Privacy Policy

1. Who we are

Cenrellia Studios Limited is a company registered in England and Wales (company number 17065711). We are the data controller for personal information collected through this website (cenrelliastudios.com) and its associated services.

We have not appointed a Data Protection Officer as we do not meet the threshold requiring one under UK GDPR. For all privacy enquiries, contact us at the email address above or use the Data / Privacy Request subject on our contact form.

We have determined that we are not currently required to appoint a representative in the EEA under Article 27 of the EU GDPR, as our processing of EU/EEA personal data is occasional and does not involve large-scale processing or special category data. We will appoint a representative if our processing activities change.

If you are based in the European Economic Area (EEA) and have concerns about our data practices, you have the right to lodge a complaint with the supervisory authority in your country of residence. A list of EEA data protection authorities is available on the European Data Protection Board website.

2. Information we collect

We collect the following categories of personal data:

• Account information — your username, email address, and hashed password when you register directly.
• OAuth data — when you choose to link a platform account, we receive data from that platform via their API (not from publicly accessible sources). We never store your platform password. The specific data received from each platform is:
  • Google — platform user ID, email address, display name
  • Apple — platform user ID, email address (or Apple's private relay address if you choose to hide your email). We accept and store the relay address as provided and do not attempt to resolve it to your real email. Only transactional messages (account activity, security alerts) are sent to relay addresses. If you revoke Sign in with Apple through your Apple device settings, your session on our site will be invalidated.
  • Steam — Steam ID, display name, profile avatar URL
  • Discord — platform user ID, username, avatar URL
• Game ownership records — platform-verified proof that you own a game, used to unlock ownership-based features.
• Game services data — when you sign in to a Cenrellia Studios game, a unique player identifier ("Player ID") is created by Unity Gaming Services and linked to your website account. This ID is used to provide cloud saves, authentication, and other in-game services.
• User-generated content — forum posts, thread titles, bug reports, comments, and file attachments you submit.
• Contact form submissions — your name, email, and message when you contact us.
• Technical data — IP addresses, session identifiers, browser user-agent strings, and server access logs collected automatically when you use the site.
• Cookies — session and preference cookies. See Section 11 for details.

We do not intentionally collect special category data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health, or sexual orientation). If you voluntarily include such information in forum posts or bug reports, it is processed on the same basis as other user-generated content. We recommend not sharing sensitive personal details publicly.

3. How we use your information

• Creating and managing your account and keeping it secure.
• Verifying whether you own Cenrellia Studios games on linked platforms so you can access ownership-based features. We only check ownership of our own titles — we do not access or store your full game library. Ownership status may be refreshed periodically.
• Delivering transactional emails — email verification, password reset, and notification emails you have opted into.
• Displaying your forum posts, bug reports, and other content you choose to publish.
• Rate limiting and security monitoring to protect the site and its users.
• Responding to contact form submissions.
• Applying content filters to user-generated content at display time for community safety (stored content is never modified).
• Logging administrative actions (such as moderation decisions and account changes) for audit and accountability purposes.
• Complying with legal obligations.

4. Lawful basis for processing

Where we rely on your consent, you may withdraw it at any time by adjusting your notification preferences in your account settings or by clicking the unsubscribe link in any notification email. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

5. Third parties we share data with

We do not sell your personal data. We share data only with the following service providers who process it on our behalf:

• OVH Cloud — website hosting (EU data centres).
• Resend — transactional email delivery.
• Cloudflare — CAPTCHA (Turnstile) on the contact form and CDN/DDoS protection. Cloudflare processes IP addresses and request headers to route traffic, protect the site from attacks, and verify contact form submissions.
• Google, Apple, Steam, Discord — OAuth providers you voluntarily connect. We receive only the data those platforms expose via their APIs.
• Unity Technologies — in-game authentication and cloud services (Unity Gaming Services). A player identifier is shared when you sign in to a game.

Each provider operates under their own privacy policy and data processing agreements.

We do not use your personal data to train artificial intelligence or machine learning models, to serve advertising (including retargeting or interest-based advertising), or to determine credit-worthiness.

