal obligation we take seriously.

Unless legally prohibited, we will use reasonable efforts to notify the affected user before disclosing account content in response to civil legal process, so the user has an opportunity to object. We may delay or omit notice for emergencies, child-safety matters, fraud/security threats, or where notice would be unlawful or harmful.

### 5.4 In Corporate Transactions

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction, subject to equivalent privacy protections and notice to you.

### 5.5 With Your Direction or Consent

We may share information at your direction (e.g., when you publish content publicly, link a gLIVED clip, or connect a third-party account) or with your consent.

### 5.6 Aggregate and De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you (e.g., "X% of users played game Y last week") for research, analytics, publicity, or business purposes.

---

## 6. International Data Transfers

We are based in the United States and operate the Service from the United States. Our service providers are primarily located in the United States. **The Service is not directed to or marketed in the European Economic Area (EEA), United Kingdom, Switzerland, or other jurisdictions outside the United States.** Pricing, content, and communications are presented in US English and US dollars; we do not localize the Service for non-US markets, and we have not appointed an EU/UK Article 27 representative.

If you choose to access the Service from outside the United States, you do so on your own initiative. Personal information you submit will be transferred to, stored, and processed in the United States and other countries where we or our providers operate. **You should not use the Service if you do not consent to this transfer or if your jurisdiction requires safeguards (such as Standard Contractual Clauses with each sub-processor) that we do not currently maintain as a condition of service.**

We will honor reasonable rights requests from any user regardless of jurisdiction; see Section 8.

---

## 7. Cookies and Similar Technologies

### 7.1 What We Use

| Cookie / Technology | Purpose | Category | Duration |
|---|---|---|---|
| Session cookies | Keep you signed in | Strictly necessary | Up to 30 days, sliding |
| CSRF protection cookies | Cross-site request forgery prevention | Strictly necessary | Session |
| OAuth flow cookies | Complete sign-in via Google, Discord, or Twitch | Strictly necessary | Session or short-lived |
| CAPTCHA / anti-bot cookies | Bot mitigation | Strictly necessary | Short-lived |
| Local storage entries | Remember client-side preferences | Functional | Until cleared |
| Service worker (push notifications) | Receives and displays push notifications you have enabled; active only after you opt in | Functional | Until you disable push or clear site data |

We do **not** currently use advertising or cross-site tracking cookies. We do not implement third-party analytics beyond what is described in Section 5.2. If we add non-essential cookies (e.g., product analytics), we will update this policy and — for EEA/UK users — present a consent banner before those cookies are set.

### 7.2 Do Not Track / Global Privacy Control

We will honor the Global Privacy Control (GPC) signal in jurisdictions that recognize it (currently California and Colorado) as a valid opt-out of "sale" and "sharing" for behavioral advertising, if and when our practices ever involve such activity. Because we do not currently sell or share personal information for cross-context behavioral advertising, the GPC signal does not change our practices today; corresponding signal handling will be implemented in the Service if and when our practices change.

We do not respond to generic "Do Not Track" browser signals, which lack a common standard.

### 7.3 Managing Cookies

Most browsers let you view, delete, and block cookies. Blocking strictly-necessary cookies will break authentication and prevent you from using signed-in features.

---

## 8. Your Rights and Choices

Depending on where you live, you may have some or all of the following rights. To exercise any right, email `privacy@glogged.com` from the address associated with your account or use the in-Service controls where available. We will verify your identity before acting on requests. We will respond within the timelines required by applicable law (typically 30 or 45 days).

### 8.1 Rights Available to All Users

- **Access:** See what information we hold about you, via your profile, your Settings, and — on request — a downloadable export.
- **Correction:** Update profile information yourself in Settings, or ask us to correct information you cannot change.
- **Deletion:** Close your account from Settings or request deletion by email. See Section 10 for how we handle deletion.
- **Portability:** Request a machine-readable export of your personal information and User Content.
- **Withdraw consent:** Where we rely on consent (e.g., marketing emails), withdraw it at any time.
- **Opt out of marketing:** Use the unsubscribe link in any marketing email or toggle email preferences in Settings.
- **Manage push notifications:** Turn push notifications on or off per device, and choose which types you receive, in Settings → Notifications. You can also revoke permission at any time in your browser's site settings or your device's operating-system notification settings. Disabling push deletes that device's stored subscription.

