Legal
Privacy Policy
Last updated: July 14, 2026
Workshop is built to collect as little data as possible. This policy explains what we do collect, why, and what you can do about it.
The short version
- We do not sell your data. Not to advertisers, not to data brokers, not to anyone.
- We don't use third-party trackers that follow you around the web. No Facebook Pixel, no Google Analytics with cookies, no advertising identifiers.
- If you create an account, we store the minimum needed to make it work: your email and a hashed password.
- If you play a game, your save data is stored either in your browser's local storage (if you're not logged in) or in our database (if you are).
Data we collect
Account data
If you register an account:
- Email address (used for login and account recovery)
- Hashed password (we never see your plain password)
- Display name (visible to you, not shared publicly by default)
- Account creation date and last login timestamp
Game save data
When you play a game and the game saves your progress, that save data is stored as JSON. The contents are determined by the game — typically things like player position, inventory, completed levels, and achievements unlocked. The structure varies per game.
Aggregate analytics
We use Cloudflare Web Analytics, which provides aggregate page view statistics without cookies and without tracking individual users. You can read about how it works at Cloudflare's documentation .
Server logs
Our hosting provider (Cloudflare) and database provider (MongoDB Atlas) maintain standard server logs for security and abuse prevention. These logs may include IP addresses, request timestamps, and user agents. They are retained for a limited period consistent with each provider's policy.
Payment data
If you make a purchase (e.g., a subscription to remove ads), payment is processed by Paddle, our Merchant of Record. Paddle receives your payment information directly — Workshop never sees or stores your credit card number. We receive a notification that a transaction occurred, along with the order ID and the amount.
Your rights
Under the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and similar laws, you have rights regarding your personal data:
- Access: Request a copy of the data we hold about you.
- Correction: Ask us to fix inaccurate data.
- Deletion: Request that we delete your data.
- Portability: Receive your data in a machine-readable format.
- Objection: Ask us to stop processing your data for specific purposes.
To exercise any of these rights, email privacy@yourdomain.com. We respond within 30 days. We may need to verify your identity before responding.
Data retention
Account data is retained until you delete your account or request deletion. Game save data is retained as long as your account is active. Audit logs are retained for 30 days. Server logs follow each provider's standard retention policy.
Children's privacy
Workshop is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it.
International transfers
Your data may be processed in countries other than your own, including the United States. We rely on standard contractual clauses and similar safeguards to ensure appropriate protection for data transferred outside the European Economic Area.
Changes to this policy
We will update this policy if our practices change. The "last updated" date at the top reflects the most recent revision. Material changes will be announced on the dev log.
Contact
Questions about privacy can be sent to privacy@yourdomain.com.