Version 1.0 │ Effective Date: March 2026 │ riftlabstudios.com
This document is also available in file form here:
Google Docs
- When a new version of this document is issued, it will be available in the Google Docs version first, and the online version will be updated as soon as possible after the new version is finalised and has reached its effective date.
- In case of a discrepancy between the Google Docs version and the online version, the Google Docs version will be considered the most up-to-date and authoritative version until the online version is updated.
PLEASE READ THIS PRIVACY POLICY CAREFULLY BEFORE ACCESSING OR USING ANY SERVICE PROVIDED BY RIFTLAB STUDIOS. BY ACCESSING OR USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREED TO BE LEGALLY BOUND BY THE TERMS OF THIS POLICY. YOUR CONTINUED USE OF THE SERVICES CONSTITUTES ONGOING ACCEPTANCE OF THIS POLICY AS AMENDED FROM TIME TO TIME. IF YOU DO NOT AGREE, YOU MUST IMMEDIATELY DISCONTINUE ALL USE OF RIFTLAB STUDIOS SERVICES.
This Privacy Policy (“Policy”) operates alongside and is to be read together with the Riftlab Studios Terms of Service, End User Licence Agreement (EULA), Community Standards, and Confidentiality Guidelines, each of which forms part of the overall framework governing your relationship with RLS. Where RLS games and services are distributed via Steam, the Steam Privacy Policy and Steam Subscriber Agreement also apply and take precedence over this Policy with respect to data processed exclusively by Valve Corporation.
SECTION 1 — DEFINITIONS
For the purposes of this Policy, the following definitions apply:
- “Riftlab Studios,” “RLS,” “we,” “us,” or “our” refers to Riftlab Studios, an independent game development studio operating the Services described herein (riftlabstudios.com).
- “User,” “you,” or “your” refers to any individual or entity accessing or using the Services.
- “Services” refers collectively to all games (including Breach Protocol), websites, community platforms, digital distribution channels (including Steam), APIs, and any other offerings operated or published by Riftlab Studios.
- “Personal Data” refers to any information that identifies or is reasonably capable of identifying a natural person, including but not limited to usernames, email addresses, IP addresses, and persistent device identifiers.
- “Usage Data” refers to automatically collected technical and behavioural data generated through your use of the Services, including gameplay statistics, session records, crash reports, error logs, and feature interaction data, which does not in isolation identify a natural person.
- “Processing” refers to any operation or set of operations performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, and destruction.
- “Third-Party Services” refers to platforms, tools, and services operated by parties other than RLS that interact with or are accessible through the Services, including without limitation Steam, Discord, and any analytics or infrastructure providers engaged by RLS.
- “Data Controller” refers to the party that determines the purposes and means of processing Personal Data. For the purposes of this Policy, Riftlab Studios acts as Data Controller in respect of Personal Data processed directly by RLS.
SECTION 2 — SCOPE AND APPLICABILITY
This Policy applies to all individuals who access or use the Services, including without limitation players, playtesters, community members, content creators, collaborators, press contacts, and any other party to whom access has been granted.
This Policy governs the Processing of Personal Data by Riftlab Studios only. It does not govern data collected, held, or processed by Third-Party Services. Each Third-Party Service operates under its own privacy policy and data protection framework, for which RLS bears no responsibility.
This Policy takes effect at the moment of first access to any part of the Services and continues to apply for the duration of the User’s relationship with RLS and, in respect of retained data and surviving obligations, thereafter.
Individuals who have been granted access to non-public RLS information through testing programmes, collaboration agreements, or community roles are subject additionally to the RLS Confidentiality Guidelines, which apply concurrently with and supplement this Policy. Where both instruments impose obligations in respect of the same information, the stricter obligation shall prevail.
SECTION 3 — CATEGORIES OF INFORMATION COLLECTED
RLS collects information within the following categories, the applicability of which varies according to the nature of your engagement with the Services:
3.1 Information Collected Automatically
- Usage Data, including gameplay statistics, session durations, feature interaction records, in-game event logs, and performance metrics.
- Technical identifiers, including device type and model, operating system version, browser type and version, IP address, and persistent device or installation identifiers.
- Diagnostic data, including crash reports and error logs generated automatically upon malfunction or abnormal termination of the Services.