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your personal data may be transferred to the successor entity. Any such successor will be bound by this privacy policy with respect to your data. We will notify you by email and/or a prominent notice on the Site before your data is transferred and becomes subject to a different privacy policy.

Cenrellia Studios is not affiliated with, endorsed by, or operated by Google LLC, Apple Inc., Valve Corporation (Steam), Discord Inc., Unity Technologies, OVH SAS, Resend Inc., or Cloudflare Inc. Use of their names above is solely to identify the services we integrate with.

6. International data transfers

Your personal data is primarily stored on servers within the EU/UK (OVH Cloud). However, some of the third-party services we use are based outside the UK:

• Resend — United States
• Cloudflare — United States
• Google, Apple, Valve (Steam), Discord — United States (OAuth data only, when you choose to link an account)
• Unity Technologies — United States (game authentication and cloud services, when you sign in to a game)

Where data is transferred outside the UK, we ensure appropriate safeguards are in place. For transfers to the United States, our providers participate in or are covered by the UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge") where applicable. Where the Data Bridge does not apply, we rely on UK International Data Transfer Agreements (IDTAs) or equivalent contractual protections, in accordance with UK GDPR requirements.

7. How long we keep your data

8. Your rights under UK GDPR

If you are based in the UK or EEA, you have the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — request deletion of your data where there is no compelling reason for us to keep it.
• Portability — receive your data in a structured, commonly used, machine-readable format (we provide exports in JSON).
• Restriction — ask us to pause processing your data in certain circumstances.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time (see Section 4).

To exercise any of these rights, use the Data / Privacy Request subject on our contact form or email us at privacy@cenrelliastudios.com. The first copy of your data is provided free of charge. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

If you are based in the European Economic Area, you may lodge a complaint with your local data protection supervisory authority instead of or in addition to the ICO. A directory of EEA supervisory authorities is available at edpb.europa.eu.

9. Data security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. These measures include:

• All connections to the site are encrypted using HTTPS/TLS.
• Passwords are hashed using industry-standard algorithms and are never stored in plain text.
• Access to personal data is restricted to authorised personnel only.
• Automated rate limiting and abuse-prevention measures are in place.
• OAuth tokens are stored securely and are not exposed to other users.

For support and debugging purposes, authorised administrators may access the site as if logged in as your account (impersonation). All impersonation sessions are logged, and this capability is restricted to users with explicit administrative permissions.

While we strive to protect your data, no method of transmission or storage is completely secure. If you believe your account has been compromised, please contact us immediately.

We maintain records of our data processing activities in accordance with UK GDPR Article 30.

In the event of a personal data breach, we will notify the ICO within 72 hours of becoming aware of it where required by UK GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay. We maintain an internal record of all personal data breaches, including those that do not meet the threshold for reporting to the ICO, in accordance with UK GDPR accountability requirements.

10. File uploads

Bug report attachments are limited to image files (.png, .jpg, .gif, .webp), video files (.mp4, .webm), and text/log files (.txt, .log), with a maximum size of 50 MB per file and a maximum of 3 files per report. Uploaded files are stored on our hosting server and are deleted when the associated bug report is removed or when your account is deleted.

11. Cookies

A cookie is a small text file stored on your device. We use the following cookies:

Strictly necessary cookies (no consent required)

These are essential for the site to function. They are set automatically and cannot be switched off.

Functional cookies (set only after you take an action)

These are set in response to a choice you make (e.g., changing your pagination preference). They are not used for tracking.

Third-party cookies

Cloudflare Turnstile (used on our contact form for anti-spam verification) may set its own cookies. These are classified as strictly necessary for security purposes. For full details, see Cloudflare's Privacy Policy.

We do not use advertising, analytics, or cross-site tracking cookies.

You can also manage and delete cookies through your browser settings. Most browsers allow you to block or delete cookies via their privacy or settings menus. Please note that blocking session cookies will prevent you from logging in, and clearing the cookie_consent cookie will cause the consent banner to reappear. You can change your cookie preferences at any time using the "Cookie Settings" link in the site footer.

12. Minimum age

This site is not directed at children under the age of 13. If you are under 13, please do not create an account or submit personal data. If we become aware that we have collected data from a child under 13 without parental consent, we will delete it promptly.

