This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use Vicariously Thru You (VTY)—our website and progressive web app, including mini-games, marketplace, chat & groups, push notifications, and support (the “Service”).
1) Scope & Roles
- Controller: VTM ES (to be incorporated), Estonia (EU).
- Applies to: Visitors, registered players, creators, and support contacts using our website/PWA, including push notifications and chats.
- Children: Not directed to children under 13 (or under 16 in the EEA/UK). If you believe a child used VTY, email contact@vtm.lat.
2) Data We Collect
2.1 You provide
- Account & Profile: email, username/handle, avatar, locale, and profile details you add.
- Content: public showrooms, messages in DMs/groups, bids/listings.
- Support: help requests, bug reports.
2.2 Collected automatically
- Usage & Device: app version, pages/screens, taps/clicks, session timestamps, approx. region/timezone, language, device/OS/browser, crash/error logs.
- Gameplay & Economy: session seeds/results, cooldowns, rewards, AFK claims, marketplace orders, bids/reveals, anti-abuse signals.
- PWA specifics: service worker cache events, install/uninstall, push subscription (web push token), background sync.
- Cookies/Storage: strictly necessary auth/session storage; we avoid cross-site tracking cookies by default.
2.3 From other sources
- Auth providers: if you use Google/Apple sign-in, we receive basic account info.
- Payment providers: when you buy premium features/items, we receive payment status (not full card data).
3) Why We Use Your Data & Legal Bases (GDPR)
Purpose | Examples | Legal basis |
---|---|---|
Provide the Service | sign-in, profile, inventory, showrooms, mini-games, AFK, marketplace | Contract (Art. 6(1)(b)) |
Fairness & Safety | anti-cheat, rate limits, spam/abuse prevention, moderation of chats/items | Legitimate interests (Art. 6(1)(f)); sometimes Legal obligation |
Localization & Accessibility | language auto-select, translations, screen/readability options | Legitimate interests |
Push & Notifications | drops/auctions/aura-flowers, account messages (opt-in for push) | Consent for push; Contract/legitimate interests for service messages |
Payments | purchase processing, receipts, fraud checks | Contract; Legal obligation |
Analytics & Improvements | performance, crash logs, feature usage, A/B tests | Legitimate interests |
Compliance | tax, accounting, requests from authorities, disputes | Legal obligation |
Where we rely on consent (e.g., push notifications, certain analytics/ads if enabled), you can withdraw it at any time in settings or your browser/OS permissions.
4) Ads & Marketing
- Default: VTY does not use invasive third-party ad tracking in the core loop.
- If we add optional rewarded placements later: we’ll clearly disclose the ad partner, ask for any required consent, and provide a simple opt-out. No “always-on” behavioral ads without choice.
6) International Transfers
We aim to keep primary storage in the EU/EEA when feasible. Some providers may process data in countries outside the EEA (e.g., the United States). When that happens, we use appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and additional measures where required. You can contact us for details about specific transfer mechanisms.
7) Retention
- Account data: while your account is active and then typically up to 24 months after inactivity (or earlier if you delete your account and no legal basis requires more).
- Gameplay/economy logs: typically 24 months for anti-abuse and auditability.
- Chats: as long as the conversation exists; deletions remove content from user view and our active systems, with short-term backups expiring per cycle.
- Legal/financial records: retained as required by law (e.g., 5–10 years in some jurisdictions).
8) Your Rights
EEA/UK (GDPR)
You have the rights of access, rectification, erasure, restriction, objection, and data portability. You may also withdraw consent at any time where processing is based on consent. You can lodge a complaint with your local authority; in Estonia, that’s the Estonian Data Protection Inspectorate.
California (CCPA/CPRA)
California residents have the rights to know/access, delete, correct, and opt out of the sale/sharing of personal information. We do not sell your personal information. You also have the right to limit the use of sensitive personal info where applicable and the right to be free from discrimination for exercising your rights.
Brazil (LGPD) and others
You may have similar rights under local laws. We honor valid requests consistent with applicable law.
How to exercise your rights: email contact@vtm.lat from your account email and describe your request. We’ll verify and respond within the statutory timeframe.
9) Security
- Encryption in transit, secure hosting, and environment-scoped secrets.
- Row-Level Security and server-verified economy mutations.
- Rate limits, cooldowns, and anomaly detection to combat abuse.
- Access controls, logging, and monitoring across critical systems.
No system is perfectly secure. If we learn of a breach affecting you, we’ll notify you and regulators as required.
10) Your Choices
- Account & Profile: edit your profile, change your visibility (public showroom vs. private vault).
- Push notifications: enable/disable in-app and via your browser/OS settings.
- Language & accessibility: select supported languages, reduce motion, high-contrast mode.
- Cookies/storage: you can clear site data in your browser; note that strictly-necessary auth/session storage is required for the Service to function.
- Delete account: email contact@vtm.lat to request deletion. We’ll remove or anonymize your personal data unless retention is required by law or for ongoing disputes/fraud prevention.
11) Automated Decision-Making
We use limited automation (e.g., spam/abuse detection, cooldown enforcement, basic content moderation and translation). These processes are designed to protect players and platform integrity and do not produce legal or similarly significant effects without human review. You can contest an automated decision by contacting us.
12) Payments
When you make a purchase, payments are processed by our payment partner (e.g., a PCI-DSS–compliant processor) acting as an independent controller for your card data. We receive only limited information (e.g., success/failure, last4/card brand, receipt metadata).
13) Third-Party Links
Our Service may link to third-party sites or services. Their privacy practices are their own; review their policies before using them.
14) Changes to This Policy
We may update this Policy to reflect changes to our products, laws, or practices. We’ll post the new version with a new Effective date and, where appropriate, notify you via the app or email. Your continued use after the update means you accept the changes.
15) Contact
Questions or requests about privacy?
Email: contact@vtm.lat
Controller: VTM ES (to be incorporated), Estonia
California Notice at Collection
We collect the categories described in Section 2 for the purposes in Section 3. We do not sell personal information. We may “share” limited identifiers for optional ads only with your consent. Retention periods are in Section 7. Your rights are in Section 8.