Privacy Policy
Version 2.1 — Effective date: July 1, 2026
AI Game Dev (ai-game.dev) is a platform that bridges AI-powered coding assistants with game engines through the Model Context Protocol (MCP). This Privacy Policy explains what data we collect, why we collect it, who we share it with, and how we protect it.
1. Who We Are (Data Controller)
The data controller for the Service is Ivan Murzak (trading as Modalith), a sole proprietorship, located at 13205 97th Ave NE, Kirkland, WA 98034. For questions about this policy or to exercise your rights, contact us at privacy@ai-game.dev.
EU/EEA & UK GDPR Representatives (Article 27). If you are in the EU/EEA or the UK and have questions or concerns about your personal data, you may contact our appointed GDPR representative:
- EU Representative — Euverify Ltd (Ireland), Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork, T23 AT2P, Ireland — Email: gdpr@euverify.com
- UK Representative — Euverify Ltd (UK), 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom — Email: gdpr@euverify.com
This representative covers everyone whose personal data we process in the EU/EEA or the UK — including users of our free hosted service — and does not depend on whether paid plans are available in your country.
Submit a data-subject request. You can verify our representative and submit a data-subject request — access, rectification, erasure, restriction, portability, or objection — through our Euverify portal: gdpr.euverify.com/verify/f3d62d85-9dc6-472f-a512-9163bed30352. You can also contact us at privacy@ai-game.dev.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your email address and a hashed version of your password. We never store passwords in plain text. You may optionally provide a display name and timezone. During registration you may also provide profile details (e.g. years of experience, roles, engines, and platforms) to help us tailor the product.
2.2 Waitlist Subscriptions
If you sign up for a game engine waitlist (e.g., Unreal Engine or Godot notifications), we collect your email address and the engine you subscribed to. This data is used solely to notify you when support for that engine becomes available. We process this on the basis of your consent, which you may withdraw at any time — by using the unsubscribe link in any such email or by contacting privacy@ai-game.dev. Withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.
2.3 API Tokens
When you generate an API token to authenticate MCP connections, we store a SHA-256 hash of the token along with a user-assigned label, creation timestamp, and last-used timestamp. The raw token value is shown exactly once at creation and is never stored or retrievable afterward.
2.4 Billing and Subscription Information
When you purchase a paid subscription, payments are processed by Stripe. To manage your subscription we store a Stripe customer identifier, your plan, billing period, subscription status, and renewal/cancellation timestamps. Stripe collects and processes the data needed to take payment — typically your name, email address, billing address, IP address, and payment-card details.
Card details are entered on Stripe-hosted pages and never touch our servers — we do not see, receive, or store full card numbers. We receive from Stripe only the limited information needed to operate the subscription (such as the last four digits of the card, card brand, payment status, and tax/invoice metadata).
2.5 Request Metadata
When MCP clients or the engine plugin connect through our server, we log operational metadata to maintain service quality:
- Client IP address
- Timestamp and request duration
- HTTP status code and request path
- Tool name and tool call count
- Request and response size (in bytes)
- Endpoint type (MCP or API) and client type (AI agent or plugin)
In addition, when you sign in we record the IP address and browser/device user-agent associated with that login session, so that you and we can identify and manage active sessions for security purposes.
2.6 MCP Events
We record MCP protocol-level events (tool calls, prompt retrievals, resource access, connection events) including the event type, timing, status, session identifiers, the tool, prompt, or resource referenced, and any error details. These events help us monitor system health and debug issues.
2.7 What We Do NOT Collect
We do not collect, store, or have access to:
- The content of conversations between you and your AI assistant
- Your source code, project files, or game assets
- Scene data, game design documents, or creative content
- Any data from your local project beyond the MCP tool calls you initiate
- Your full payment-card number, which is handled entirely by Stripe
The MCP server acts as a stateless relay — it routes tool calls between your AI client and the editor without inspecting or persisting the payload contents.
2.8 Proxied AI Usage (Paid Plans Only)
On the free tier the Service is an MCP relay only: you connect your own AI agent, and your AI prompts and completions go directly to the AI provider you chose — they do not pass through us, and we do not send them to any AI provider on your behalf.
On paid plans, our metered AI tools route your AI requests through third-party AI providers to generate completions. For this purpose, the relevant request content is transmitted to the applicable provider:
- Anthropic (United States) — processes paid AI requests routed to Anthropic's models.
- DeepSeek (China) — processes paid AI requests routed to DeepSeek's models. DeepSeek is not available to accounts in the EU, UK, or Switzerland; this is enforced server-side based on your account country, so no transfer of EU/UK/Swiss personal data to China occurs for those data subjects.
These AI providers apply only to paid, proxied AI usage. We do not send free-tier traffic to them.
3. How We Use Your Information, and Our Legal Basis
Where data-protection law (such as the EU/UK GDPR) applies, we rely on the following legal bases for each purpose:
- Provide the Service and process payments (account creation, authentication, running subscriptions, charging and renewing paid plans) — performance of a contract with you.
- Operate and secure the platform (monitoring uptime, diagnosing errors, enforcing rate limits and usage allowances, detecting abuse, preventing fraud) — our legitimate interests in running a reliable, secure service.
- Comply with legal obligations (tax, accounting, and invoicing requirements for paid transactions) — compliance with a legal obligation.
- Send service communications (email verification, password resets, billing notices, critical service notifications) — performance of a contract and/or legitimate interests.
- Optional notifications you request (e.g. engine waitlists) — your consent, which you may withdraw at any time.