- Access logs, including timestamps of access, service endpoints or pages accessed, and referring source data.
3.2 Information Provided by the User
- Correspondence and communications submitted to RLS through any official channel, including Discord support tickets, the contact form at riftlabstudios.com, and direct electronic mail.
- Submissions made through testing programmes, including bug reports, feedback forms, and survey responses.
- Any information furnished voluntarily in connection with an application to join a testing programme, community role, or formal collaboration arrangement.
3.3 Information Received from Third-Party Platforms
- Where access to the Services is mediated through Steam or another supported platform, RLS may receive limited account metadata or identifiers as transmitted by that platform pursuant to its own terms and privacy policy. RLS does not receive, store, or process payment credentials or full account details held by any third-party platform.
- Information posted or shared in RLS-affiliated community spaces hosted on third-party platforms (including Discord) is subject to the applicable platform’s own terms and may be visible to other participants in those spaces. RLS does not represent that such information is private.
- RLS does not operate a standalone user account or authentication system. All account credentials and associated data are held exclusively by the applicable third-party platform and are outside the scope of this Policy.
3.4 Information Not Collected
- RLS does not collect, store, or process payment card numbers, bank account details, or other financial credentials. All payment processing is conducted exclusively by the applicable third-party distribution platform.
- RLS does not knowingly collect Personal Data from individuals below the applicable minimum age threshold in their jurisdiction of residence. Upon becoming aware that Personal Data has been collected from an individual below that threshold without appropriate parental or guardian consent, RLS will take all reasonably practicable steps to delete such data without undue delay.
SECTION 4 — PURPOSES OF PROCESSING
Personal Data and Usage Data collected through the Services are processed for the following purposes:
- To operate, maintain, secure, and improve the Services, including the identification and remediation of technical defects, the balancing and refinement of gameplay systems, and the development of new features and content.
- To respond to and administer enquiries, support requests, and other correspondence submitted through official RLS channels.
- To administer and manage testing programmes, community roles, and formal collaboration arrangements, including the verification of eligibility, the grant and revocation of access, and the administration of associated agreements.
- To monitor compliance with the RLS Terms of Service, EULA, Community Standards, and Confidentiality Guidelines, and to investigate suspected violations thereof.
- To conduct aggregate and anonymised analysis of usage patterns for the purpose of informing development and operational decisions. Where practicable, such analysis shall be conducted on data that has been anonymised or pseudonymised prior to analysis.
- To detect, investigate, and respond to security threats, unauthorised access, fraud, and other conduct that may compromise the integrity or availability of the Services.
- To fulfil any legal or regulatory obligations to which RLS is subject, including responding to lawful requests from competent governmental or judicial authorities.
- RLS does not employ Personal Data for purposes of automated individual decision-making or profiling that produces legal effects or similarly significant consequences, except where such processing is based on explicit consent or is otherwise required or permitted by applicable law.
SECTION 5 — LEGAL BASIS FOR PROCESSING
Where applicable data protection law requires a lawful basis for the Processing of Personal Data, RLS relies upon one or more of the following grounds:
- Contractual necessity: Processing is required for the performance of the agreement between RLS and the User constituted by the Terms of Service and EULA, or in order to take steps at the User’s request prior to entering into such agreement.
- Legitimate interests: Processing is necessary for the purposes of the legitimate operational, security, and development interests of RLS, having regard to the nature of those interests and the reasonable expectations of Users, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject.
- Legal obligation: Processing is required to comply with a legal or regulatory obligation to which RLS is subject.
- Consent: Where RLS relies upon consent as the lawful basis for any specific Processing activity, such consent shall be sought at the point of collection in a clear and unambiguous manner. Consent so given may be withdrawn at any time by contacting RLS through the channels specified in Section 14. Withdrawal of consent shall not affect the lawfulness of Processing carried out prior to such withdrawal.
As Riftlab Studios is not currently a formally registered legal entity, the specific applicable data protection regime will be identified and incorporated into a future revision of this Policy upon formal incorporation. In the interim, RLS commits to Processing Personal Data in a manner consistent with generally recognised data protection principles, including the principles of purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.
