News FAQ Login Steam Discord
Create account
Privacy

Privacy policy

Last updated: May 14, 2026

Driftborn is operated by Redstride Studio. This policy explains what we collect, why we collect it, and the choices you have. We aim to comply with the EU GDPR, the UK GDPR & Data Protection Act 2018, and Canada's PIPEDA.

If anything here is unclear, email us at [email protected] or reach the team through the official Driftborn Discord.

What we collect

  • Account information: name, email address, password hash, and optional profile fields you choose to fill in.
  • Newsletter / Kickstarter / playtest opt-ins: the lists you joined plus consent metadata (source, timestamp, IP address, user agent) so we can honor and audit your preferences.
  • Session & security data: a session cookie, CSRF token, and optional two-factor authentication state. These are strictly necessary to keep you signed in and the site secure.
  • Server logs: short-lived request logs (IP, URL, status code, user agent) for security and abuse prevention.
  • Analytics (optional, with consent): if you accept the cookie banner, Google Analytics 4 sets cookies and collects a pseudonymous client ID, page URLs, referrer, approximate location (country/region), device type, and browser. We use IP anonymization and do not enable advertising features, ad personalization, Google Signals, or remarketing.

Future game stats, race results, inventory, creature ownership, and rewards are written only by trusted server-side systems and are tied to your account.

Why we collect it (legal bases)

  • Contract: account creation, sign-in, profile features, and any future game services you use.
  • Consent: newsletter, Kickstarter, and playtest emails; analytics cookies. You can withdraw consent at any time.
  • Legitimate interests: security logging, abuse prevention, and keeping the site running. We balance these against your rights and use the minimum data needed.

Cookies & similar technologies

We use two categories of cookies:

  • Strictly necessary: session cookie, CSRF token, and your cookie-consent choice itself (stored in your browser's localStorage). These do not require consent.
  • Analytics (optional): Google Analytics 4 cookies (_ga, _ga_*) only set after you click "Accept all" in the cookie banner. We use Google Consent Mode v2, so until you opt in, no analytics cookies are written and no identifiable data is sent to Google.

You can change your decision at any time by using the button (also available in the site footer), or by clearing site data in your browser.

Who we share data with

We do not sell or rent personal data. We share limited data with the following processors only as needed to run the service:

  • Hosting & email delivery providers (server infrastructure, transactional and newsletter email).
  • Google LLC / Google Ireland Limited for Google Analytics, only if you accept analytics cookies. Data may be transferred to the United States under Google's Standard Contractual Clauses and the EU–US Data Privacy Framework.

Staff access to signup lists is permission-gated and logged. Raw email exports may only be used with approved mailing tools that support unsubscribe handling and suppression lists.

How long we keep data

  • Account data: for the lifetime of your account, then deleted on request.
  • Newsletter subscribers: until you unsubscribe (one-click link in every email or via your profile settings).
  • Server & security logs: rotated within 30 days unless retained longer for an active investigation.
  • Google Analytics: data retention is set to the shortest GA4 setting (2 months for user-level data, 14 months for events).

Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and associated data ("right to be forgotten").
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Lodge a complaint with your local supervisory authority (e.g. your EU data protection authority, the UK ICO, or the Office of the Privacy Commissioner of Canada).

To exercise any of these rights, opt out of development news from your profile settings, or email [email protected]. We respond within 30 days.

Children

Driftborn is not directed at children under 13 (or under 16 in the EEA, where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email [email protected] and we will delete it.

Changes to this policy

If we make material changes, we will update the "Last updated" date above and, where appropriate, notify you in-product or by email. Continued use of the site after changes constitutes acceptance of the updated policy.