how we handle your data
privacy policy.
Medallion Maze ("MM", "we", "us") cares about your privacy. This policy explains what we collect, why, and what control you have. Plain language, not lawyer language.
what we collect
account information
- Email address — to create your account and recover access
- Name and photo — shown to people you create with after mutual keeping
- Selected interests and worlds — powers matching
- Optional profile info — driver, quote, location (if you choose to add them)
session and creative content
- Things you make in sessions — drawings, writing, playlists, moodboards, etc.
- Session metadata — partner, timing, what type, whether you kept
- Capsule contents — the lasting record of mutual creations
device and technical data
- Device type, OS, browser — helps us debug and optimize
- IP address — used for security, fraud prevention, geographic personalization
- Push notification tokens — only if you enable notifications
- Photos for face verification — processed by an identity-verification service for safety, not stored long-term
payment information
- If you make a purchase, payment is processed by an industry-standard payment processor that is PCI-DSS compliant. We don't store full card numbers — they're held by the payment processor.
- We retain transaction records (date, amount, item) for accounting and tax compliance.
how we use your data
- To run the product — matching, sessions, capsules, drops, payouts
- To keep things safe — fraud prevention, abuse detection, account recovery
- To communicate — transactional emails (verification codes, purchase receipts), and notifications you opt into
- To improve MM — anonymized analytics on what features people use
what we DON'T do
- We don't sell your data to advertisers
- We don't run ads on MM
- We don't track you across other apps or websites
- We don't share session content with third parties beyond what's needed to deliver the specific feature you requested
categories of third parties we share data with
To run MM, we use a small set of trusted service providers, each bound by data-processing agreements. We share only the minimum data needed for each function:
- Payment processor — processes purchases and creator payouts; receives payment details and transaction metadata
- Cloud hosting and storage providers — store account data, session content, and media; data is encrypted at rest and in transit
- Email delivery service — sends verification codes, receipts, and notifications you've opted into
- Identity verification service — processes selfie images for safety verification; images are not retained long-term
- AI inference provider — generates session prompts and creative content; receives only the input needed for that specific feature
We do not sell, rent, or share your personal data with advertisers, data brokers, or analytics vendors. If you'd like the specific list of providers we use, email contact@medallionmaze.com and we'll share it.
your rights
everyone
- View your data — request a copy by emailing contact@medallionmaze.com
- Delete your account — request full deletion at the same email
- Correct your data — update profile fields directly in the app
- Opt out of notifications — in settings or email preferences
EU/UK residents (GDPR)
- Right to access, rectification, erasure, restriction, portability, and objection
- Right to withdraw consent at any time
- Right to lodge a complaint with your local supervisory authority
- Lawful basis: legitimate interest, contract performance, and consent depending on the data
California residents (CCPA)
- Right to know what personal information we collect, sell, or share (we don't sell or share)
- Right to delete your personal information
- Right to opt-out of sale (not applicable, we don't sell)
- Right to non-discrimination for exercising your rights
data retention
- Active accounts — we keep your data while your account is active
- Session content — ephemeral by design; most things disappear within hours unless preserved by mutual keeping
- Deleted accounts — personal data removed within 30 days of request, except where required for legal compliance (e.g. tax records held 7 years)
- Backups — backups containing deleted data are purged within 90 days
international data transfers
MM is based in the United States. If you're outside the US, your data is transferred to the US for processing. We use industry-standard safeguards including AWS data center security and encryption at rest and in transit.
children's privacy
MM is not intended for users under 13. In the EU/UK, the minimum age is 16. If we discover an underage account, we delete it. Parents who believe their child has signed up can email contact@medallionmaze.com for immediate removal.
security
We employ industry-standard security practices to protect user data and platform integrity:
- Credential protection: passwords are stored using cryptographic hashing with strong work factors; plaintext passwords are never logged or persisted
- Session integrity: authenticated sessions use signed tokens with appropriate expiration policies
- Encrypted transport: all traffic is encrypted in transit using current TLS standards
- Payment security: payment information is processed exclusively by a PCI-DSS compliant third party; we do not store, transmit, or have access to full card numbers, CVVs, or banking credentials
- Abuse prevention: adaptive rate limiting, account lockout policies, and anomaly detection mitigate brute-force, credential-stuffing, and automated attacks
changes to this policy
If we materially change this policy, we'll email registered users at least 30 days before changes take effect. The "last updated" date at the bottom always reflects the current version.
contact
Privacy questions: contact@medallionmaze.com
last updated: 2026-06-01 · medallion maze inc.