Privacy Policy

Last Updated: September 10, 2025

Introduction

Mechaverse (Mecha Labs Inc.) is a platform that enables robotics practitioners to visualize, share, and operate robots directly in the browser. We are committed to protecting your privacy and handling your personal information with care. This Privacy Policy explains what information we collect, how we use it, and the measures we take to safeguard it. Our approach is globally aware and aligns with regulations like the EU General Data Protection Regulation (GDPR), meaning we apply strong privacy controls for all users, not just those in specific regions. By using Mechaverse, you agree to the practices described in this policy. If you have any questions or concerns, please contact us using the information in the Contact Us section below.

Information We Collect

We collect information from you when you register on Mechaverse and when you use our services. The types of data we collect include:

Account Information: When you register via Google or GitHub OAuth, we collect the information those services provide (such as your name, email address, and profile avatar). We also ask you to choose a custom username for Mechaverse. If you decide to add optional profile details like a bio or social media links (e.g. Twitter, LinkedIn), we will store those too.

OAuth Tokens: If you sign up or log in with GitHub or Google, we receive OAuth access tokens that allow Mechaverse to verify your identity and possibly access your avatar and email. If you install our GitHub app, we may access certain data like your GitHub repositories. Any access tokens are stored in an encrypted form for security and are never exposed publicly. We treat these tokens like passwords and protect them accordingly.

Robot Images and Metadata: A core feature of Mechaverse is letting you upload robot images (pictures or visualizations of robots) and associated metadata (such as image titles, descriptions, or tags). These uploads allow you to share and display robots in your browser. Importantly, we do NOT collect or upload your actual robot files, code, or models – only the images you choose to provide and descriptive data about them.

Usage Data: Like most web platforms, we gather some technical data about how you use Mechaverse. This may include your IP address, browser type, operating system, pages or features you access, and timestamps. We primarily collect this via Google Analytics and server logs to understand aggregate usage patterns (see Cookies and Tracking Technologies below for details). This information helps us improve the service and troubleshoot issues. It is generally collected in anonymized or aggregated form and is not used to identify you personally.

Communications: If you contact us directly (for example, via email to support), we may receive additional information such as your name, email address, and the contents of your message. We use this information only to respond to your inquiries or requests.

How We Use Your Information

We use the collected information for the following purposes:

Providing and Personalizing the Service: We use your account information (like name, username, and avatar) to personalize your experience on Mechaverse. For example, we display your profile picture and username on your account and with any robots you share, so that you and others can recognize your contributions. Robot images and metadata you upload are used to display and share your robotics projects as you intend.

Service Operation and Improvement: Your data allows us to operate Mechaverse’s features. OAuth tokens let you log in securely via Google or GitHub. Uploaded robot images are stored so you and others (if you share publicly) can view them. Usage data (via analytics and logs) helps us understand how practitioners use the platform, so we can improve functionality, user interface, and overall performance.

Communication: We may use your email address to send you important updates or information about Mechaverse. For example, we might send a welcome email, inform you of new features, or alert you to policy updates. We may also send occasional newsletters or robotics-related content, but only if you have opted in. If you choose, you can unsubscribe from non-essential emails at any time. (Rest assured, we won’t spam – communications will be infrequent and relevant to the service.)

Security and Abuse Prevention: Information like OAuth tokens and usage logs is also used to keep the platform secure. We monitor for suspicious login activity or violations of our terms (such as someone attempting unauthorized access). This helps us protect user accounts and the integrity of the service.

Legal Compliance: In rare cases, we may need to use or disclose your information to comply with legal obligations. For instance, if we receive a valid law enforcement request or need to enforce our terms of service, we might have to access or provide certain data. We will only do so in accordance with applicable laws and to the minimum extent necessary.

What We Don’t Do: We do not sell or rent your personal information to third parties for their marketing. We do not use your personal data for advertising targeting. We also do not collect any payment information since Mechaverse does not currently charge for services (no credit card or billing data is collected).

