Last updated: May 31, 2026
This Privacy Policy explains what information Userplay collects, how we use it, who we share it with, how long we keep it, and what choices you have.
It applies to:
- Studio members who use the Userplay web application.
- Testers who participate in playtests created by studios using Userplay.
- Visitors to the Userplay marketing site.
For a plain-language summary, see Privacy for Humans. For our commitments as a data processor on your behalf, see the Data Processing Addendum.
1. Who We Are#
Userplay is operated by the legal entity behind userplay.io. For privacy questions or to exercise your rights, contact privacy@userplay.io.
2. Information We Collect#
From Studio Members#
When you create an account or use Userplay as a studio member, we collect:
- Account information — name, work email, hashed password (when password auth is used), and workspace details you configure.
- Billing details when you subscribe to a paid plan.
- Playtest configuration you create, including objectives, prompts, capture toggles, and tester invite lists.
- Activity logs of administrative and content actions you take in the application.
- Support communications you send through our support channels.
From Playtests#
When your team runs a playtest, Userplay captures — on your instructions and with the tester’s consent — the following:
- Screen recordings, microphone audio (where the tester consents), and optionally webcam video.
- Transcripts of audio (when AI processing is enabled).
- Structured AI analysis of the recording (when AI processing is enabled).
- Optional in-game telemetry through the Userplay Chrome extension (when both the studio and the tester opt in). The extension captures only post-gameplay content and never captures credentials, tokens, cookies, or browsing history.
- Basic device and browser metadata required for playback.
Userplay does not capture any data from testers during active gameplay through the Chrome extension. The screen recorder, which the tester explicitly starts and stops, is the only live capture path.
From Site Visitors#
When you visit userplay.io, we collect pseudonymous web analytics — page views, referrers, device class, and performance metrics — to operate and improve the site.
What We Do Not Collect#
- Tester credentials, tokens, or cookies for the games being tested.
- Browsing history outside the playtest.
- Personal data of individuals under the age of majority — see Section 9 (Children).
- Personal data unrelated to operating the Service.
A full breakdown of data categories, sources, purposes, and retention is in Data Processed.
3. How We Use Information#
We use information to:
- Provide the Userplay service to studios and testers.
- Process playtest sessions, produce transcripts, and generate AI analysis.
- Authenticate users and enforce access controls.
- Bill subscribing customers.
- Provide customer support and respond to inquiries.
- Operate, monitor, and secure the Service.
- Improve product quality using aggregate and de-identified data.
- Comply with legal obligations.
We do not sell personal information. We do not use personal information for advertising.
4. Playtest Participants#
If you invite people to a playtest, you are the data controller for what is captured in their session. You are responsible for giving them appropriate notice and having a lawful basis for the recording. Userplay shows testers a clear consent screen describing what will be captured, by which studio, and under what retention policy, before any recording begins.
Studios have controls to minimize what is captured:
- Microphone and webcam are off by default.
- Sensitive screen regions can be masked or blurred.
- AI processing can be turned off per workspace or per playtest.
- The Chrome extension requires explicit double opt-in (studio and tester).
5. Sharing#
We share information only with:
- Subprocessors that help us host, deliver, and operate Userplay. The current list — including data location and retention — is in Subprocessors. Active subprocessors include Render (hosting), Vercel (frontend), Cloudflare (CDN/edge), Mux (video), OpenAI (transcription, when enabled), and Google Gemini (video analysis, when enabled).
- Service providers for billing, transactional email, and support, under appropriate contractual protections.
- Authorities and third parties when required by law, to enforce our agreements, protect rights and safety, or in connection with a corporate transaction (merger, acquisition, or asset sale) — in which case we will provide affected customers reasonable notice where legally permitted.
We do not sell personal information. We do not share recordings or derived AI analysis with third parties except subprocessors operating on our behalf under written agreements that prohibit use for model training.
6. International Transfers#
Userplay hosts production data in the United States. If you access Userplay from outside the United States, information may be transferred to and stored in the US. Where applicable law requires a legal mechanism for international transfers (for example, for EEA or UK data subjects), Userplay relies on Standard Contractual Clauses or equivalent mechanisms as incorporated into the Data Processing Addendum.
Userplay does not currently offer regional data residency (for example, EU-only hosting). If your organization requires this, contact sales@userplay.io.
7. Retention#
We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.
Default retention windows:
| Data type | Default retention |
|---|---|
| Session recordings | 12 months from session completion (workspace-configurable, can be shorter) |
| Transcripts and AI analysis | Tied to the parent recording |
| Audit logs | 365 days inside Userplay |
| Account data | Lifetime of the workspace; deleted within 30 days of confirmed closure |
| Support communications | Up to 24 months from last contact |
| Web analytics (raw events) | 90 days |
For details on deletion procedures, see Deletion Policies.
8. Security#
Userplay uses administrative, technical, and organizational safeguards designed to protect information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Role-based access control, multi-factor authentication, and the principle of least privilege.
- Tamper-evident audit logging.
- Documented incident response procedures.
- A small engineering team with quarterly access reviews.
No method of transmission or storage is completely secure. In the event of a confirmed breach involving your data, we will notify affected customers within 72 hours of confirmation.
9. Children#
Userplay is not intended for individuals under the age of majority in their jurisdiction, and we do not knowingly collect their personal information. Studios must not invite anyone below the applicable age into a playtest without verifiable parental or guardian consent and their own independent legal basis. If you believe we have inadvertently collected information from a minor, contact privacy@userplay.io.
10. Your Rights#
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information (subject to retention required by law or legitimate business purposes).
- Object to or restrict certain processing.
- Receive a portable copy of your information.
- Opt out of the “sale” or “sharing” of personal information — Userplay does not sell or share personal information for cross-context behavioral advertising.
- Withdraw consent where we rely on consent (for example, tester microphone capture).
Studio members can exercise most rights directly in the Userplay application. Testers and other individuals should contact privacy@userplay.io. We will respond within the timeframes required by applicable law (typically 30–45 days).
Userplay does not discriminate against individuals for exercising privacy rights.
Regional Notes#
- California (CCPA/CPRA). California residents have the rights listed above, including the right to limit use of sensitive personal information. We do not sell personal information. Categories of personal information collected, sources, purposes, and recipients are described above and in Data Processed.
- European Economic Area and United Kingdom. Our legal bases for processing include performance of a contract, legitimate interests (operating and securing the Service, aggregate product improvement), and consent where required (for example, tester microphone capture). For data we process on your behalf, the Data Processing Addendum applies and you are the controller.
- Other jurisdictions. Where local law confers additional rights, we honor them.
11. Cookies and Similar Technologies#
Userplay uses a small number of cookies and local-storage entries that are necessary to operate the application — for authentication, session management, and preference storage. We do not use third-party advertising cookies on the application or the marketing site.
12. Changes to This Policy#
We may update this Privacy Policy from time to time. Material changes will be communicated to workspace owners by email and reflected at the top of this page with a new “Last updated” date. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact#
- Privacy and data subject requests: privacy@userplay.io
- Security incidents and reports: security@userplay.io
- General support: support@userplay.io