In accordance with the ICO's Age Appropriate Design Code, all accounts default to the most privacy-protective settings. We do not profile users for advertising, use nudge techniques to encourage users to weaken their privacy settings, or collect geolocation data.

We have conducted a Data Protection Impact Assessment for our processing of data from users under 18, in accordance with the ICO's Age Appropriate Design Code and UK GDPR Article 35.

13. Automated decision-making

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects you. Rate limiting and spam prevention measures are applied uniformly to all users and do not constitute profiling within the meaning of UK GDPR Article 22.

14. Third-party links

This site may contain links to external websites (for example, platform privacy policies, the ICO website, or game store pages). This privacy policy applies only to cenrelliastudios.com. We are not responsible for the privacy practices of other websites, and we encourage you to read their privacy policies before providing them with your data.

15. Information for California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

Do Not Sell or Share My Personal Information

We do not sell your personal information as defined by the CCPA. We do not share your personal information for cross-context behavioural advertising. Because we do not sell or share personal information, we have not offered an opt-out mechanism, but if this changes in the future, we will provide one.

We honour Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we will treat it as a valid opt-out of any future sale or sharing of personal information.

Categories of personal information collected

In the preceding 12 months, we have collected the following categories of personal information:

Categories disclosed to third parties for a business purpose

In the preceding 12 months, we have disclosed the following categories of personal information to service providers for the business purposes described in Section 3:

• Identifiers (email address) — to Resend for transactional email delivery.
• Internet/network activity (IP address, challenge response) — to Cloudflare for anti-spam verification.
• Identifiers (platform user IDs) — to OAuth providers when you initiate a platform link.
• Identifiers (account identifier via signed token) — to Unity Technologies for in-game authentication.

We have not sold or shared (for cross-context behavioural advertising) any personal information in the preceding 12 months.

Sensitive personal information

We do not collect categories of personal information classified as "sensitive" under the CPRA (such as Social Security numbers, financial account details, precise geolocation, racial/ethnic origin, or biometric data). Accordingly, we do not offer a "Limit the Use of My Sensitive Personal Information" mechanism.

Your CCPA/CPRA rights

• Right to know — request what personal information we collect, use, disclose, and sell/share.
• Right to delete — request deletion of your personal information.
• Right to correct — request correction of inaccurate personal information we hold about you.
• Right to opt-out — opt out of the sale or sharing of your personal information (we do not currently sell or share).
• Right to non-discrimination — we will not discriminate against you for exercising any of these rights.

How to submit a request

To exercise these rights, use the Data / Privacy Request subject on our contact form or email us at privacy@cenrelliastudios.com. We will verify your identity before processing your request and respond within 45 days (extendable by an additional 45 days for complex requests, with notice).

You may also designate an authorised agent to submit requests on your behalf. We may require the agent to provide proof of their authorisation (such as a signed written authorisation or power of attorney) and may verify your identity directly before processing the request.

For retention periods applicable to each category of personal information listed above, see Section 7.

We do not offer financial incentives (such as discounts, loyalty programmes, or premium features) in exchange for the collection, sale, or retention of your personal information.

16. Information for Brazilian residents (LGPD)

If you are based in Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you the following rights regarding your personal data:

• Confirmation and access — confirm whether we process your data and request a copy.
• Correction — request correction of incomplete, inaccurate, or outdated data.
• Anonymisation, blocking, or deletion — of unnecessary or excessive data, or data processed in breach of the LGPD.
• Portability — request transfer of your data to another service provider.
• Deletion — request deletion of personal data processed on the basis of your consent.
• Information about sharing — know which public and private entities we share your data with.
• Information about consent — be informed about the possibility and consequences of not providing consent.
• Revocation of consent — withdraw your consent at any time.

The lawful bases for our processing activities are described in Section 4. Where we rely on legitimate interests, you may request additional information about the balancing test we have conducted.

To exercise any of these rights, use the Data / Privacy Request subject on our contact form or email us at privacy@cenrelliastudios.com. You may also lodge a complaint with Brazil's national data protection authority (ANPD) at gov.br/anpd.

17. Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For significant changes, we will notify registered users by email.