Third-Party Services

Mechaverse relies on a few third-party services to function. We only share data with these providers as needed to run the service, and each of them is under obligations to protect your data:

Google Cloud Platform (GCP): Our backend infrastructure runs on Google Cloud. This means your data (from account info to uploaded images and analytics) is stored and processed on GCP’s servers. GCP is a reputable cloud provider that employs strong security measures. In fact, Google Cloud Platform uses the same security model that Google uses for its own products. Data stored on GCP is encrypted at rest by default using AES-256 encryption, and Google’s data centers are highly secure. Using GCP also means that your data may be stored in data centers located in the United States or other countries (see International Data Transfers below for how we handle that).

Google Analytics: We use Google Analytics (a web analytics service provided by Google) to collect anonymized visitor statistics and understand how users use Mechaverse. Google Analytics may set cookies or use similar technologies to collect usage data (such as which pages you visit and for how long). This helps us improve the site by seeing aggregated usage patterns. Google Analytics mainly uses first-party cookies to report on your interactions on our site. Google does not give us personally identifying information – we only see aggregated data (for example, total number of visits to a page). You can opt out of Google Analytics by using a browser plugin or by disabling cookies (see Cookies and Tracking Technologies).

OAuth Providers (Google & GitHub): When you choose to register or log in via Google or GitHub, you will be redirected to those providers to authenticate. These third parties will share with us certain information from your account (like your email, display name, and profile picture) as per the OAuth process. We use that information to create or log in to your Mechaverse account. We do not send any of your Mechaverse data back to Google or GitHub, except what’s necessary for the login process. Your use of Google’s or GitHub’s authentication is also governed by those companies’ privacy policies. We recommend reviewing Google’s and GitHub’s privacy policies for information on how they treat your credentials and any data they may collect during the OAuth process.

Other Service Providers: Aside from Google services, we currently do not integrate with other third-party services that would receive your personal data. If this changes in the future (for example, if we add an email sending service or a cloud function by another provider), we will update this policy. In any case, any third-party integration will be carefully vetted for security and will only be given information necessary to perform its function on our behalf.

Cookies and Tracking Technologies

Like most websites and web applications, Mechaverse uses cookies and similar technologies to ensure the service works correctly and to analyze usage. Here’s how we use them:

What Are Cookies: Cookies are small text files stored on your browser when you visit a website. They serve various purposes, like keeping you logged in or remembering your preferences.

Essential Cookies: Mechaverse uses essential cookies to enable core site functionality. For example, once you log in, a cookie might store your session so you don’t have to re-authenticate on every page. These cookies are required for the website to operate (e.g. for secure account access).

Analytics Cookies: We use Google Analytics, which sets first-party cookies (such as _ga and others) to collect information about how visitors use our site. This includes information like what pages you visit, how long you stay, and what country you are in. This data is anonymous – it does not include your name or email or other direct personal info. We use it to gather statistical information (for instance, total number of users, popular features, usage trends) so we can understand and improve Mechaverse. Google Analytics cookies may have varying lifespans (some last for the session, others persist for months or years unless cleared). You can learn more about how Google Analytics works in Google’s documentation, and you can opt out if you wish (see below).

No Advertising or Tracking Pixels: We do not use any advertising networks, third-party ad trackers, or social media pixels that track you across other sites. We also don’t use cookies for advertising or marketing purposes. All cookies we use are solely to provide or analyze our own service.

Your Choices for Cookies: You have the right to control or block cookies. Most web browsers allow you to refuse cookies or delete them. However, be aware that if you disable cookies entirely, Mechaverse’s essential features (like staying logged in) may not work properly. If you want to opt out of Google Analytics specifically, you can install the Google Analytics Opt-out Browser Add-on, which prevents Analytics from running. You can also use browser settings or plugins to block or clear cookies. We respect “Do Not Track” signals; if your browser is set to DNT, we will disable non-essential analytics tracking for your session.

Your Rights and Choices

We believe you should have control over your personal data. Regardless of where you live, you have certain rights and choices regarding the information you provide to us. We strive to honor these rights for all users, including those protected by GDPR (Europe) and CCPA (California):

Access and Portability: You have the right to access the personal data we hold about you. In practice, most of your data on Mechaverse is accessible by logging into your account (for example, you can see your profile info and any robot images you’ve uploaded). If you require a full export of your data, you can contact us and we will provide you with a copy in a common format.