### 8.2 California Residents — CCPA/CPRA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "**CCPA**"):

- (a) **Right to know**: the categories of personal information we collect, the sources, the business purposes, the categories of third parties we disclose to, and the specific pieces of personal information we have collected about you.
- (b) **Right to delete**: request deletion of personal information we have collected from you (subject to statutory exceptions — for example, we may retain information needed to complete a transaction, detect security incidents, or comply with law).
- (c) **Right to correct**: request correction of inaccurate personal information we hold about you.
- (d) **Right to opt out of sale/sharing**: we **do not sell** personal information and we **do not share** it for cross-context behavioral advertising, so there is nothing to opt out of today; if this changes, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link.
- (e) **Right to limit use of sensitive personal information**: we do not use sensitive personal information beyond the purposes permitted under CCPA Reg. § 7027(m); no action is required.
- (f) **Right to non-discrimination**: we will not deny service, charge different prices, or provide a different level of service because you exercise your privacy rights.

**Categories of personal information collected in the past 12 months**, as defined by Cal. Civ. Code § 1798.140:

| CCPA category | Collected? | Sources | Purposes | Recipients |
|---|---|---|---|---|
| Identifiers (name, email, username, IP, account IDs) | Yes | User; OAuth providers; automatic | All purposes in Section 4 | Service providers; at user's direction; legal |
| Customer records (name, email, card last-4) | Yes | User; Stripe | Billing | Service providers (Stripe, AWS); legal |
| Commercial information (subscription history) | Yes | User; Stripe | Billing, service provision | Service providers; legal |
| Internet/network activity (logs, usage, interactions) | Yes | Automatic | Operations, security, improvement | Service providers; legal |
| Geolocation (IP-derived approximate only) | Yes | Automatic | Security, compliance | Service providers; legal |
| Audio/visual (avatars, screenshots uploaded by users) | Yes | User | Display to other users per privacy settings | Public (if published); service providers |
| Professional/employment | No | — | — | — |
| Education | No | — | — | — |
| Inferences (content recommendations, taste profile) | Yes | Derived | Personalization, safety | Service providers |
| Sensitive personal information (precise geolocation, gov IDs, biometric, union, health, etc.) | No | — | — | — |
| Children's information (under 13) | **No** — under-13 users are blocked | — | — | — |
| Minors 13–17 | Yes, where user is 13–17 | User | Age-appropriate service provision; minor protections | Service providers; legal |

To exercise CCPA rights, email `privacy@glogged.com` with subject "California Privacy Request" and include your account email. You may designate an **authorized agent** in writing to make a request on your behalf; we will verify your authorization of the agent.

### 8.3 EEA, UK, and Swiss Residents — GDPR Rights

If the GDPR or UK GDPR applies to you, you have the following rights:

- **Access** (Art. 15): confirm whether we process your data and obtain a copy.
- **Rectification** (Art. 16): correct inaccurate or incomplete data.
- **Erasure** (Art. 17): request deletion in certain circumstances.
- **Restriction** (Art. 18): request that we pause processing pending review.
- **Portability** (Art. 20): receive your data in a structured, commonly used, machine-readable format.
- **Object** (Art. 21): object to processing based on legitimate interests; object at any time to direct marketing.
- **Withdraw consent** at any time, without affecting pre-withdrawal lawful processing.
- **Lodge a complaint** with a supervisory authority in your EU/EEA member state, the UK Information Commissioner's Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC).

To exercise these rights, email `privacy@glogged.com`. We will respond within one month, extendable by up to two additional months where necessary given the complexity and number of requests. As noted in Section 6, the Service is not directed to the EEA, UK, or Switzerland and we have not appointed an Article 27 representative; if you reside in those jurisdictions and choose to use the Service, you may contact us directly at the email above.

### 8.4 Other US States (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Others)

If a comprehensive state privacy law covers you, you generally have rights to access, correct, delete, and obtain a copy of your personal data, and to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects. We do not engage in any of these opt-out-eligible activities today. Residents may make requests at `privacy@glogged.com`. Appeals of a denied request may be made to the same address.

### 8.5 Nevada Residents

Nevada law allows Nevada residents to opt out of the future "sale" of certain personal information. We do not sell personal information as defined under Nevada law, but you may direct any opt-out to `privacy@glogged.com`.

---

## 9. Data Retention

We retain personal information for as long as needed to provide the Service and as described below, after which we will delete or de-identify it.

