Privacy Policy

AI Game Dev (ai-game.dev) is an open-source platform that bridges AI-powered coding assistants with the Unity game engine through the Model Context Protocol (MCP). This Privacy Policy explains what data we collect, why we collect it, and how we protect it.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address and a hashed version of your password. We never store passwords in plain text. You may optionally provide a display name and timezone.

1.2 Waitlist Subscriptions

If you sign up for a game engine waitlist (e.g., Unreal Engine or Godot notifications), we collect your email address and the engine you subscribed to. This data is used solely to notify you when support for that engine becomes available.

1.3 API Tokens

When you generate an API token to authenticate MCP connections, we store a bcrypt hash of the token along with a user-assigned label, creation timestamp, and last-used timestamp. The raw token value is shown exactly once at creation and is never stored or retrievable afterward.

1.4 Request Metadata

When MCP clients or the Unity plugin connect through our server, we log operational metadata to maintain service quality:

• Client IP address
• Timestamp and request duration
• HTTP status code and request path
• Tool name and tool call count
• Request and response size (in bytes)
• Endpoint type (MCP or API) and client type (AI agent or plugin)

1.5 MCP Events

We record MCP protocol-level events (tool calls, prompt retrievals, resource access, connection events) including the event type, timing, status, and session identifiers. These events help us monitor system health and debug issues.

1.6 What We Do NOT Collect

We do not collect, store, or have access to:

• The content of conversations between you and your AI assistant
• Your source code, project files, or Unity assets
• Scene data, game design documents, or creative content
• Any data from your local Unity project beyond the MCP tool calls you initiate

The MCP server acts as a stateless relay — it routes tool calls between your AI client and Unity Editor without inspecting or persisting the payload contents.

2. How We Use Your Information

• Authentication and access control — verifying your identity and authorizing MCP connections via bearer tokens
• Service operations — monitoring uptime, diagnosing errors, enforcing rate limits, and maintaining system health
• Usage analytics — understanding which MCP tools are used most frequently to guide development priorities
• Security — detecting abuse, preventing unauthorized access, and responding to incidents
• Communication — sending email verification, password reset links, and critical service notifications

3. Data Storage and Security

Your data is stored in a PostgreSQL database on our server infrastructure. We use industry-standard security practices:

• All connections are encrypted with TLS (HTTPS) via automatically renewed certificates
• Passwords and API tokens are stored as bcrypt hashes — never in plain text
• JWT-based session tokens have configurable expiry (15 min access, 7 day refresh)
• Redis-backed rate limiting protects against brute-force attacks
• Admin endpoints require a separate API key

4. Data Retention

• Account data is retained for as long as your account is active. You can request account deletion at any time.
• Request logs and MCP events are retained for operational purposes and periodically aggregated into anonymous statistics.
• Aggregated admin statistics are stored for approximately 42 days in 30-minute intervals, then aged out.
• Verification and reset tokens expire automatically (48 hours for email verification, 1 hour for password resets).

5. Data Sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes. We may share data only:

• When required by law or valid legal process
• To protect the security and integrity of the service
• With infrastructure providers (server hosting) strictly as needed to operate the service — email delivery and analytics are self-hosted and not shared

6. Open Source Transparency

The Unity MCP ecosystem is open source. You can inspect the server code, the Unity plugin, and the .NET MCP framework to verify exactly what data is transmitted and how it is handled:

• Unity-MCP — Unity Editor plugin
• MCP-Plugin-dotnet — .NET MCP server framework
• AI-Game-Dev-Server — this server and frontend

7. Your Rights

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate information in your account
• Request deletion of your account and associated data
• Revoke any API tokens at any time through your dashboard
• Export your data upon request

8. Cookies and Tracking

We use essential cookies only for session management (JWT tokens stored in HTTP-only cookies). We do not use advertising cookies, tracking pixels, or third-party analytics that track you across websites.

We use Umami, a privacy-focused, open-source analytics tool, to collect anonymous usage statistics (page views, referrers, browser type). Umami is self-hosted on our own infrastructure — no data is shared with third parties. It does not use cookies and does not track individual users across sessions.

9. Children's Privacy

AI Game Dev is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the service after changes constitutes acceptance of the updated policy.