Correction: If any of your information is incorrect or outdated, you can edit your profile at any time to correct things like your name, bio, or social links. If you need to update something that’s not editable via the interface, contact us and we’ll help make the correction.

Deletion (Right to be Forgotten): You can delete your account at any time, and this will remove your personal data from our systems. We provide an account deletion option in your user settings. Once you confirm deletion, we will permanently erase or anonymize your personal information, including your profile and any robot images and metadata associated with you. (Note: Content you shared publicly may no longer be accessible to others after deletion. However, non-personal derivative data like aggregate usage stats will remain, since they are not linked to an individual.) If you have trouble finding or using the self-service deletion, you can request account deletion by contacting us at our support email. Account deletion is our primary method for honoring data deletion requests globally – this satisfies GDPR requirements for erasure and CCPA rights for deletion in one simple step.

Withdrawal of Consent: In cases where you have explicitly given us consent to use your information (for example, if in the future we ask permission to use your content for a testimonial or to send a newsletter), you have the right to withdraw that consent at any time. If you withdraw consent, we will stop the specific use that you allowed. (Note: Using Mechaverse’s core features is generally based on fulfilling a service, not consent, so this mainly applies to optional uses of data.)

Objection and Restriction: If you believe we are processing your data in a way you object to, you have the right to object. For instance, if you object to us using analytics, you can disable it as described in Cookies above. If you object to any other processing, let us know. In certain circumstances, you can also request that we restrict processing your data (for example, stop using it but not delete it until an issue is resolved). We will evaluate such requests and comply if applicable.

No Discrimination: If you exercise any of these privacy rights, we will not treat you any differently. Users who choose to delete data or opt out of certain uses will still receive equal service (though obviously, if you delete your account entirely, you will no longer be able to use the service – but that’s your choice).

California Residents – CCPA: We do not sell personal information, so the typical “Do Not Sell My Info” provision is not applicable. Nonetheless, California users have the right to know what personal data we collect and how we use it (which is all explained in this policy), and the right to request deletion (which you can do by deleting your account). You can also send us a verifiable request for information about your data up to twice a year free of charge – although, again, we’ve aimed to make this policy comprehensive as to “what” and “why” we collect.

EU Residents – GDPR: Under GDPR, in addition to the above rights, you also have the right to lodge a complaint with your local Data Protection Authority if you believe your rights are being infringed. We encourage you to contact us first so we can address any issue. We want to emphasize that by design, Mechaverse implements measures (like data isolation and strong security) to protect all users’ data and meet compliance standards.

To exercise any rights or make any requests regarding your data, you can usually do so directly through the Mechaverse interface (for example, profile editing and account deletion). If you need any assistance or have a special request, please email us at vmold@mechaverse.dev. We will respond as soon as possible, and certainly within any timeframe required by applicable law (e.g. within 30 days for GDPR requests).

Data Security

We take the security of your data very seriously and implement industry best practices (both technical and organizational) to safeguard it. Here are some of the key security measures in place at Mechaverse:

Encryption (At Rest and In Transit): All communications between your browser and Mechaverse are encrypted via HTTPS/TLS. This ensures that data in transit (for example, when you log in or upload an image) is protected from eavesdroppers. Additionally, all data stored in our databases and servers on Google Cloud is encrypted at rest by default. Google Cloud Platform automatically applies AES-256 encryption to data stored on disk, adding multiple layers of protection. In short, whether your data is moving or staying in storage, it is encrypted.

OAuth Token Security: Any sensitive tokens or credentials (such as the OAuth access tokens from Google/GitHub) are stored in our database in an encrypted form. This means even if someone gained unauthorized access to the database, those tokens would be unreadable without the proper decryption keys. We also periodically expire and refresh tokens as needed and follow security best practices for authentication.

Database Row-Level Security (RLS): Our SQL database is configured with Row-Level Security policies to ensure that each user can only access their own data. RLS is a database feature that enforces access rules at the row level; in our case, your records are tagged to your user ID, and the database will only return data belonging to that ID. This provides an extra layer of data isolation and prevents any accidental mix-up of user data. Even if a bug occurred in our application, RLS at the database level ensures users cannot read data that isn’t theirs. This fine-grained control is aligned with strict compliance standards and helps protect your private information.

