Skip to content

legal / privacy policy

privacy policy

Each section below begins with a plain-language summary. Those summaries are reading aids only. The full text that follows each summary is the operative statement and governs in any conflict.

v1.0 · last updated 2026-06-06

who is responsible

in short: the company behind carverjs.dev is the data fiduciary for your information.

MoneyTales EduTech Private Limited (Ahmedabad, Gujarat, India) operates the carverjs marketplace at carverjs.dev. Under the Digital Personal Data Protection Act 2023 (DPDP Act) we are the data fiduciary. Under the General Data Protection Regulation (GDPR) we are the data controller.

For privacy questions, data requests, and grievances, contact our grievance officer:

This policy applies to all personal data processed through the carverjs.dev website and any associated services. It does not apply to third-party websites linked from our pages.

what we collect

in short: we collect what you give us when you sign up and use the service, plus basic technical data needed to keep things running securely.

Account data. When you create an account: email address, display name, handle, and optional avatar. Your email is verified before your account is activated.

Content you publish. Games you upload (files, metadata, descriptions, tags), comments you post, and any other content you create on the platform.

Activity data. Plays, likes, follows, and interactions with games or other accounts on the platform.

Technical and security data. IP address, browser user agent, and server-side request logs. These are collected automatically by our infrastructure for security monitoring and abuse prevention. Cloudflare Turnstile, used on sign-up and sign-in forms, also processes a bot-risk signal on your device during those flows.

Support correspondence. If you contact us by email, we retain the messages to resolve the issue and maintain a record of communications.

What we do not collect. We do not collect precise location data, device contacts, payment card numbers (we have no paid features yet), or behavioral advertising profiles. We do not build interest segments or sell data to advertisers.

why we use it, and the legal basis

in short: we only use your data for the service you signed up for, to keep it secure, and to send account emails you asked for.

The table below maps each purpose to its legal basis under the GDPR and the equivalent basis under the DPDP Act.

running the service
Creating and managing your account, serving game content, processing actions such as plays and follows, and providing the features you use. Legal basis: contract (GDPR Art. 6(1)(b)), consent given when you register under the DPDP Act.
security and abuse prevention
Bot detection via Cloudflare Turnstile, server-side request logging to Axiom (IP, user agent, security events), and enforcement of our content policy. Legal basis: legitimate interests (GDPR Art. 6(1)(f)) for EU and UK users. For users in India, this processing is covered by the consent you give when you create an account and accept this privacy notice, which describes these security purposes. The DPDP Act does not include a general legitimate-interest basis, so we do not rely on one.
account emails
Transactional emails: email verification, password reset, and other messages directly related to your account. Legal basis: contract (GDPR Art. 6(1)(b)), consent under the DPDP Act (the emails are a necessary part of the service you consented to).
product updates and waitlist
Emails about new features, launches, or platform news, sent only if you joined the waitlist or opted in. Legal basis: consent (GDPR Art. 6(1)(a)), consent under the DPDP Act. You can withdraw consent at any time via the unsubscribe link in any such email.

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.

cookies

in short: we set exactly two cookies, both essential: one for your signed-in session and one for bot detection. No analytics or advertising cookies.

We use essential cookies only. There are currently two:

  • __session (authentication). An httpOnly, secure, server-set cookie containing a signed Firebase session token. It is created when you sign in and deleted when you sign out. Without it the site cannot identify you as signed in.
  • Cloudflare Turnstile cookies (security). The Turnstile widget sets its own short-lived cookies inside the bot-check flow on sign-up and sign-in forms. These are used only for bot detection and do not persist after the challenge completes.

UI preferences (such as dismissed notices) are stored in browser localStorage, not in cookies. localStorage data stays on your device and is never transmitted to our servers.

who we share it with

in short: we use a small set of trusted processors to run the service. We do not sell your data or share it with advertisers.

We share personal data only with service providers (data processors) that are necessary to operate carverjs.dev. Each is bound by data processing agreements or standard contractual clauses. We do not sell personal data, and we have no third-party advertising relationships.

Google Firebase
Authentication, Firestore database, and app hosting. Your account data and content are stored in Firebase. Data may be processed in US, EU, and Asia-Pacific regions depending on your location and Firebase infrastructure routing. Firebase privacy.
Cloudflare
Turnstile bot detection on auth forms, CDN for static assets, and object storage (R2) for uploaded game files. Cloudflare operates a global network; requests may be handled in any region. Cloudflare privacy.
Resend
Transactional email delivery (account verification, password reset). Your email address and the content of transactional emails are processed by Resend. Infrastructure is based in the US. Resend privacy.
Axiom
Server-side log storage for request logs and security events. Log data includes IP addresses and user agent strings. Axiom operates infrastructure in the US and EU. Axiom privacy.

We may also disclose data where required by law, court order, or to protect the rights and safety of users or the public, but only to the extent required and after taking reasonable steps to notify you where legally permitted.

how long we keep it

in short: we keep your data while your account is active and delete it within 30 days after you close your account.

Account and content data is retained for as long as your account is active. After you delete your account, data is removed from production systems within 30 days as backup cycles complete. Content you published may be retained in an anonymized form if it has been incorporated into aggregated platform statistics, but it will not be attributed to you.

