← Back to BrainBlox

Privacy Policy

Last updated: 22 March 2026

1. Introduction

BrainBlox ("we", "us", "our") is committed to protecting the privacy of all users, especially children. This Privacy Policy explains what information we collect, how we use it, and how we protect it. BrainBlox is designed for children aged 5-12, and we take our responsibilities under children's privacy laws seriously.

2. Information We Collect

2.1 Account Information

• Username — a chosen display name (not a real name)
• Password — securely hashed with bcrypt (10 salt rounds); never stored in plain text
• Display name — optional, user-chosen
• Age — optional, used only for difficulty recommendations
• Role — automatically assigned (kid, parent, or admin)

2.2 Game Progress Data

• Coins earned, tools owned, inventory items
• World modifications (blocks placed/removed)
• Challenge completion progress and math statistics
• XP, level, badges earned
• Vehicle and weapon ownership
• Castle rooms cleared

2.3 Math Performance Data

• Math answers submitted (category, difficulty, correctness)
• Response time per question
• Performance trends across game modes
• Multiplication table accuracy statistics
• Strengths and weaknesses analysis

2.4 Technical Data

• JWT authentication tokens (session management)
• WebSocket connection data for multiplayer sessions
• Heartbeat signals (game mode and active status)

2.5 What We Do NOT Collect

• Real names (usernames are chosen freely)
• Email addresses (not required for child accounts)
• Physical addresses or phone numbers
• Photos, videos, or biometric data
• Location or GPS data
• Device identifiers or advertising IDs
• Browsing history or cookies for tracking

3. How We Use Information

We use collected information solely to:

• Authenticate users and maintain game sessions
• Save and restore game progress across devices
• Generate age-appropriate math problems
• Track educational performance and identify areas for improvement
• Power the parent dashboard with analytics and insights
• Enable the prize reward system (parent-managed)
• Facilitate multiplayer gameplay and in-game chat
• Display leaderboards (username and XP only)
• Detect and prevent abuse (rate limiting, input validation)

4. Children's Privacy (COPPA Compliance)

BrainBlox is designed with children's privacy as a priority:

• We do not require real names, email addresses, or personal identifiers from children
• All new accounts are assigned the "kid" role by default (server-enforced)
• Parent accounts can create and manage child accounts
• Parents can view their children's performance data and control learning settings
• Chat is heavily restricted: rate-limited, character-limited, and sanitized
• We do not display advertising or use data for marketing purposes
• We do not sell, rent, or share children's data with third parties
• Parents may request deletion of their child's data at any time

5. Data Storage & Security

5.1 Server-Side Storage

User accounts, game progress, math history, and parent settings are stored in a PostgreSQL database hosted on Railway. All database connections use encrypted channels.

5.2 Client-Side Storage

The following data is stored locally in the browser (localStorage):

• JWT authentication token (for session persistence)
• Cross-mode analytics data (capped at 2,000 most recent attempts)
• Prize definitions and progress

5.3 Security Measures

• Passwords hashed with bcrypt (10 salt rounds)
• JWT-based session authentication
• Server-side input validation (position bounds, block types, JSON size caps)
• Display name sanitization (XSS character stripping)
• CORS restricted to configured origins
• Chat rate limiting to prevent abuse
• Role enforcement on server (registration always creates "kid" role)

6. Data Sharing

We do not sell, trade, or share user data with third parties. Data is only accessible to:

• The user themselves (their own account and progress)
• Linked parent accounts (for their children's data only)
• Admin accounts (for platform moderation and user management)

Multiplayer sessions share only usernames, positions, and chat messages with other players in the same room. This data is ephemeral and not permanently stored.

7. Data Retention

• Account data is retained as long as the account exists
• Game progress is updated continuously and retained with the account
• Math history records are retained for performance analytics
• Multiplayer room data is ephemeral (deleted when rooms empty, max 4 hours)
• Client-side analytics are capped at 2,000 entries
• When an account is deleted, all associated data (progress, history, settings) is permanently removed via CASCADE deletion

8. Parental Rights

Parents and legal guardians have the right to:

• Create and manage their child's account
• Review all data collected about their child
• Control which math categories are enabled
• Set daily problem goals and time limits
• Request deletion of their child's data and account
• Revoke consent for data collection at any time

To exercise these rights, parents can use the Parent Dashboard or contact us at support@brainblox.io.

9. Third-Party Services

BrainBlox uses the following infrastructure services:

• Railway — application hosting and database
• Cloudflare — DNS and CDN (domain routing only)

We do not use any third-party analytics, advertising, or tracking services. All game analytics are processed internally.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate the date of the most recent revision at the top of this page. We encourage parents to review this policy periodically. Continued use of BrainBlox after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy or your data, please contact us at support@brainblox.io.