4. How We Share Your Information (Sub-processors)
We do not sell or rent your personal data, and we do not share it for third-party marketing. We share data only with the service providers (sub-processors) needed to operate the Service, and where required by law:
- Stripe (payment processor; United States) — processes payments, prevents fraud, and calculates and collects taxes. We are the merchant of record for your purchase; Stripe acts as our processor for subscription management and as an independent controller for its own fraud-prevention and anti-money-laundering purposes. Stripe receives the billing data described in Section 2.4.
- AI providers — Anthropic (US) and DeepSeek (China) — process paid, proxied AI requests only (see Section 2.8). Free-tier traffic is never sent to them. DeepSeek is not offered to EU/UK/Swiss accounts.
- Server hosting / infrastructure provider — hosts the application, database, and supporting services strictly as needed to run the platform.
- Email delivery — handled by our self-hosted mail service on our own infrastructure; transactional email is not shared with a third-party email-marketing provider.
- Analytics (Umami) — self-hosted on our own infrastructure; anonymous usage statistics only, not shared with third parties.
- Legal and safety — when required by law or valid legal process, or to protect the security, rights, and integrity of the service and its users.
5. International Data Transfers
Our infrastructure, our payment provider Stripe, and our AI provider Anthropic may process your data in the United States and other countries outside your own. Where we transfer personal data of EU/UK individuals to a country that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards — principally the European Commission's Standard Contractual Clauses (SCCs) (and the UK equivalent) — to protect that data. Transfers to Anthropic (United States) and Stripe (United States) rely on SCCs.
DeepSeek (China). Our DeepSeek AI provider processes data in China. To avoid transferring EU/UK/Swiss personal data to China, DeepSeek is not available to accounts in the EU, UK, or Switzerland — this is enforced server-side based on your account country. As a result, no transfer of EU/UK/Swiss personal data to China occurs through the Service.
6. Data Storage and Security
Your data is stored in a PostgreSQL database on our server infrastructure. We use industry-standard security practices:
- All connections are encrypted with TLS (HTTPS) via automatically renewed certificates
- Passwords are stored as bcrypt hashes and API tokens are stored as SHA-256 hashes — never in plain text
- Payment-card data is handled by Stripe and never stored on our servers
- JWT-based session tokens have configurable expiry (15-minute access tokens and 7-day refresh tokens, or 30-day refresh tokens if you choose “remember me”)
- Redis-backed rate limiting protects against brute-force attacks
- Admin endpoints require a separate API key
7. Data Retention
- Account and profile data is retained for as long as your account is active. You can request account deletion at any time, after which we delete or anonymize your account data within a reasonable period, subject to the billing/tax exception below.
- Billing, invoice, and tax records are retained for at least 7 years (and longer where required — for example, approximately 10 years for EU VAT purposes) after the transaction to comply with tax, accounting, and audit obligations, even after account deletion.
- Operational request logs and MCP events are used primarily within a rolling 90-day window for analytics, monitoring, and reporting in our dashboards. We retain these operational records until they are no longer needed and are purged, and we work to minimize how long identifiable log data is kept. We do not currently guarantee automatic deletion at a fixed age.
- Aggregated admin statistics are stored for approximately 42 days in 30-minute intervals, then aged out.
- Verification and reset tokens expire automatically (48 hours for email verification, 1 hour for password resets).
8. Open Source Transparency
The AI Game Dev ecosystem is open source and supports multiple engines — including Unity, Godot, and Unreal Engine. You can inspect the server code, the per-engine plugins, and the .NET MCP framework to verify exactly what data is transmitted and how it is handled:
- Unity-MCP — Unity Editor plugin
- Godot-MCP — Godot Editor plugin
- Unreal-MCP — Unreal Engine plugin
- MCP-Plugin-dotnet — .NET MCP server framework
- AI-Game-Dev-Server — this server and frontend
9. Your Rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate information in your account
- Request deletion of your account and associated data (subject to legal retention)
- Object to or restrict certain processing, and withdraw consent where we rely on it
- Receive a copy of your data in a portable format. You can export your usage data directly from your dashboard; for a copy of other personal data we hold, contact us and we will handle the request manually
- Revoke any API tokens at any time through your dashboard
- Lodge a complaint with your local data-protection authority
To exercise any of these rights, EU/EEA and UK data subjects can use our Euverify data-subject request portal; you can also email us at privacy@ai-game.dev. Exercising these rights is free of charge. We will respond to your request within one month. Where a request is particularly complex or you have made a number of requests, we may extend this period by up to a further two months, and we will tell you within the first month if we need to do so and why.
10. Cookies and Tracking
We use JSON-based authentication tokens — not cookies — for session management. When you sign in, the Service returns short-lived access and refresh tokens in the login response, and your browser or client stores them and sends them back on each request to keep you signed in. We do not use advertising cookies, tracking pixels, or third-party analytics that track you across websites.
We use Umami, a privacy-focused, open-source analytics tool, to collect anonymous usage statistics (page views, referrers, browser type). Umami is self-hosted on our own infrastructure — no data is shared with third parties. It does not use cookies and does not track individual users across sessions.
The Stripe-hosted checkout and customer portal may set cookies necessary for payment security and fraud prevention; these are governed by Stripe's own privacy policy.
11. Children's Privacy
The free Service is not directed at children under 13, and paid subscriptions require the subscribing account holder to be at least 18, or a parent or legal guardian acting on behalf of a user who is at least 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated version number and effective date, consistent with our Terms of Service.
For material changes that affect a paid subscription or that are required by mandatory consumer or data-protection law, we will give you advance notice by email before the change takes effect and a reasonable opportunity to terminate your subscription if you do not accept the change. For non-material changes, continued use of the service after the changes take effect constitutes acceptance of the updated policy. Your mandatory statutory rights as a consumer and data subject are unaffected.
Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact the Provider at privacy@ai-game.dev.