Get early access
DRAFT, pending legal review. This document has not been approved by counsel and is not yet in effect.

Privacy Policy

Last updated: 2026-06-11

Effective date: [EFFECTIVE DATE TO CONFIRM]

This Privacy Policy explains how NexGen UX & Engineering LLC, doing business as Multiplayer Rally ("we," "us," "our"), collects and uses personal information on multiplayerrally.com and, once launched, in the Multiplayer Rally service and desktop agent. We are the data controller for the information described here. Contact: privacy@multiplayerrally.com.

The product is currently pre-launch. Section 2 describes what we collect today, while only the website and waitlist exist. Section 3 describes what we will additionally collect at launch, when accounts, the agent, and billing go live; we will update this policy before those features ship.

1. The short version

  • Today we collect your waitlist email, the game you want to host, optional referral information, basic request data, and analytics and error events.
  • We do not sell or share personal information for advertising.
  • We do not run advertising pixels. Analytics are cookieless until you accept the consent banner.
  • We email you marketing only after you confirm via a double opt-in link, and every email has a one-click unsubscribe.
  • The service is not for children under 13.

2. What we collect today (waitlist phase)

  • Waitlist signup: your email address, the game you are interested in hosting (including an optional free-text "other" answer), an optional referral code, and optional attribution data about how you found us (for example a source or campaign parameter).
  • Request data: when you use the site or submit the form, we process your IP address and coarse data derived from it (such as country) for rate limiting, security, and regional settings.
  • Analytics: page views and interaction events via PostHog (US cloud). Until you accept our consent banner, analytics run cookieless: nothing is stored on your device and no cross-session identifier exists. If you accept, PostHog stores an identifier in your browser. See the Cookie Notice.
  • Error data: if something breaks, technical error reports (which may include your IP address and browser details) are sent to Sentry (US) so we can fix it.
  • Email delivery: waitlist confirmation and update emails are sent through Resend; delivery metadata (sends, bounces) is processed there.

3. What we will additionally collect at launch

  • Account: your email address, used for magic-link sign-in (no password), via Supabase Auth.
  • Device links: when you link a PC running the agent: device name, operating system version, agent version, hashed device tokens, last-seen timestamps, and the IP address used during linking and connections.
  • Server metadata: server names, which game, status, and player counts.
  • Console logs: server console log lines are relayed to your dashboard with credentials and tokens redacted.
  • Relay connection data: when players connect to your server through our relay, we process connection metadata (IP addresses, ports, byte counts, timestamps) to route traffic, meter usage, and stop abuse. In plain words: when your friend connects through our relay, we see their IP address to route traffic; we keep it briefly for security and never build profiles from it. We do not inspect, log, or store the contents of game traffic.
  • Billing: subscriptions are processed by Stripe. We receive your Stripe customer ID, plan, invoice records, and card brand and last four digits. We never store your full card number; it goes directly to Stripe.
  • Backups: in the current phase, your worlds, saves, and backups stay on your own PC. We do not store copies. If we later offer cloud backups, this policy will be updated first.

4. Why we use it, and the legal bases

For visitors in regions with GDPR-style laws, our legal bases are:

  • Consent: marketing emails (you join the waitlist and then confirm via a double opt-in link; you can withdraw with one click in any email) and persistent analytics identifiers (the consent banner).
  • Contract: operating the waitlist you asked to join, and at launch: your account, device links, servers, tunnels, and billing.
  • Legitimate interests: security, rate limiting, abuse prevention and detection, error diagnosis, cookieless aggregate analytics, and defending legal claims.
  • Legal obligation: tax and accounting records for billing.

5. Who processes it (service providers)

We share personal information only with the processors that run the service, under data processing agreements, and with authorities where legally required. Current processors:

  • Supabase (database and, at launch, authentication), US East
  • Vercel (website hosting), US
  • Cloudflare (DNS and network proxy)
  • PostHog (product analytics), US cloud
  • Sentry (error monitoring), US
  • Resend (transactional and waitlist email)
  • Stripe (payments, at launch)

We do not sell personal information, and we do not share it for cross-context behavioral advertising.

6. How long we keep it

DataRetention
Waitlist email and signup detailsUntil you unsubscribe or ask us to delete it; unconfirmed signups are deleted after [TO CONFIRM: e.g. 30 days]
Account data (email, settings), at launchLife of the account plus 30 days
Device link recordsLife of the device link plus 30 days
Host IP addresses (agent connections)30 days rolling
Player IP addresses (relay connection logs)7 to 30 days rolling, then aggregate counters only
Server metadataLife of the account
Analytics events13 months
Error reports90 days of detail
Billing and invoice records7 years (tax law)
Support emails24 months

7. Your rights

If you are in the EEA, UK, or a similar jurisdiction (GDPR): you can ask for access to, correction of, deletion of, or a portable copy of your personal information; you can object to or ask us to restrict processing based on legitimate interests; and you can withdraw consent at any time (this does not affect processing before the withdrawal). You can also complain to your local supervisory authority. [TO CONFIRM: EU/UK representative details once appointed, per plan section 8.2.]

If you are a California resident (CCPA/CPRA): you have the right to know what personal information we collect and how it is used, to delete it, to correct it, and to opt out of sale or sharing. We do not sell or share personal information as those terms are defined in the CCPA, and we honor Global Privacy Control signals on our web properties. We will not discriminate against you for exercising your rights.

To exercise any right, email privacy@multiplayerrally.com. We respond within 30 days (GDPR) or 45 days (CCPA). For waitlist marketing, the fastest path is the unsubscribe link in any email.

8. Cookies and analytics consent

Our cookie and local-storage use, including exactly what the consent banner does, is documented in the Cookie Notice. Summary: we store your consent choice in your browser, analytics are cookieless until you accept, and we use no advertising cookies.

9. Children

The service is a general-audience tool with a hard minimum age of 13. We do not allow accounts for children under 13 and do not knowingly collect personal information from them. At launch, signup includes a neutral date-of-birth check; under-13 signups are blocked and the date of birth is not stored. If we learn that we have collected personal information from a child under 13, we delete it. Parents or guardians can contact privacy@multiplayerrally.com. Players who join a friend's server never create an account with us; at most we hold a short-lived relay connection log as described in Sections 3 and 6.

10. Security

An honest summary of our posture: traffic to our services is encrypted in transit (TLS); device tokens are stored hashed, never in plain text; access to production data is restricted and secrets are kept in managed secret storage; payment card data goes directly to Stripe and never touches our systems; and the relay does not inspect or store game traffic contents. No internet service can promise perfect security, and we do not. If a breach creates risk to you, we will notify you and, where required, regulators within the legally required timelines.

11. International transfers

We are a US company and our processors listed in Section 5 store data primarily in the United States. Where we transfer personal information from the EEA, UK, or Switzerland, we rely on the EU-US Data Privacy Framework for participating providers and on Standard Contractual Clauses otherwise. [TO CONFIRM: verify DPF participation status per provider at the attorney pass.]

12. Changes to this policy

We will update this policy as the product evolves, including before accounts, the agent, and billing launch. Material changes are announced by email to the waitlist or account address, and the "Last updated" date above always reflects the current version.

13. Contact

NexGen UX & Engineering LLC, d/b/a Multiplayer Rally
[POSTAL ADDRESS TO CONFIRM: CMRA business address per plan section 1.5]
privacy@multiplayerrally.com