Terms of Service

Last updated: May 21, 2026

Effective date: June 7, 2026

Welcome to Visiblemiles. These Terms of Service ("Terms") govern your access to and use of the Visiblemiles game, website, and related services (collectively, the "Service"), operated by Visiblemiles Inc, a Delaware corporation ("we", "us", or "our").

By creating an account, signing in, or otherwise using the Service, you agree to be bound by these Terms. If you do not agree, do not use the Service.

1. Eligibility

You must be at least 13 years old to create an account or use the Service. By creating an account, you confirm that you are 13 or older.

We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will delete it. If you believe we have collected information from a child under 13, contact us at legal@visiblemiles.com.

If you are under the age of majority in your jurisdiction (typically 18), you represent that your parent or legal guardian has reviewed and agreed to these Terms on your behalf.

The Service is currently in Closed Alpha. Access requires an invitation. Invitations are at our discretion and may be revoked.

2. Accounts

2.1 Creating an account

You create an account by registering an email address and password, or by signing in with a supported third-party identity provider (currently Discord). You are responsible for:

Providing accurate information at sign-up
Keeping your account credentials confidential
All activity that occurs under your account

You may create multiple characters within a single account. Account-level actions (suspension, deletion) affect all characters.

2.2 Multi-factor authentication

We support optional time-based one-time password (TOTP) multi-factor authentication with single-use recovery codes. We strongly recommend enabling it. We are not responsible for unauthorized access resulting from your failure to secure your credentials.

2.3 Account security

If you suspect unauthorized access, change your password immediately and contact support@visiblemiles.com. We will assist with account recovery to the extent practicable, but we cannot recover accounts for which credentials have been transferred or sold to third parties.

2.4 One account per person

Each person may maintain one account. Sharing, selling, gifting, or otherwise transferring accounts is prohibited.

3. Acceptable use

You agree not to:

Cheat or exploit. Use of bots, automation, third-party tools that interact with the Service in ways not intended, modified clients, packet manipulation, or any technique that bypasses or undermines the server-authoritative game logic.
Reverse-engineer. Decompile, disassemble, or otherwise attempt to derive the source code or game logic of the Service, except to the extent expressly permitted by applicable law.
Abuse other players. Harass, threaten, dox, stalk, defame, or impersonate other players, our staff, or any third party. This includes via in-game chat, character names, character appearance, or any other in-game medium.
Post prohibited content. Hate speech, sexual content involving minors, content that incites violence, illegal content, or content that infringes intellectual property rights of others.
Disrupt the Service. Conduct denial-of-service attacks, probe for vulnerabilities without coordinating with us first, transmit malware, or otherwise interfere with the Service's operation.
Circumvent moderation. Use techniques to bypass the profanity filter, name filter, or other moderation systems (e.g., unicode obfuscation, leet substitution, deliberately misspelled slurs).
Misrepresent. Claim affiliation with us, our staff, or any third party without authorization. Impersonate moderators or staff.
Commercialize. Sell, rent, or commercially exploit any portion of the Service, your account, in-game characters, in-game currency, or any virtual goods, except as expressly permitted by us in writing.

We may take any action we deem appropriate in response to violations, including warnings, character renames, mutes, account suspensions, account terminations, and refusal of future access. We may take action without prior notice when necessary to protect the Service or other players.

4. Content and intellectual property

4.1 Our content

All game content — including but not limited to artwork, code, characters, world geography, music, narrative, item designs, and gameplay systems — is owned by us or our licensors and is protected by copyright, trademark, and other intellectual property laws.

We grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Service for personal, non-commercial entertainment purposes, subject to these Terms.

4.2 User-generated content

You retain ownership of original content you create using the Service (character names, chat messages, reports filed against other players). By submitting such content, you grant us a worldwide, royalty-free, non-exclusive, perpetual, irrevocable license to use, store, display, reproduce, and create derivative works of that content for the purpose of operating, improving, and promoting the Service. This license survives termination of your account to the extent necessary for us to retain backups, audit logs, and moderation records.

