Privacy Policy
Last updated: 21 March 2026
This policy covers all services operated by Ludusy AS, including ludusy.com and Sciasy (collectively "Ludusy Services").
1. Data Controller
Ludusy AS, Skien, Norway, is the data controller for all personal data processed across Ludusy Services.
2. What We Collect
Account Data
- Email address, username, hashed password, account status
- Hashed IP address, session tokens (not stored long-term)
- Login timestamps, hashed IP, originating service
- Consent records (terms, marketing, product updates)
Game-Specific Data
- Sciasy — character data, inventory, world state, chat logs
Credits & Payment Data
- Credit balance (paid, free, earned), transaction history
- Purchase records (processed by Stripe — we do not store card details)
3. Legal Basis (GDPR Art. 6)
- Contract (Art. 6.1.b): Account creation, authentication, and service delivery
- Legitimate interest (Art. 6.1.f): Security logging, fraud prevention, service improvement
- Consent (Art. 6.1.a): Marketing communications
4. Cross-Service Data Sharing
When you use your Ludusy account on a connected game, that game receives your Ludusy user ID and email address. Each game stores its own application data linked to this ID. Your credit balance is centralized on ludusy.com.
5. Data Retention
- Account data: retained while account is active
- Session tokens: cleared on logout or new login
- Auth tokens: single-use, expired entries purged automatically
- Login audit logs: retained for 12 months
- IP addresses: hashed for sessions; raw IPs for rate limiting retained 90 days
- Payment records: retained as required by Norwegian bookkeeping law (5 years)
6. Your Rights (GDPR Art. 15-22)
You have the right to:
- Access your data via your account page or by contacting us
- Rectify incorrect information
- Delete your account (cascades to all games)
- Port your data in a machine-readable format on request
- Object to processing based on legitimate interest
- Withdraw consent for marketing at any time
7. Cookies
- Session cookies: Used on ludusy.com and authenticated game pages for login sessions
- No tracking cookies: We do not use third-party analytics, advertising pixels, or social media trackers
8. Security
Passwords are hashed with bcrypt. IP addresses are stored as SHA-256 hashes where possible. Sessions use cryptographically random 256-bit tokens. All connections require HTTPS. Payment processing is handled entirely by Stripe.
9. Third-Party Processors
- ElasticEmail: Transactional email delivery
- Stripe: Payment processing
10. International Transfers
Our servers are located in Europe. Third-party processors may process data outside the EEA under appropriate safeguards.
11. Children
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
12. Changes
We may update this policy. Material changes will be communicated via email or in-service notice.
13. Contact
Ludusy AS · Skien, Norway · mail@ludusy.com