Privacy Policy
Last Updated: May 12, 2026
1. Who We Are
Keystone Singularity Studios Limited, trading as "KeyStone" ("we," "us," "our"), is a private limited company incorporated in England and Wales (company number 17072231), with its registered office at Flat 803 Bagshaw Building, 1 Wards Place, London, England, E14 9AZ. Our nature of business is software development (SIC 62012). We provide various software applications and platforms, including backend-as-a-service (BaaS) solutions for game servers, art reference board applications, and other digital tools and services (collectively, "Services"). References to KeyStone include its directors, officers, employees, affiliates, successors, and assigns.
2. Scope of This Policy
This Privacy Policy applies to all information we collect, use, store, and process in connection with all of our Services, including our websites, applications, platforms, and any other services offered under the KeyStone name. It explains what information we collect, how we use it, who we share it with, and what rights you have regarding your data.
3. Information We Collect
We may collect various types of information from you when you access or use our Services. This includes:
- Account Information: If you create an account, we collect your name, email address, password, username, and any other information you provide during registration or profile setup.
- Contact Form Information: When you submit inquiries or messages through our contact forms, we collect your name, email address, subject, message content, and any other information you provide.
- User Content: Any content, data, code, files, or materials you upload, submit, or store through our Services, including but not limited to game data, configurations, art and reference images, notes, project metadata (such as board layouts and item references), and documentation. Where you enable optional cloud synchronisation (for example DarkRef Cloud Sync), this content is transmitted to and stored on our cloud infrastructure as described in Section 8.
- Authentication Data: When you create an account or sign in, we and our authentication provider process authentication tokens, session identifiers, and security metadata (such as sign-in timestamps and IP addresses) to authenticate you and to protect your account against unauthorised access.
- Device and Technical Information: Your device type, operating system, browser type, IP address, device identifiers, and other technical specifications that help us understand how you access our Services.
- Usage Data: Information about how you interact with our Services, including pages viewed, features used, time spent, clicks, searches, and other usage patterns collected through analytics tools.
- Network Information: Data about your internet connection, network type (mobile, WiFi), and related technical information.
- Advertising Identifiers: Unique identifiers assigned by advertising platforms (Google, Meta, TikTok) to track advertising performance and user engagement across their networks.
4. How We Use Information
We use the information we collect for the following purposes:
- Provide and Improve Services: To deliver, maintain, support, and improve our Services, including technical support, bug fixes, and feature development.
- Respond to Inquiries: To respond to your questions, comments, and requests submitted through contact forms or other communication channels.
- Communications: To send you service-related announcements, updates, security alerts, support messages, and other administrative communications.
- Analytics and Usage Analysis: To analyze how our Services are used, understand user behavior, identify trends, measure engagement, and optimize performance and user experience.
- Detect and Prevent Issues: To detect, investigate, and prevent fraud, abuse, security incidents, technical issues, and other harmful or prohibited activities.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, and lawful requests from government authorities.
- Marketing and Advertising: To send you marketing communications about our Services, new features, promotions, and related products (where permitted by law and your preferences).
5. Legal Basis for Processing (UK/EU)
If you are located in the United Kingdom or European Union, we process your personal data based on the following legal grounds:
- Contract: Processing is necessary to perform our obligations under our Terms of Service and to provide the Services you request.
- Legitimate Interest: We have a legitimate interest in analyzing usage, improving our Services, detecting fraud and abuse, and marketing our Services, balanced against your rights and interests.
- Consent: Where required, we rely on your explicit consent for non-essential cookies, advertising tracking, and certain marketing communications.
- Legal Obligation: We process data when required by applicable laws, regulations, or lawful government requests.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (such as pixels, beacons, and local storage) for multiple purposes:
- Analytics: To track usage patterns, understand how visitors interact with our Services, and measure performance metrics.
- Advertising: To deliver targeted advertising, measure advertising effectiveness, and track conversions across our Services and partner sites.
- Functionality: To remember your preferences, maintain login sessions, and enhance your experience.
We use a cookie banner to manage your consent preferences for non-essential cookies and tracking. You can manage your cookie preferences at any time through the banner or your browser settings. Please see our Cookie Policy for more detailed information.