You represent that any content you submit:

Is yours to submit (you own it or have rights to submit it)
Does not violate any third-party rights
Does not violate the Acceptable Use rules in Section 3

4.3 Streaming, screenshots, video, and fan content

You may capture screenshots, record gameplay video, and stream gameplay of the Service for personal, non-commercial purposes, or for non-commercial fan content. Monetized streaming (Twitch subscriptions, YouTube ad revenue, sponsorships) is permitted without prior approval provided the content:

Does not falsely imply official partnership, sponsorship, or affiliation with us
Does not include other players' private information
Does not include exploit demonstrations or instructions for cheating

We reserve the right to issue takedown requests for content that violates these conditions.

4.4 Trademarks

"Visiblemiles" and the Visiblemiles logo are our trademarks. You may not use them without our written permission, except in factual references to the Service (e.g., "I play Visiblemiles") or in fan content that complies with Section 4.3.

4.5 Reporting copyright infringement (DMCA)

We respect the intellectual property rights of others and expect users of the Service to do the same. We respond to clear notices of alleged copyright infringement that comply with the U.S. Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 512.

Designation status (pre-launch notice). Our DMCA designated agent is in the process of being registered with the U.S. Copyright Office. Until that registration is complete and the contact details below are filled in, the procedure in this Section is provided for transparency about how we will handle infringement notices once it goes live. For urgent copyright concerns in the interim, please use the general legal contact in Section 14.7.

To submit a copyright infringement notice, send a written communication to our designated DMCA agent at legal@visiblemiles.com that includes:

A physical or electronic signature (a typed full name is sufficient) of the copyright owner or a person authorized to act on their behalf
Identification of the copyrighted work claimed to have been infringed
Identification of the material on the Service that you claim is infringing, with enough detail for us to locate it (URLs, character names, the approximate date and time the material appeared, or any other context you can provide)
Your contact information (name, address, telephone number, email address)
A statement that you have a good-faith belief that the disputed use is not authorized by the copyright owner, its agent, or the law
A statement, made under penalty of perjury, that the information in your notice is accurate and that you are the copyright owner or are authorized to act on the copyright owner's behalf

Counter-notice. If you believe content you posted to the Service was removed in error, you may submit a counter-notice to the same DMCA agent containing your signature, identification of the removed material and its prior location, a statement under penalty of perjury that you have a good-faith belief the removal was a mistake or misidentification, your contact information, and your consent to jurisdiction in the federal district court for your address (or, if outside the United States, in the federal district court for any judicial district in which we may be found).

Repeat infringers. In appropriate circumstances, we will terminate the accounts of users who are repeat copyright infringers.

Knowingly false notices. Under 17 U.S.C. § 512(f), any person who knowingly materially misrepresents that material is infringing — or that material was removed or disabled by mistake or misidentification — may be liable for damages.

5. Virtual goods and in-game currency

In-game currency, items, equipment, cosmetics, and any other virtual goods (collectively, "Virtual Goods") are licensed to you, not sold. You have no ownership interest in any Virtual Good, nor any right to refund or compensation for Virtual Goods in any circumstance.

We may, at our discretion:

Modify the properties, availability, or appearance of any Virtual Good
Remove or replace Virtual Goods from the Service
Adjust in-game economies and balance
Wipe characters or accounts during Closed Alpha (see Section 6)

Virtual Goods have no real-world monetary value. Selling, trading, or attempting to convert Virtual Goods to real-world currency outside the Service is prohibited and a basis for account termination.

6. Closed Alpha and early access

The Service is currently in Closed Alpha. You acknowledge and agree:

The Service is not feature-complete. Features, content, balance, and systems are subject to change without notice.
Bugs and downtime are expected. We make no warranty as to uptime, data integrity, or stability during Alpha.
Character wipes are possible. We may wipe characters, accounts, or game state during Alpha. We will give reasonable notice when practicable, but we reserve the right to wipe without notice for technical, balance, or security reasons.
Access can be revoked. Alpha access is by invitation and may be revoked at our discretion.

If we begin charging for the Service in the future (Open Beta, full release, subscription tiers, etc.), we will give you notice and you will have the opportunity to decline.

7. Privacy

Your privacy is important to us. Our Privacy Policy describes what personal information we collect, how we use it, who we share it with, and the rights you have over your data. The Privacy Policy is incorporated by reference into these Terms.

8. Chat and communications

The Service includes player chat features (zone, say, whisper, emote). Chat messages are:

Logged and retained for moderation purposes (see Privacy Policy for retention period)
Filtered automatically for profanity, slurs, hate speech, and certain harmful content
Subject to moderator review when reports are filed or automated systems flag content

We may suspend or revoke chat privileges for violations of Section 3 without affecting your ability to play.