| Data type | Retention period |
|---|---|
| Account profile (while active) | Until account closure |
| Push notification subscriptions | Until you disable push on the device, or until the subscription expires or is reported invalid by the push service — whichever is first |
| Journal entries, reviews, lists, comments (while active) | Until the User Content or account is deleted |
| Soft-deleted User Content (after deletion) | Up to 30 days, then anonymized or purged except where retained for moderation records |
| Date of birth | Retained while account exists; only year retained after account anonymization to support aggregate age demographics and COPPA audits |
| Authentication logs, security logs | 12 months (longer if required for a pending investigation) |
| Support tickets and communications | 3 years from last contact |
| Billing records | 7 years (US tax/audit requirements) |
| Moderation records (reports, penalties, appeals) | 3 years from the underlying event, or longer for severe violations |
| Clickwrap consent records (ToS / Privacy acceptance: timestamp, IP, user-agent, document hash) | Duration of the account, plus 7 years from account closure |
| Subscription consent verification (auto-renewal-law records) | At least 3 years, or 1 year after termination of the subscription, whichever is longer |
| DMCA notices, counter-notices, and repeat-infringer log | At least 3 years from receipt; longer if part of a pending claim |
| Legal holds, preservation requests, and subpoena records | For the duration of the hold or process, plus the period required by applicable law |
| CSAM / NCMEC CyberTipline preservation records | At least 1 year from CyberTipline submission, per 18 U.S.C. § 2258A(h) |
| Backups | Rolling backups retained up to 90 days; data in backups is deleted on the normal backup rotation after live-system deletion |
| Anonymized / aggregated data | Indefinitely |

If a shorter retention is required by local law (e.g., GDPR storage-limitation principle), that shorter period applies.

---

## 10. Account Closure and Deletion

You may close your account at any time in Settings or by emailing `support@glogged.com`. Account closure follows a two-phase process:

**Phase 1 — Soft delete and reinstatement window (first 30 days).** When you close your account, we immediately set it to a "soft-deleted" state. Your profile, journal entries, reviews, lists, comments, and other content are hidden from other users; your sessions are revoked. During this 30-day window you may restore your account and content by signing in or by contacting `support@glogged.com`. After 30 days have passed, the account is no longer eligible for reinstatement.

**Phase 2 — Permanent erasure (within 45 days after the reinstatement window expires).** The account and its content are permanently deleted in dependency order. Audit-trail records (reports, penalties, appeals, moderation actions) referencing the account are anonymized — the user reference is removed but the record itself is preserved — to maintain community-integrity history. Year of birth is retained for COPPA/age-auditing purposes; day and month are removed.

A few specifics:

- Reviews and other public content that have been quoted, liked, or included in others' lists may remain visible on the Service attributed to a generic "Deleted User" identifier, to preserve the integrity of community discussion. If you want specific pieces fully removed before erasure, delete them from your profile before closing your account.
- Information required for legal compliance (billing/tax records, moderation audits, child-safety reports, DMCA logs, legal holds, clickwrap consent records, subscription consent verification) is retained for the period required by law as described in Section 9.
- Backups are retained up to 90 days on a rolling rotation; data in backups is removed on the normal backup-rotation schedule after live-system deletion.

You can also request immediate removal of specific User Content without closing your account, subject to moderation integrity and the license in Section 5.2 of the Terms of Service.

---

## 11. Security

We take reasonable administrative, technical, and physical measures to protect your information, including:

- Passwords protected with industry-standard one-way hashing
- TLS encryption for data in transit
- Encryption at rest for media and database storage
- Role-based access controls for staff
- Rate limiting, CAPTCHA, and CSRF protections
- Secure cookie flags appropriate to context
- Logging of privileged actions

No system is perfectly secure. You are responsible for protecting your password and for using unique passwords across services. If you suspect your account has been compromised, contact `support@glogged.com` immediately.

### 11.1 Breach Notification

If we determine that a breach has occurred involving your personal information, we will notify you and regulators as required by applicable law.

---

## 12. Children's Privacy

The Service is **not directed to children under 13** and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account or submitted information, contact `privacy@glogged.com` and we will investigate and delete as required. Users aged **13–17** are permitted with additional protections described in the [Children's Privacy Notice](childrens-privacy.md).

---

## 13. Third-Party Links and Services

The Service may contain links to third-party sites and services (game storefronts, OAuth providers, linked gLIVED clips, user-submitted links, etc.). We are not responsible for their privacy practices. Review their privacy policies before providing information.

---

## 14. Changes to This Policy

We may update this Privacy Policy. For material changes, we will notify you by email and/or in-Service notice at least thirty (30) days before the change takes effect, unless an earlier effective date is required by law. Non-material updates (typos, clarifications) take effect on posting. The "Last Updated" date at the top reflects the most recent change.

---

## 15. Contact Us

**Privacy inquiries, rights requests, complaints:**
Email: `privacy@glogged.com`
Mail: Inflaite LLC, Attn: Privacy, 1027 W 250 S Apt C104, American Fork, UT 84003

**Law-enforcement requests, subpoenas, preservation requests:**
Email: `legal@glogged.com` (subject line: "Law Enforcement Request")

---

**Changelog**

| Version | Date | Change |
|---|---|---|
| 1.0 | May 1, 2026 | Initial version |
| 1.1 | May 20, 2026 | Disclosed Developer Mode data: game credits and developer-verification information (Section 3.1) and public display of claimed credits and verified-developer status (Section 5.1) |