7. Advertising and Analytics Providers
We work with third-party service providers who process your data on our behalf for analytics and advertising purposes:
- Google Analytics and Google Ads: Google processes data such as your IP address, browser type, device ID, and usage patterns to provide analytics and advertising services. Google's data processing is governed by its privacy policy. You can opt out of Google ads.
- Meta Ads (Facebook): Meta processes data for targeted advertising and performance measurement. You can manage your Meta ad preferences.
- TikTok Ads: TikTok processes data for advertising and analytics purposes. See the TikTok Privacy Center.
Each provider may process data outside your country or region. Their privacy practices are governed by their own privacy policies, and we encourage you to review them. Where applicable, these providers may participate in privacy frameworks such as the EU-US Data Privacy Framework.
8. Cloud Storage and Authentication Sub-Processors
Certain features of our Services — including account creation and sign-in, and the optional cloud synchronisation of your content (for example DarkRef Cloud Sync) — rely on managed cloud infrastructure provided by Google LLC under its Firebase and Google Cloud platforms. Google LLC acts as our sub-processor for these services.
- Firebase Authentication: Used to create and manage user accounts and to issue authentication tokens when you sign in (including with email/password or a federated provider such as Google Sign-In). Firebase processes your email address, password credentials (in hashed form where applicable), authentication tokens, and limited device and IP metadata for the purpose of providing the authentication service and protecting your account.
- Firebase Cloud Storage: If you enable cloud synchronisation, the images and reference files you upload are stored on Google Cloud Storage at storage paths scoped to your user identifier.
- Cloud Firestore: Project and item metadata associated with your synchronised content (such as board layouts, file references, and timestamps) is stored in Firestore at document paths scoped to your user identifier.
Google encrypts the above data at rest (using AES-256 or stronger) and in transit (using TLS) as part of its standard platform protections. Google's processing of this data is governed by the Firebase Privacy and Security documentation and the Google Cloud Data Processing Addendum. Google Cloud data may be processed in data centres in multiple regions (see Section 10).
Important: we do not provide end-to-end (zero-knowledge) encryption. Content you upload to our cloud services is not encrypted on your device with a key only you control. The encryption keys protecting your data at rest are held by our cloud provider, and our authorised personnel — like the personnel of any managed cloud platform — have the technical ability to access stored content for the limited purposes described in this Privacy Policy (such as operating, securing, troubleshooting, or supporting the Services, investigating abuse, or complying with applicable law). If you require zero-knowledge or end-to-end encrypted storage, you should not use our cloud synchronisation features and should store sensitive content only on your own device.
9. Data Sharing
We do not sell, rent, or trade your personal data. We may share your information in the following limited circumstances:
- Service Providers: With trusted third-party service providers who assist us in operating our Services, including hosting providers, analytics vendors, advertising partners, and technical support vendors. These providers are contractually bound to use your data only as necessary to provide services to us.
- Legal Requirements: When required by law, regulation, legal process, government request, or to protect the rights, safety, and property of KeyStone, our users, or the public.
- Business Transfers: If KeyStone is acquired, merged, or its assets are transferred, your personal data may be transferred as part of that transaction. We will provide notice if such a change occurs.
- Protection of Rights: To enforce our Terms of Service, protect against fraud and abuse, and protect the legal rights and safety of KeyStone, our users, and the public.
10. International Data Transfers
Your personal data may be processed, stored, and transferred outside your country of residence, including to countries that may not have the same data protection standards as your home country. When we transfer data internationally, we implement appropriate safeguards, including:
- Standard Contractual Clauses: We use contractual clauses approved by the European Commission to ensure adequate protection for international data transfers.
- Adequacy Decisions: We rely on adequacy decisions where applicable (e.g., for certain countries recognized as having adequate data protection).
- Google Cloud Infrastructure: We use Google Cloud services with data centers in multiple regions, including London (United Kingdom), Iowa (United States), and Sydney (Australia), to ensure data residency compliance where applicable.
11. Data Retention and Account Deletion
We retain your personal data for as long as necessary to fulfil the purposes outlined in this policy:
- Account Data: Retained while your account is active. Upon account deletion, we will delete your personal data, subject to legal retention obligations.