9. Termination

9.1 Termination by you

You may stop using the Service at any time. You may permanently delete your account from the account panel in the launcher (the "Delete Account" option). Account deletion removes your account record, all character data, and most associated personal information. The exact mechanism and the categories of data that persist beyond account deletion (for example, chat messages and player reports keyed by character name rather than account ID) are described in the Privacy Policy under "Data retention". Some retention is also required by law or for legitimate security and fraud-prevention purposes.

9.2 Termination by us

We may suspend or terminate your account at any time for:

Violation of these Terms
Conduct that harms other players, our staff, or the Service
Suspected fraud, payment disputes (if and when payment is introduced), or chargebacks
Inactivity (with reasonable advance notice)
Legal or regulatory requirement
Discontinuation of the Service

Termination does not entitle you to refund or compensation for Virtual Goods, character progress, or other content.

9.3 Effect of termination

On termination, your right to access the Service ends immediately. Sections of these Terms that by their nature should survive termination (Sections 4, 5, 10, 11, 12, 13, 14) will survive.

10. Disclaimers

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR CONTINUITY OF OPERATION.

WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, SECURE, ERROR-FREE, FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR THAT DEFECTS WILL BE CORRECTED. WE MAKE NO WARRANTY REGARDING THE ACCURACY OR RELIABILITY OF ANY INFORMATION OBTAINED THROUGH THE SERVICE.

Some jurisdictions do not allow the exclusion of certain warranties. In such jurisdictions, the above exclusions apply only to the extent permitted by law.

11. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL WE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES, ARISING OUT OF OR RELATING TO YOUR USE OF OR INABILITY TO USE THE SERVICE.

OUR AGGREGATE LIABILITY FOR ANY CLAIM ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE WILL NOT EXCEED THE GREATER OF (A) THE AMOUNT YOU HAVE PAID US IN THE TWELVE MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED U.S. DOLLARS (US$100).

Some jurisdictions do not allow limitations of liability for personal injury, gross negligence, or wilful misconduct, or for certain consumer-protection breaches. Nothing in these Terms limits our liability where the law prohibits such limitation.

12. Indemnification

You agree to defend, indemnify, and hold harmless us and our officers, employees, and agents from and against any claims, damages, obligations, losses, liabilities, costs, or debts, and expenses (including reasonable attorney's fees) arising from:

Your use of and access to the Service
Your violation of these Terms
Your violation of any third-party right, including without limitation any intellectual property right, privacy right, or contract right
Any content you submit to the Service

13. Governing law and disputes

These Terms are governed by the laws of the State of Delaware, United States, without regard to its conflict-of-law principles.

Any dispute arising out of or relating to these Terms or the Service will be resolved exclusively in the courts of the State of Delaware, United States, and you consent to the personal jurisdiction of those courts.

If you are located in the European Union, the European Economic Area, the United Kingdom, or another jurisdiction with mandatory consumer-protection laws, the law of your country of habitual residence may apply to the extent it grants you greater consumer protection than the law specified above, and you may bring claims in the courts of your country of habitual residence.

14. General

14.1 Entire agreement

These Terms, together with the Privacy Policy, constitute the entire agreement between you and us regarding the Service and supersede any prior agreements.

14.2 No waiver

Our failure to enforce any provision of these Terms is not a waiver of our right to do so later.

14.3 Severability

If any provision of these Terms is held invalid or unenforceable, the remaining provisions remain in effect.

14.4 Assignment

You may not assign or transfer these Terms without our prior written consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets, or by operation of law.

14.5 Changes to these Terms

We may modify these Terms from time to time. When we make material changes, we will notify you by:

Posting the updated Terms at the same URL
Updating the "Last updated" date at the top
Notifying account holders by email or in-game notification for material changes

Continued use of the Service after material changes become effective constitutes acceptance of the updated Terms. If you do not agree to updated Terms, you must stop using the Service and may delete your account.

14.6 Force majeure

We are not liable for any failure or delay in performing our obligations under these Terms when the failure or delay results from causes outside our reasonable control. These causes include but are not limited to: acts of God, natural disasters, fire, flood, earthquake, severe weather, pandemic or epidemic, war, terrorism, riot, embargo, strikes or other labor disputes, governmental action or inaction, network or telecommunications failures, denial-of-service attacks or other cyberattacks, and outages or service disruptions of any of our infrastructure or third-party service providers (the full list is in Privacy Policy Section 4.1; today this includes hosting providers Railway, Supabase, and Vercel, CAPTCHA provider Cloudflare, transactional-email provider Google Workspace, and the optional Discord OAuth sign-in). The Service depends on these providers; their outages will affect availability of all or part of the Service and are excused under this Section.