Private Storage for Robot Images: Private repository images that you upload are stored in private buckets on Google Cloud Storage. These storage buckets are not public; they require a secure, time-limited access URL to retrieve the images. When you (or someone you’ve shared a robot with) needs to fetch an image, our system generates a signed URL – a special link containing a cryptographic signature that grants temporary access to that specific image. Only users with the correct signed URL (which includes permissions and an expiration time) can download the image. This means your robot images are safe from unauthorized access – nobody can just browse or find them without going through Mechaverse and getting a valid signed URL. The signed URLs expire after a short time, so even if one was somehow leaked, it would soon become invalid.

Access Controls and Employee Access: Internally, access to user data is strictly limited. The Mechaverse team is small, and team members will only access user data if absolutely necessary to support you or maintain the service. For example, if you open a support ticket and we need to investigate an issue with your account, we might look at relevant data. All access is logged and monitored. We have role-based access control in place so that only authorized personnel (e.g., a site administrator) can access production databases or storage, and even then, they use secure methods to do so.

Google Cloud Security Practices: By using Google Cloud, we inherit many of Google’s world-class security measures. Google’s data centers feature 24/7 monitored security, biometric access controls, redundant systems, and are certified for standards like ISO 27001, ISO 27017 (cloud security), ISO 27018 (cloud privacy) and SOC 2/3 compliance. Google Cloud’s infrastructure is regularly tested, audited, and improved. Our projects in GCP benefit from the same infrastructure and security model that protects Google’s own services. This includes protections against DDoS attacks, hardware failures, and more.

Regular Updates and Patching: We keep our software and dependencies up to date with security patches. Our servers and databases are configured to receive updates, and we review any security advisories relevant to our technology stack.

Backups: We perform regular backups of critical data to prevent data loss. Backups are encrypted and stored securely (also on GCP). In the event of a disaster or data loss scenario, we have the ability to restore from backups, and we test this process periodically.

Monitoring and Incident Response: We monitor the platform for any unusual activity or potential vulnerabilities. If any security incident were to occur, we have a response plan to contain and fix the issue, notify affected users if relevant, and learn from the incident to prevent future issues.

While no service can guarantee 100% security, we believe we have taken strong measures appropriate for the sensitivity of the data we handle. We also encourage you to play a role in security: use a strong, unique password for your Google/GitHub accounts (since they secure your Mechaverse login), keep your OAuth accounts safe, and immediately let us know if you suspect any unauthorized access to your Mechaverse account.

Data Retention

Currently, Mechaverse does not have a fixed data retention schedule – we generally retain your information for as long as your account is active or as needed to provide you with the service. Here’s how we approach retention:

Account Data: All personal data you provide (profile info, OAuth credentials, robot images, etc.) is kept until you choose to delete it or delete your account. We won’t delete your data just because of inactivity, so you can safely come back to Mechaverse after some time and find your projects intact. That said, if our practices change (for example, we may decide to purge accounts that have been inactive for many years), we will update this policy and, if appropriate, notify affected users in advance.

Deleted Account: If you delete your account, we will promptly delete or anonymize the personal data associated with your account. This includes removing your profile information from our user database and your robot images from our storage. (As noted earlier, any public content you had provided will either be deleted or disassociated from you so it no longer identifies you.) We might retain non-personal data like aggregated usage stats or backup copies for a limited time, but those cannot be linked back to an individual. Backups that contain personal data are also purged on a rolling basis, so even in backup archives your data will be removed after a short period.

Communication Data: If you emailed us or had a support conversation, those communications may be retained for a period of time (to maintain continuity in support history, or as required by law). We protect any such correspondence just like other data.

Analytics Data: Google Analytics retains aggregated site data for our analysis. We haven’t set a specific retention limit in Google Analytics yet, so data might be kept indefinitely to allow long-term trend analysis. However, this data is not personally identifiable. We may periodically review and adjust the retention settings in Analytics according to our needs and legal requirements.

