Privacy Policy

Last updated: April 7, 2026

        The short version: Gameplay data never leaves your device unless cloud sync is enabled. Adults who create an account share only their email and name with us. Small Universe is operated by CloudForge Ltd, registered in Cyprus, and complies with UK GDPR, EU GDPR, and COPPA. We do not sell data to anyone.
      

Data Controller

CloudForge Ltd (registered in Cyprus), trading as Small Universe, is the data controller for personal data collected through this service. Registered address: Cavo Greco Avenue, Building 475, 007, Protaras, Paralimni, Cyprus. For data protection enquiries, contact us.

COPPA Compliance and Verifiable Parental Consent

Small Universe is used by children and adult learners. For child users, Small Universe complies with the Children's Online Privacy Protection Act (COPPA). Regarding children specifically, we do not:

Collect personal information from children
Require children to create accounts or register
Use cookies, tracking pixels, or analytics within the game
Include links to external websites within the game
Share, sell, or transmit any child data to third parties

All account creation and purchases are performed by the parent or guardian. We use a combination of email verification and payment card ownership as indicators that the account holder is an adult, credit card use is recognised by the FTC as a reliable method of verifiable parental consent under COPPA.

UK ICO Children's Code

As a service likely to be accessed by children in the UK, we apply the principles of the ICO Age Appropriate Design Code (UK Children's Code). We implement high-privacy defaults for all users, do not profile children, and do not use nudge techniques to encourage children to weaken their privacy settings.

Who We Collect Data From

Children: No personal data is collected. All gameplay, progress, and profiles are stored locally on the device.
Adults / parents / guardians: If you create an optional account (for cloud sync or coin purchases), we collect your email address and display name.

Gameplay Data (On-Device)

All game progress, profiles, star ratings, coin balances, creature collections, and settings are stored locally on your device using localStorage. This data never leaves your device unless you create an account and enable cloud sync.

You can clear all local data at any time by clearing your browser's site data for smalluni.com.

Account Data (Optional)

Creating an account is optional. If you choose to create one, we collect:

Email address, for account login and service communications
Display name, shown in your account settings
Game progress, synced to our servers to preserve progress across devices
Coin balance and purchase history, to fulfil and record purchases

We do not collect your phone number, home address, or any financial information directly. Payment details are handled entirely by our payment processor.

Payment Data

When you purchase Stellar Coins, payment is processed securely by our payment processor. We do not store your card number, bank details, or any sensitive payment information. Our payment processor provides us with a transaction reference and confirmation only. The handling of your payment data is governed by the payment processor's own privacy policy, presented at checkout.

Coin Ledger & Purchase Records

Every coin earned, spent, purchased, or refunded is recorded in an append-only ledger on our servers, linked to a pseudonymous profile ID (not your child's real name). This ledger is the source of truth for balances and exists so that coins can never be lost and purchases can always be reconciled or refunded.

Ledger rows: retained indefinitely for purchase, refund, and tax audit integrity. On deletion request, the profile ID is redacted but the amount, reason, and timestamp are preserved as required for financial record-keeping.
Server operation logs (grant/spend/purchase RPC invocations): identifiers stripped or hashed after 30 days.
Purchase receipts are emailed to the account email by default under legitimate interest (transactional communication required for record-keeping). You can turn off receipt emails at any time in Family Dashboard → Receipt preferences; the underlying ledger entry is retained regardless.

How We Use Your Data

Data collected from parent accounts is used only to:

Authenticate your account and allow login
Sync game progress across devices
Fulfil coin purchases and maintain your coin balance
Respond to support requests
Send transactional emails (purchase confirmations, password resets)

We do not use your data for advertising, profiling, or sale to third parties.

Legal Basis for Processing (GDPR)

For users in the UK and European Economic Area, we process personal data on the following legal bases:

Processing activity	Legal basis (Art. 6 UK/EU GDPR)
Account creation, login, cloud sync	Contract performance (Art. 6(1)(b))
Coin purchases and billing records	Contract performance + Legal obligation (Art. 6(1)(b) and (c))
Purchase records for tax compliance	Legal obligation (Art. 6(1)(c))
Security and fraud prevention	Legitimate interest (Art. 6(1)(f))
Responding to support requests	Legitimate interest (Art. 6(1)(f))
Landing page analytics (GA4)	Legitimate interest, anonymised, opt-out available (Art. 6(1)(f))

Data Retention

Account data is retained for as long as your account remains active. If you request deletion, we will remove your personal data within 30 days, except where retention is required by law (e.g. purchase records may be retained up to 7 years for UK tax compliance).

Local on-device data has no expiry, it persists until you clear your browser's site data.

Progressive Web App (PWA)

When installed as a PWA, the app caches game assets on your device for offline play. No personal data is included in this cache, only game code, images, and audio files.

Third-Party Services

Google Analytics (GA4), Used on this landing page only (not in the game). Collects anonymised usage data: pages visited, referral source, browser type, approximate country. No personal information. You can opt out via Google's opt-out browser add-on. See Google's privacy policy.
Supabase, Our database and authentication provider. Account data and synced progress are stored on EU-region servers. See Supabase's privacy policy.
Payment processor, Handles all payment card data for Stellar Coin purchases. We never see or store your card details. Their privacy policy is presented at checkout.
Google Fonts, Self-hosted on our server. No requests are made to Google's font servers.

Google Analytics runs only on this landing page. The game itself loads no external resources and collects no data whatsoever.

International Data Transfers

CloudForge Ltd is registered in Cyprus, an EU member state, and is subject to EU GDPR directly. Account data is stored on Supabase's EU-region servers. Transfers of personal data from the UK to Cyprus are covered by UK adequacy regulations (Cyprus is an EEA country recognised as adequate by the UK). Where personal data is processed by sub-processors, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.

EU Representative

CloudForge Ltd is registered in Cyprus, an EU member state. As an EU-based company, we are not required to appoint a separate EU representative under Article 27 EU GDPR. For all data protection enquiries, please use our contact page.

Cookies

This landing page uses a session cookie set by Google Analytics for traffic analysis. The game does not use cookies. If you create an account, a secure authentication token is stored in your browser to keep you logged in. To opt out of Google Analytics, use Google's opt-out add-on.

Data Breach Notification

In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Where required by law, we will also notify affected individuals without undue delay.

Your Rights

Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:

Access, request a copy of the data we hold about you
Rectification, correct inaccurate or incomplete data
Erasure, request deletion of your data ("right to be forgotten")
Restriction, ask us to pause processing of your data in certain circumstances
Portability, receive your data in a structured, machine-readable format
Object, object to processing based on legitimate interest
Withdraw consent, where processing is based on consent, withdraw it at any time
Lodge a complaint, complain to the UK ICO (ico.org.uk) or, for EU residents, your national Data Protection Authority

To exercise any right, contact us and we will respond within 30 days.

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of the sale or sharing of personal information. We do not sell or share personal information. To exercise your CCPA rights, contact us.

Security

Account passwords are hashed and never stored in plain text. All data transmitted between your device and our servers is encrypted via HTTPS. Payment processing is handled by a PCI-DSS compliant payment provider.

Changes to This Policy

If we make material changes, we will update the "Last updated" date and notify account holders by email where appropriate. Continued use of Small Universe after changes constitutes acceptance of the updated policy.

Contact

Questions about this privacy policy or your data? Get in touch.