SECTION 6 — DISCLOSURE AND TRANSFER
RLS does not sell, rent, license, or otherwise trade Personal Data to or with any third party. Disclosure of Personal Data is made only in the following circumstances:
- To third-party service providers engaged by RLS to perform functions in connection with the operation of the Services, including analytics, hosting, and communications infrastructure. All such providers are contractually bound to process Personal Data solely for the purposes for which it was disclosed and in accordance with standards no less protective than those set out in this Policy.
- To competent governmental, regulatory, or judicial authorities, where disclosure is required by applicable law, regulation, court order, or other binding legal process, and only to the extent strictly required by such obligation.
- In connection with a prospective or completed merger, acquisition, restructuring, or transfer of all or a material part of the assets or operations of RLS, provided that any acquirer or successor entity assumes obligations no less protective of Personal Data than those set out in this Policy. Affected Users shall be notified in advance through official RLS channels where reasonably practicable.
- Where the User has provided express prior written consent to a specific disclosure not otherwise covered by this Policy.
Any disclosure made under this Section is limited to the minimum Personal Data necessary to fulfil the relevant purpose. Third-party providers who receive Personal Data from RLS are not authorised to process it for any purpose other than the specific service provided to RLS.
SECTION 7 — DATA RETENTION
Personal Data is retained only for so long as is necessary to fulfil the purposes for which it was collected, to satisfy applicable legal or regulatory obligations, or to establish, exercise, or defend legal claims.
Usage Data that has been irreversibly anonymised such that it can no longer be attributed to any identifiable individual may be retained for an indefinite period for statistical and development purposes.
Correspondence and support communications are retained for a period of two (2) years from the date of resolution of the matter to which they relate, unless a longer retention period is required by law or is necessary for the resolution of any outstanding dispute or claim.
Upon termination of a User’s access to the Services, RLS shall delete or render anonymous the User’s Personal Data within a reasonable period, save where continued retention is required by law, regulatory obligation, or legitimate operational necessity relating to ongoing disputes, claims, or audit obligations.
Former participants in testing programmes whose obligations under the Confidentiality Guidelines have expired may submit a request for deletion of their Personal Data in accordance with the procedure set out in Section 9.
SECTION 8 — SECURITY
RLS implements and maintains appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.
Access to Personal Data held within RLS systems is restricted to those personnel for whom such access is operationally necessary, and is subject to appropriate confidentiality obligations.
RLS makes no representation that the security measures in place are impenetrable or that Personal Data is immune from all risk of compromise. No method of electronic storage or transmission is free from all risk of interception or breach.
In the event of a Personal Data breach that gives rise to a risk to the rights or interests of affected Users, RLS shall notify those Users through official RLS channels without undue delay and in accordance with applicable law.
Any suspected or confirmed unauthorised access to a User’s account or to RLS systems must be reported to RLS immediately through the channels specified in Section 14.
SECTION 9 — RIGHTS OF DATA SUBJECTS
Subject to the conditions and limitations imposed by applicable law and the nature of the data held, Users may hold the following rights in respect of their Personal Data:
- Right of Access: the right to obtain from RLS confirmation of whether Personal Data concerning the User is being processed and, where it is, to receive a copy of that data together with information concerning the purposes, categories, and recipients of such processing.
- Right to Rectification: the right to require RLS to rectify without undue delay any inaccurate Personal Data and, having regard to the purposes of the processing, to have incomplete Personal Data completed.
- Right to Erasure: the right to require RLS to erase Personal Data where it is no longer necessary for the purposes for which it was collected, where consent has been withdrawn and no other lawful basis applies, or where the data has been unlawfully processed.
- Right to Restriction of Processing: the right to require RLS to restrict Processing in specified circumstances, including where the accuracy of the data is contested, where Processing is unlawful but erasure is opposed, or where the data is no longer needed but must be retained pending the establishment, exercise, or defence of legal claims.
- Right to Data Portability: the right, where Processing is carried out by automated means on the basis of consent or contractual necessity, to receive Personal Data provided to RLS in a structured, commonly used, machine-readable format, and to transmit that data to another controller where technically feasible.
- Right to Object: the right to object at any time to Processing of Personal Data carried out on the basis of legitimate interests, including processing for direct marketing purposes. Upon receipt of a valid objection, RLS shall cease the relevant Processing unless it can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or the Processing is necessary for the establishment, exercise, or defence of legal claims.
