Privacy Policy

Voidbloom · Effective June 2026 · Adults 18+ only · play-voidbloom.com

Data Controller & Contact

Voidbloom (trade name) is operated by Masud Uddin Ahmed, an individual sole proprietor in New York, United States ("Operator," "we," "us"). For GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, APPs, and similar laws, the Operator is the data controller for personal information processed through play-voidbloom.com and the Voidbloom game application. Privacy, access, correction, deletion, and advertising opt-out requests: email playcandlex@gmail.com from the address tied to your account or include your public call sign. We respond within applicable legal timelines (typically 30–45 days). EU/UK residents may lodge complaints with their local supervisory authority. California residents: we do not sell personal information; for "sharing" related to personalized ads, use the Google CMP, Google Ad Settings, or account deletion in Settings.

Overview

Voidbloom (effective June 2026) uses a minimal-data approach: we collect only what is needed to operate an 18+ multiplayer game. This policy applies globally (EU/UK GDPR, US state laws including CCPA/CPRA, LGPD, PIPEDA, APPs, COPPA — the service is 18+ only). We do not sell your personal information to data brokers.

1. Account Data We Store

Account & authentication: Firebase user ID and email address (or Google OAuth credentials processed by Google — see Google Privacy Policy). Profile: public call sign (handle), avatar/cosmetic choices, account creation date, online/away status, coarse activity label (e.g. Command Deck, Survival Run — see Bloom Pulse & Presence), last-seen timestamp, terms/disclaimer acceptance flags (terms_accepted, privacy_accepted), gameplay progress (daily fuel, high scores, captured companions, friend and block lists by handle), optional rank-board invite preference (friend_invites_open), and a daily friend-invite counter (friend_invite_quota — UTC date + count only). Operator Ranks (Operator Registry): your handle, account rank tier, public suit class (Tracker/Blaster/Guard/Glider), peak performance score, personal-best solo score, best PvP kills in one match, career PvP kills/deaths and multiplayer sortie count, plus total sorties played — one row per operator, erased on account deletion. Age attestation: boolean flags age_verified and is_verified (true/false) after self-certification or step-up verification; after ID Analyzer step-up we also store an opaque attestation_token (cryptographic reference — not your ID image) and verification_date timestamp. We never store your date of birth. Portal distribution (CrazyGames iframe builds): optional opaque CrazyGames user ID (crazygames_user_id), mirrored portal username/avatar fields, boolean portal_guest, and portal_source label — guest portal sessions do not require email; portal entry sets age_verified from self-cert only and leaves is_verified false until step-up. Optional Bloom signals (push): only if you opt in — FCM device token, signal inbox, daily send counter, and device-computed UTC delivery windows (see Bloom Signals section). We do not store: date of birth, government ID images, raw biometrics, GPS/geolocation, raw timezone offsets, IANA timezone names, device contact lists, or free-text chat/DMs between players.

2. Age Attestation (No Date of Birth Stored)

We never record your day, month, or year of birth in Firestore or on our servers. Initial 18+ certification uses a self-declaration in your browser; high-gated multiplayer may require step-up verification via ID Analyzer (below). Only boolean age_verified / is_verified attestation flags are written to your profile — never DOB values. This supports COPPA, UK Online Safety Act, and US state minor-protection laws while avoiding birth-date databases.

3. Step-Up Age Verification (ID Analyzer)

For high-gated multiplayer actions, we route step-up checks to ID Analyzer's DocuPass pipeline (government ID + liveness). ID document images, raw biometrics, and your date of birth are processed by the vendor and are NOT saved to our Firestore user profile or main application database. After vendor confirmation we write to your profile: boolean age_verified / is_verified flags, an opaque attestation_token, and verification_date. Separately, server-side verification_audit_logs (job ID, Firebase UID, pass/fail status, session IP at initiation, assessed-age band from vendor callback — not DOB) are retained for fraud prevention and regulatory audit. Step-up verification is independent of advertising consent.