Security and request logs (Axiom) are retained on a rolling window defined by our operational and security needs, generally 90 days, after which they are deleted automatically.

Legal records such as copyright takedown notices, enforcement actions, and legal correspondence are kept for as long as legally required or reasonably necessary to defend against claims, which may extend beyond the deletion of your account.

Waitlist data (email addresses from pre-launch signups) is retained until the waitlist is closed or until you unsubscribe, whichever comes first.

your rights

in short: you can access, correct, or delete your data. EU users have additional rights including data portability and the right to object.

Under the DPDP Act (all users in India):

  • Access. Request a summary of the personal data we hold about you and how it is being processed.
  • Correction and erasure. Request correction of inaccurate or incomplete data, or erasure of data that is no longer necessary for the purpose it was collected for.
  • Grievance redressal. Raise a complaint with our grievance officer and receive a reasoned response within the timelines set by the DPDP Act.
  • Nomination. Nominate another person to exercise your rights on your behalf in the event of your death or incapacity.

Under the GDPR (users in the European Economic Area and UK):

  • Access (Art. 15). Obtain a copy of your personal data and information about how it is used.
  • Rectification (Art. 16). Correct inaccurate data.
  • Erasure (Art. 17). Request deletion of your data where it is no longer necessary or where you withdraw consent.
  • Restriction (Art. 18). Request that processing be limited while a dispute is resolved.
  • Portability (Art. 20). Receive your data in a structured, machine-readable format.
  • Objection (Art. 21). Object to processing based on legitimate interests.
  • Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Complain to a supervisory authority. Lodge a complaint with your local data protection authority.

How to exercise your rights. Most account data can be reviewed and updated in your account settings. For deletion requests, data access reports, portability requests, or any right that cannot be self-served, email support@carverjs.dev from the address linked to your account. We will verify your identity before processing any request, and we will respond within the statutory timelines applicable to your jurisdiction.

children

in short: under-13s are not allowed. Users aged 13 to 17 need parental consent, and we never track or profile children.

Our minimum age for registration is 13. This is a product rule, not a threshold set by any specific law. We do not knowingly collect personal data from anyone under 13. If we discover that an account belongs to someone under 13, we will delete the account and all associated data promptly.

Separately, the DPDP Act 2023 treats everyone under 18 as a child. Users aged 13 to 17 may use the service only with a parent or guardian's verifiable consent. We require such consent as part of the account registration process for users who indicate they are under 18.

We do not conduct tracking, behavioral advertising, interest profiling, or targeted advertising directed at any user, including children and teenagers.

If you believe a child under 13 has created an account on carverjs.dev, please contact us at support@carverjs.dev and we will investigate and delete the account.

where your data travels

in short: our infrastructure is global. We explain the legal safeguards that apply when your data leaves India or the EU.

Operating carverjs.dev requires transferring personal data to processors outside India. The processors involved, and the regions where data may be processed, are:

  • Google Firebase (auth, database, hosting): US, EU, and Asia-Pacific regions.
  • Resend (transactional email): United States.
  • Axiom (server logs): United States and EU.
  • Cloudflare (bot detection, CDN, object storage): global network, nearest point of presence.

For users in the EU and UK. Transfers to processors in countries that the European Commission has not recognized as providing adequate protection rely on the standard contractual clauses (SCCs) published by each processor, or on the EU-US Data Privacy Framework where applicable. Each processor link in section 05 (who we share it with) points to their privacy and data-transfer information.

For users in India. Cross-border transfers of personal data are permitted under the DPDP Act subject to any restrictions notified by the central government. At the time this policy was last updated, no such restriction applies to the countries where our processors operate. If the government notifies a restriction affecting any processor country, we will update our arrangements to comply.

complaints

in short: start with our grievance officer. If that does not resolve your concern, you can escalate to a regulatory authority.

If you have a concern about how we handle your personal data, the first step is to contact our grievance officer:

We acknowledge grievances within the period prescribed by the DPDP Act and aim to resolve them within the statutory resolution timeline. Please include enough detail in your message for us to identify the issue and verify your identity.

If your grievance is not resolved satisfactorily:

  • India. You may lodge a complaint with the Data Protection Board of India once it is operational, as established under Section 18 of the DPDP Act.
  • EU and UK. You may contact the data protection supervisory authority in your country of residence or establishment. A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.

changes to this policy

in short: we version this document. Material changes are announced before they take effect.

This policy is versioned (currently v1.0, last updated 2026-06-06). Minor clarifications that do not alter your rights or our obligations are reflected with a minor version bump. Changes that affect rights, introduce new data uses, or add new processors are major version bumps and will be announced by email and via a notice on carverjs.dev at least 14 days before they take effect.

The current version is always available at carverjs.dev/legal/privacy. Older versions are archived and available on request.

Continued use of carverjs.dev after a policy change takes effect constitutes acceptance of the updated terms. If you do not agree with a material change, you should stop using the service and may request deletion of your account as described in section 07 (your rights).

Questions about this policy can be sent to support@carverjs.dev.