- Contact Form Data: Retained as long as needed to respond to your inquiry and provide customer support, typically up to 90 days after our final response.
- Analytics Data: Retained in aggregated, anonymized form for trend analysis and service improvement. Individual identifiers are typically removed after 24 months.
- Synchronised Content: Images, notes, and project metadata stored through optional cloud synchronisation are retained while your account is active and are removed from production storage when you delete the relevant content or your account, subject to short-term retention in backups as described below.
How to delete your account. You may request deletion of your account and the personal data associated with it at any time, either from within the relevant application (where an in-app account-deletion option is offered) or by emailing us at timdommett@icloud.com. When we action a deletion request, we will remove your account record, your authentication credentials held by our authentication provider, and any synchronised content stored on our infrastructure under your account, subject to: (a) any temporary retention in disaster-recovery backups, which age out on a rolling basis in accordance with our cloud provider's standard retention practices; and (b) any data we are legally required to retain (for example, records relating to taxation, fraud prevention, or the resolution of an open dispute).
12. Your Rights
Depending on your location, you have certain rights regarding your personal data. These rights may include:
- Right to Access: You have the right to request and obtain a copy of the personal data we hold about you.
- Right to Correction: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to Deletion: You have the right to request that we delete your personal data, subject to certain legal exceptions.
- Right to Object: You have the right to object to processing of your personal data for marketing, analytics, or other purposes.
- Right to Restrict Processing: You have the right to request that we restrict how we process your personal data in certain circumstances.
- Right to Data Portability: You have the right to request your personal data in a structured, commonly used, and machine-readable format.
- Right to Withdraw Consent: If we process your data based on consent, you have the right to withdraw that consent at any time.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe we have violated your rights.
To exercise any of these rights, please submit a request through our Contact form or email timdommett@icloud.com. We will respond to your request within the timeframe required by applicable law.
13. Security
We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using HTTPS/TLS protocols;
- Encryption of data at rest using the platform protections provided by our cloud infrastructure providers;
- Logical access controls designed so that, under normal operation of our applications, an authenticated user can read and write only their own account's data;
- Account authentication, including support for email/password and federated sign-in where offered;
- Hosting on reputable managed cloud infrastructure;
- Regular security review and updates of the application and its dependencies.
What our security measures do not do. Where Services involve storing your content on our cloud infrastructure (see Section 8), we do not provide end-to-end ("zero-knowledge") encryption of that content. We and our cloud infrastructure providers hold the keys to data at rest, and our authorised personnel — and personnel of our cloud providers — have the technical ability to access stored data for the limited purposes described in this Privacy Policy. Data stored on your own device by our applications relies on the operating system's standard file protections and is not separately encrypted by us beyond those protections.
No security system is absolutely secure. While we use reasonable measures to protect your personal data, we do not and cannot guarantee 100% security. You are responsible for maintaining the confidentiality of your account credentials and for keeping your devices and any backups of your content secure.
14. Children's Privacy
Our Services are not directed to, and we do not knowingly collect personal data from, children under the age of 13 (or 16 in the United Kingdom and European Union). If we become aware that we have collected personal data from a child in these age groups, we will take steps to delete such data and terminate the child's access to our Services. If you believe we have collected information from a child, please contact us immediately at timdommett@icloud.com.
15. Updates to This Policy
We may revise this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any material changes will be notified to you via email (if you have provided an email address) or by posting a prominent notice on our Services. Your continued use of the Services after any changes constitutes your acceptance of the revised Privacy Policy. It is your responsibility to review this policy periodically. The "Last Updated" date at the top of this policy indicates when it was last modified.
16. Contact
If you have questions, concerns, or requests regarding this Privacy Policy, your personal data, or our privacy practices, please contact us:
- Via our Contact form at keystonegames.com/contact
- By email at timdommett@icloud.com
Keystone Singularity Studios Limited (company number 17072231)
Registered Office: Flat 803 Bagshaw Building, 1 Wards Place, London, England, E14 9AZ
We will respond to your inquiries and requests within the timeframe required by applicable law.