policy/PRIVACY_POLICY.md

# Privacy Policy

**Last Updated: April 2026**

Radium, a project by Rec Room Archive ("we", "our", or "us") collects and uses data to operate the game, maintain security, and provide support. This policy covers all services operated by Radium, including the game itself, the [Data Exporter tool](https://help.radie.app/data-exporter/) (used to preserve and migrate your Rec Room data via Rec Room Archive), and any other associated platforms or features. This policy explains what information we collect across these services and how it is used.

---

## 1. Information We Collect

We collect the information necessary to operate Radium and manage user accounts. For your account, this includes your username, Discord User ID (required for account creation and linking), and optionally your email address if you choose to provide one. Passwords are never stored in plain text - they are securely hashed using [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) via [ASP.NET Identity](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity), a standard industry approach to credential security. On the technical side, we collect an encrypted form of your IP address, hardware-based Device IDs, the platforms and devices you use to log in, and the timestamp of your last login per platform. We also collect gameplay and activity data, including room interactions, in-game activity, chat messages, and any reports, moderation actions, or bans associated with your account.

### Account Information

* Username
* Discord User ID (required for account creation and linking — [what is a Discord ID?](https://support.discord.com/hc/en-us/articles/206346498-Where-can-I-find-my-User-Server-Message-ID))
* Email address (optional)
* Passwords (securely hashed using [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) via [ASP.NET Identity](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity) — never stored in plain text)

### Technical Information

* Encrypted IP address (stored per account — [what is an IP address?](https://en.wikipedia.org/wiki/IP_address))
* Hardware-based Device IDs (unique identifiers tied to the device you play on — [what are Device IDs?](https://en.wikipedia.org/wiki/Device_fingerprint))
* Platform information (devices used to log in)
* Last login time per platform

### Gameplay & Activity Data

* Room interactions and in-game activity
* Chat and messages
* Reports, moderation actions, and bans

---

## 2. How We Use Your Information

We use the information we collect solely to operate and improve Radium. This includes identifying users across devices and sessions, preventing ban evasion and enforcing community rules, linking Radium accounts to Discord users for access control and support, reviewing moderation actions and resolving player reports, and maintaining the general stability and functionality of the game and its infrastructure. We do not use your data for advertising or any purpose unrelated to operating the service.

---

## 3. Data Security

We take reasonable steps to protect your personal data from unauthorized access or disclosure. IP addresses are stored in encrypted form, passwords are hashed using [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) and never stored in plain text, and access to sensitive data is restricted to authorized personnel and systems only. While no system can guarantee complete security, we are committed to applying appropriate technical measures to safeguard your information.

---

## 4. Data Sharing

We do not sell, rent, or share your personal data with third parties for their own purposes. All data is handled internally and used exclusively for operating Radium. The only exception is where disclosure is required by applicable law, such as in response to a valid legal request or court order.

---

## 5. Third-Party Services

To operate Radium, we rely on a small number of infrastructure providers, including hosting providers (VPS), authentication systems ([IdentityServer](https://duendesoftware.com/products/identityserver)), [S3-compatible](https://en.wikipedia.org/wiki/Amazon_S3) storage (such as [MinIO](https://min.io/)), and messaging systems ([RabbitMQ](https://www.rabbitmq.com/)). These services are used solely to support the platform's operation and do not receive your data for their own independent use. We select these providers carefully and limit the data shared with them to what is strictly necessary.

---

## 6. Cookies

Our website uses [cookies](https://en.wikipedia.org/wiki/HTTP_cookie) only for session management purposes, such as keeping you logged in while you browse. We do not use analytics cookies, advertising cookies, or any other form of tracking technology that monitors your behavior across websites. You can control cookie settings through your browser, though disabling session cookies may affect your ability to stay logged in.

---

## 7. Data Retention

We retain your data for as long as it is necessary to operate the service and uphold our moderation responsibilities. Some data, such as notifications and game invites, is cleared automatically after a short period. Other data, such as account information and moderation history, is kept for as long as your account is active or as needed to protect the integrity of the platform. If your account is closed or data is deleted upon request (see Section 8), we will remove your information within a reasonable timeframe, except where retention is required by law.

---

## 8. Your Rights & Data Deletion

We respect your rights over your personal data under applicable privacy laws. Depending on where you live, you may have the following rights:

* **[GDPR](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) (EU/EEA/UK users):** You have the right to access, correct, or erase your personal data; to restrict or object to its processing; and to [data portability](https://en.wikipedia.org/wiki/Data_portability). You also have the right to lodge a complaint with your local [data protection authority](https://www.edpb.europa.eu/about-edpb/about-edpb/members_en).
* **[CCPA](https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act) (California, USA users):** You have the right to know what personal information we collect and how it is used, to request deletion of your data, and to not be discriminated against for exercising these rights.
* **Other jurisdictions:** Users in other regions with applicable privacy laws (such as Canada's [PIPEDA](https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/), Brazil's [LGPD](https://en.wikipedia.org/wiki/Lei_Geral_de_Prote%C3%A7%C3%A3o_de_Dados), or Australia's [Privacy Act](https://www.oaic.gov.au/privacy/the-privacy-act)) may have similar rights to access and request deletion of their data.

At this time, accounts cannot be self-deleted through the game interface. To submit a data access or deletion request, please contact us through the official Radium or Rec Room Archive Discord server (see Section 11). We will respond to verified requests within 30 days, or within the timeframe required by applicable law. Please note that some data — such as moderation records — may be retained even after a deletion request where there is a legitimate legal or safety basis for doing so.

---

## 9. Age Requirements

Radium is not intended for users under the age of 13, in line with the [Children's Online Privacy Protection Act (COPPA)](https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa). We do not knowingly collect personal data from children under 13. If we become aware that a user under 13 has created an account or provided personal information, we will take steps to delete that data promptly. If you believe a minor has registered on our platform, please contact us through our Discord server.

---

## 10. Data Exporter (Rec Room Archive)

Radium operates a [Data Exporter tool](https://help.radie.app/data-exporter/) in partnership with [Rec Room Archive](https://www.recroomarchive.org/), which was created to preserve player data ahead of Rec Room's shutdown. When you use the Data Exporter, most of your Rec Room account data — including rooms, inventions, and related content — is saved onto Rec Room Archive's servers for potential future migration into Radium. This data is held separately from your active Radium account and is not immediately imported. Migration of exported data is not guaranteed and is subject to development progress. Users will be notified if and when migration becomes available.

Exported data is stored server-side, you do not need to keep your computer running for an export to complete. At this time, there is no self-service way to download a personal copy of your exported data, though this may be added in the future. Once a room or creation has been exported, it cannot be re-exported to overwrite the stored version. You may export data from multiple Rec Room accounts if you own them. Data collected through the Data Exporter is used solely for the purpose of migrating your content into Radium and is not shared with third parties or used for any purpose beyond preservation and migration. For full details, visit [help.radie.app/data-exporter](https://help.radie.app/data-exporter/).

---

## 11. Changes to This Policy

This policy may be updated from time to time to reflect changes in our practices or legal obligations. If we make any significant changes, we will notify users at least 7 days in advance through the Radium website before those changes take effect. We encourage you to review this policy periodically. Continued use of Radium after changes take effect constitutes your acceptance of the updated policy.

---

## 12. Contact

If you have any questions about this privacy policy, wish to exercise your data rights, or have concerns about how your information is handled, you can reach us through the official [Radium Discord server](https://discord.gg/radium-rr). We aim to respond to all inquiries in a timely manner, and to privacy-related requests within the timeframe required by applicable law.