Compliance & Data Handling
This page covers how Playprint handles data privacy and compliance, and what your studio needs to know when integrating.
Architecture Overview
Playprint achieves compliance by not collecting personal information in the first place. Our architecture ensures that:
- All user IDs are hashed (SHA-256) before they reach our systems
- Only gameplay decisions are processed — never chat, voice, or account data
- Player profiles contain trait scores (0-1 numbers) and archetype labels, not raw data
- We cannot reverse-engineer hashed IDs back to players
COPPA Compliance
The Children's Online Privacy Protection Act (COPPA) applies to games with users under 13 in the United States.
Why Playprint is COPPA-compliant:
- We do not collect "personal information" as defined by COPPA
- No parental consent is required for the Playprint component of your game
- No persistent identifiers that could be linked to a child's identity
- No social features that enable direct communication between users
If your game has a Playprint integration and targets children, you do not need additional age-gating or consent flows specifically for Playprint.
GDPR & GDPR-K
For users in the European Economic Area:
- Legal basis: Legitimate interest (providing the contracted service)
- Data minimisation: We only process the minimum data needed — gameplay decisions and hashed IDs
- Right to erasure: Players or studios can request deletion via the API (
DELETE /api/telemetry/profile). Processed within 30 days. - Data portability: Profiles are exportable in JSON format
- DPA: Data Processing Agreements available on Comply and Enterprise tiers
What Studios Need to Do
- Hash user IDs before sending to Playprint (the SDK does this automatically with
pp.hashUserId()) - Only send gameplay decisions through the SDK — never chat messages, account info, or other PII
- Update your privacy policy to mention that gameplay decisions are processed by a third-party service (Playprint) to create behavioural profiles. Template language available on request.
- Provide a way for players to request data deletion if required by your jurisdiction. You can call our deletion API endpoint on their behalf.
Data Retention
| Tier | Retention Period |
|---|---|
| Build | 90 days |
| Launch | 1 year |
| Grow | 2 years |
| Comply | 2 years + audit log |
| Enterprise | Custom |
After the retention period, telemetry data and computed profiles are automatically purged.
Security
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- API keys are scoped per game and per environment (production / development)
- Role-based access control for studio accounts
- Security reviews and pen testing (Enterprise tier)
Questions?
If your legal or security team has questions about Playprint's compliance posture, get in touch. We're happy to schedule a technical walkthrough.
See also: Privacy Policy and Terms of Service.