Legal Requirements: In certain cases, we might need to retain data for longer to comply with legal obligations or resolve disputes. For instance, if there’s an investigation into fraudulent or abusive activity, we might preserve relevant data until it is resolved. Similarly, if required by law (e.g., tax or audit requirements, though currently we don’t process payments), we would retain the necessary records for the legally mandated period.

In summary, we aim to keep your data only as long as necessary and no longer. Since we give you control to delete your data at any time, the ultimate retention period is largely in your hands. We will not keep personal data indefinitely “just because” – if it’s no longer needed and not required for our service or by law, we will securely dispose of it.

International Data Transfers

Mechaverse is a global service, and by using it, your personal information may be transferred to or stored in servers located in countries other than your own. In particular, since we use Google Cloud Platform, your data will likely be processed in the United States (where many of Google’s data centers are) and possibly in other regions where Google or its subcontractors maintain infrastructure. If you are located in the European Economic Area (EEA) or another region with data transfer restrictions, we take steps to ensure that your data remains protected when it crosses borders:

Adequacy and Safeguards: Whenever we transfer personal data out of the EEA, we rely on legal mechanisms to ensure an adequate level of protection. Google Cloud, as our data processor, has committed to EU Standard Contractual Clauses (SCCs) for such data transfers. These SCCs are standard EU-approved contracts that legally bind the parties to protect privacy and security of personal data, even when it’s transferred to a country that may not have the same privacy laws. In plain language: even if your data is stored in the U.S. or elsewhere, Google and Mechaverse will treat it with the same care as if it stayed in Europe.

Google’s Compliance: Google Cloud is certified under multiple international frameworks and standards (like ISO 27018 for cloud privacy). They also were certified under the EU-U.S. Privacy Shield framework (before it was invalidated) and are likely to adopt any new approved transfer frameworks that arise. While technical legal frameworks can change, what remains constant is our commitment and Google’s commitment to protecting your data wherever it is processed.

Your Consent and Alternatives: By using Mechaverse and providing your information, you consent to the transfer of your data to other countries as described. We understand that different countries have different privacy laws; however, our global approach means we apply the same high standards of privacy and security to your data no matter where it’s handled. If you prefer not to have your data transferred or stored in the United States or other countries, unfortunately using a cloud-based global service like Mechaverse might not be suitable for you. We respect that and are happy to answer any specific questions you might have about data location.

Processing in the EU (if possible): In the future, we may offer options or select infrastructure to store certain data in specific regions (for example, if we choose a European data center for EU users). If we do so, we will update this policy. But even today, a lot of Google Cloud’s processing is distributed, and some services (like analytics) might use global infrastructure. Please assume your data could leave your home country so that you can make an informed decision.

Our goal is to be transparent about these transfers and ensure they are done in compliance with applicable law. We want you to have peace of mind that, even if your data travels internationally, it remains protected to a high standard.

Changes to This Policy

We may update this Privacy Policy from time to time as our services and legal requirements evolve. If we make changes, we will do so transparently and will update the “Last Updated” date at the top of the policy. For any significant or material changes (especially any that would broaden how we use your data or affect your rights), we will provide a prominent notice, such as an email notification or an alert on the website, before the changes take effect. This will give you the opportunity to review the revised policy and decide if you are comfortable with it.

Some changes might be minor – for example, if we add a new feature and need to describe new data collection related to that feature, or if we improve wording for clarity. Other changes could be more significant – for instance, if we decide to start using a new third-party service or if legal regulations change in a way that affects our practices.

We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. Your continued use of Mechaverse after any changes to this policy will be deemed acceptance of those changes. If you do not agree with an upcoming change, you are free to stop using the service or request deletion of your data at any time.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. We are here to help and address any issues related to privacy or security.

You can reach us by email at vmold@mechaverse.dev.

Alternatively, you may contact us through any official support channels listed on our website.

We will do our best to respond promptly to your inquiry – typically within a few business days. If you are contacting us to exercise a privacy right (such as accessing or deleting your data) or have a complaint, please provide sufficient detail so we can effectively address your request.

Thank you for reading our Privacy Policy. We value your trust, and we are continuously working to ensure your data is safe and your privacy is respected while you use Mechaverse. Happy robotics building and visualizing!