4. Friends & Social (Handles Only)

Friends, lobby invites, squad queue invites, and blocklists operate on public handles only within our social mesh. Discover operators on Operator Ranks or via exact handle search — Connect/search sends a rate-limited, handle-only friend invite (accept/decline, no DMs). There is no in-game direct messaging or free-text chat. Email addresses and phone numbers are not exposed in friend graphs, lookups, or invite payloads. GPS, geolocation, and raw timezone identifiers are not used in social features. Friends who added each other may see your public handle, online/away status, last-seen timestamp, and a coarse activity label (Command Deck, Squad Lobby, Finding Squad, Survival Run, PvP Arena, Void War, Bio-Dome). Activity labels help friends queue together — never your email, GPS, or contact list. Bloom Pulse shows aggregate operator counts from our game servers: online now, in-match, finding squad, and total registered operators (handle claimed). Counts are anonymous totals — not a player list and not location data. Live counts refresh periodically while you are connected; the total registered count is cached and updated every few minutes. Operator Ranks (Operator Registry) lists every registered call sign ranked by peak performance — best solo score or weighted PvP best-kills — with account rank tier, public suit class, personal-best solo score, best PvP kills in one match, career PvP kills/deaths, multiplayer sortie count, and total sorties played (one row per operator). Browsing is available after handle registration; Connect (friend invites) and accepting requests require step-up age verification. Unverified recipients see pending counts only — sender handles unlock after step-up. Invites are rate-limited; you may disable rank-board invites in Settings. Decline and block work without verification. Your row is removed when you delete your account. Operator Ranks browsing is available after handle registration. Connect (friend invites), squad queue, matchmaking, custom lobbies, PvP, and Void War require step-up age verification (ID Analyzer) — only boolean is_verified / age_verified flags stored, never DOB. Solo survival does not require step-up. Outbound friend invites (Operator Ranks Connect or exact handle search) are capped at 5 per UTC day and 8 pending at once. Each invite is one accept/decline signal — no messages, no email exposure. Recipients may disable rank-board invites in Settings or block senders; blocked operators cannot invite you. Sending requires step-up verification; recipients who have not completed step-up receive a count-only alert (sender handle withheld in push and inbox until verification) — requests queue on their profile and unlock after ID Analyzer pass. Squad queue invites let friends matchmake into the same public lobby together. Invites are one-tap accept/decline signals — no chat thread. Blocked operators cannot queue together. Squad pairing uses ephemeral server memory during matchmaking; no message content is stored.

5. Google Sign-In (Transient Eligibility Check)

When you sign in with Google, we may transiently read eligibility fields (including birthday) via Google's API to block under-18 accounts. That data is used only for the immediate age check and is not stored or logged in our databases.

6. First-Party Analytics (Firebase)

We use Google Firebase Analytics to measure gameplay events (match start/end, wave reached, ad-offer funnel, etc.). Events may include your Firebase user ID and public handle for fraud prevention — not sold to marketing brokers. Analytics is separate from ad personalization. Where required by law, you may limit tracking via browser controls or delete your account. See Google Firebase privacy documentation for processor terms.

7. Advertising & Consent (Google AdSense)

We serve optional rewarded ads through Google AdSense for Games. Signup Terms & Privacy acceptance covers operating the service; ad personalization consent is separate. In the EEA, UK, and Switzerland, Google's certified Consent Management Platform (CMP) shows Consent, Do not consent, and Manage options before personalized ad cookies are used. Where you consent (or where law permits), Google and ad partners may use cookies and advertising identifiers. We do not sell your email or call sign to data brokers. Under CCPA/CPRA and similar US state laws, personalized ads may constitute "sharing" or "targeted advertising" — opt out via the CMP, Google Ad Settings, or account deletion. Non-personalized or no-fill paths may apply without blocking gameplay.

8. In-Match Equipment (Session-Only)

Void Drops, hotbar items, and lobby match-rule toggles are ephemeral match data relayed for gameplay — not sold, not profile-stored, and cleared when the match ends. Bloom Armory cosmetic loadouts (when enabled) store appearance choices only — no combat stats — and are deleted with profile wipe.

9. Bloom Signals (Web Push)

Optional Bloom signal (web push) alerts — crew invites, daily fuel, discovery pings — are delivered through Google Firebase Cloud Messaging (Google Ireland Ltd. / Google LLC; see policies.google.com/privacy). Alerts are never required to play. If you opt in via browser/OS permission, we store: (1) FCM device token, (2) signal inbox entries, (3) a daily send counter, and (4) device-computed notification delivery windows — UTC timestamps your browser calculates from its local clock when you open the app (AM ~7:00–12:59 and PM ~18:00–22:59 local) so retention alerts arrive at the correct local time while the app is closed. We do not store raw timezone offsets, IANA timezone names, GPS, geolocation API data, IP-based location, or device fingerprints. Windows refresh on your next app visit and are deleted when you disable push or delete your account. No PWA background execution (no Periodic Background Sync). Cross-user alerts (friend/lobby) send immediately without delivery windows. Matchmaking uses ephemeral in-memory queues (Redis scales WebSockets only — not geo). Capped at 2–3 signals/day. Legal bases: consent (push permission); contract/legitimate interest (alerts you requested). Erasure: Settings account delete or disable push.

10. Right to Deletion

Under GDPR Article 17, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, and APPs, you may delete your account anytime in Settings. Deletion permanently removes your Firebase Authentication record (including email), profile, handle lease, Operator Ranks rows, companions, friend links, boolean verification flags (age_verified / is_verified), attestation token, push tokens, delivery windows, signal inbox, and gameplay data — typically within 24 hours. Server-side verification audit logs (job ID, UID, pass/fail — no ID images or DOB) may be retained where required for fraud prevention and regulatory compliance. Irreversible.

11. Privacy Auditor Support

We provide authorized digital safety regulators with a cryptographic auditor reporting interface. Reports confirm pass/fail verification status and attestation integrity without exposing government ID images, biometrics, or date of birth. Audit records may include Firebase UID, job ID, and session metadata as described in the Step-Up Age Verification section.

12. Database Security

Firestore security rules enforce authenticated access. Users cannot read or modify other operators' private profile fields. Push subcollections (tokens, inbox, delivery windows) are server-managed only.