Requests to exercise any of the foregoing rights must be submitted to RLS through the channels specified in Section 14. RLS shall respond to all valid and verifiable requests within the period required by applicable law. RLS reserves the right to verify the identity of the requesting party prior to acting on any such request and to refuse manifestly unfounded or excessive requests.
As Riftlab Studios is not currently a formally registered legal entity, the precise legal framework governing the exercise of these rights will be confirmed in a future revision of this Policy. RLS commits to giving effect to all substantively valid requests in good faith pending such confirmation.
SECTION 10 — COOKIES AND TRACKING TECHNOLOGIES
The RLS website at riftlabstudios.com and associated web-based services may employ cookies, pixel tags, local storage objects, or functionally equivalent tracking technologies for the purposes of session management, preference retention, and the collection of Usage Data.
Where the use of such technologies requires consent under applicable law, RLS shall seek that consent at the point of first use and shall not deploy non-essential tracking technologies prior to obtaining it.
Third-party platforms, tools, and analytics providers integrated with the Services may independently deploy their own tracking technologies. RLS exercises no control over such third-party technologies and accepts no responsibility for them. Users should consult the relevant third-party privacy policies for further information.
Users may configure or disable cookies through their browser or device settings. Restriction or disablement of cookies may impair the functionality of certain components of the Services. RLS does not warrant the continued availability or full performance of any Service feature where cookies have been disabled.
SECTION 11 — MINORS
The Services are not directed at individuals below the minimum age threshold applicable in their jurisdiction of residence. Access to the Services by individuals below the age of thirteen (13), or such higher minimum age as may be required by applicable law in their jurisdiction, is prohibited without verified parental or guardian consent, as set out in Section 3 of the RLS Terms of Service.
Users who are under the age of majority in their jurisdiction of residence represent and warrant that a parent or legal guardian has reviewed this Policy and consented to the collection and Processing of information as described herein on the User’s behalf.
Any parent or legal guardian who becomes aware that a minor has submitted Personal Data to RLS without appropriate consent is required to notify RLS immediately through the channels specified in Section 14. Upon receipt of such notification, RLS shall take all reasonably practicable steps to delete the relevant Personal Data without undue delay.
SECTION 12 — AMENDMENTS
This Policy may be amended at any time by designated RLS leadership to reflect changes in applicable law, regulatory requirements, operational practice, or the nature of the Services.
In respect of material amendments, RLS shall endeavour to provide not less than seven (7) days’ advance notice through official RLS channels prior to the amended Policy taking effect. The date of the most recent revision shall be recorded at the head of this document.
A User’s continued access to or use of the Services following the entry into force of any amendment constitutes acceptance of the amended Policy. Each User bears responsibility for reviewing this Policy periodically to remain informed of its current terms.
A User who does not accept any amendment has no remedy other than the immediate discontinuation of all use of the Services.
SECTION 13 — RELATIONSHIP TO OTHER RLS DOCUMENTS
This Policy forms part of the overall framework governing the User’s relationship with RLS, alongside the Terms of Service, EULA, Community Standards, and Confidentiality Guidelines. Each instrument is to be read and construed in conjunction with the others.
In the event of any conflict between this Policy and the Terms of Service, the order of precedence established in Section 18 of the Terms of Service shall govern.
Where a User is subject to the RLS Confidentiality Guidelines by virtue of participation in a testing programme, collaboration arrangement, or community role, both this Policy and the Confidentiality Guidelines apply concurrently. In the event of any inconsistency between the two instruments in respect of any particular obligation, the stricter obligation shall prevail.
SECTION 14 — CONTACT
All enquiries, requests, and formal notices relating to this Policy — including requests to exercise data subject rights, notifications of suspected breaches, and requests for clarification of applicable obligations — shall be directed to designated RLS leadership through the official Riftlab Studios Discord support channels or through the contact information published at riftlabstudios.com.
Formal data protection notices must be clearly marked as such. RLS shall use reasonable endeavours to respond to all legitimate formal notices within a reasonable period and in any case within the timeframe prescribed by applicable law.
Where a matter may engage both this Policy and the Confidentiality Guidelines, the User should describe the circumstances as precisely as practicable without disclosing sensitive information. RLS will determine and advise on the applicable framework.
© 2026 Riftlab Studios. All rights reserved. This Policy is subject to amendment. Continued use of the Services following any amendment constitutes acceptance of the then-current version.