Nothing in this Section limits liability that cannot be excluded under applicable consumer-protection law.

14.7 Contact

Questions about these Terms can be sent to legal@visiblemiles.com.

For general support inquiries, contact support@visiblemiles.com.

For copyright infringement notices, see Section 4.5.

For our mailing address: available on request by emailing legal@visiblemiles.com (Visiblemiles Inc is a Delaware corporation in formation; a registered address will be published once formed)

Privacy Policy

Last updated: May 21, 2026

Effective date: June 7, 2026

This Privacy Policy describes how Visiblemiles Inc, a Delaware corporation ("we", "us", or "our") collects, uses, shares, and protects personal information when you use the Visiblemiles game and related services (the "Service").

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

We have written this in plain English where possible. Technical and legal terms are defined inline.

1. Who we are

The Service is operated by Visiblemiles Inc, a Delaware corporation, located at available on request by emailing legal@visiblemiles.com (Visiblemiles Inc is a Delaware corporation in formation; a registered address will be published once formed).

For privacy-related questions, contact us at legal@visiblemiles.com.

2. Information we collect

We collect information in three ways: information you give us, information we collect automatically, and information from third parties.

2.1 Information you give us

When you create an account or use the Service, you provide:

Email address — used for sign-in, transactional email (password reset, security notifications), and to contact you about service issues
Password — stored as a cryptographic hash; we never have access to the plaintext
Age confirmation — a single boolean flag confirming you are 13+ at sign-up
Terms acceptance — a flag in your account metadata recording that you accepted these Terms (the acceptance date is implicit via your account-creation timestamp recorded by Supabase Auth)
Discord identity (optional) — if you sign in with Discord, we receive your Discord user ID, display name, and email per Discord's OAuth scopes
Multi-factor authentication (optional) — if you enable TOTP, Supabase Auth (our authentication processor — see Section 4.1) stores your TOTP factor with at-rest encryption. We additionally store your single-use recovery codes as one-way scrypt hashes (we never have access to the plaintext codes after you generate them)
Character data — names you choose, appearance selections (skin tone, hair color, gender, hair style), subclass, and other character creation choices
In-game communications — chat messages you send (zone, say, whisper, emote), reports you file against other players
Support communications — anything you send us by email or other support channels

2.2 Information we collect automatically

When you use the Service, we automatically collect:

IP address — used for rate limiting, abuse detection, and security event logging
Game session data — character position, level, experience, inventory, equipment, loadouts, wardrobe, quest progress, completed objectives, unlocked map regions ("fog of war"), in-game currency, cooldowns, runtime flags, and any other state the server is authoritative over
Connection metadata — WebSocket connection timestamps, disconnect reasons, message types and rates (for rate-limit enforcement), and per-session network-quality measurements (round-trip latency in milliseconds and jitter, computed by your client and reported on its periodic ping). These metrics are technical timing values, not content; we use them to tune server tick rate, broadcast cadence, and interest radius for real player connection conditions, and to investigate "the game feels laggy" reports from testers
Client error reports — if your browser encounters a JavaScript error or unhandled rejection, the error message, stack trace, browser type and version, current game zone, and account ID are sent to us so we can diagnose and fix bugs
Security event logs — failed sign-in attempts, suspected fraud, MFA challenges, and other security-relevant events, with IP and timestamp
Moderation logs — chat messages that triggered automatic filters, manual moderator actions taken against your account
Browser local storage — game settings (volume, reduced motion preference, large text, keybinds) and your Supabase Auth session token

2.3 Information from third parties

Cloudflare Turnstile — when you complete the CAPTCHA challenge at sign-in, sign-up, or password reset, Cloudflare provides us a verification token confirming you are a human. Cloudflare may process additional signals (IP, browser characteristics) to make that determination — see Cloudflare's Privacy Policy
Supabase Auth — when you sign in, Supabase confirms your credentials and issues a JWT session token
Discord (optional) — if you use Discord to sign in, Discord provides the profile information described in Section 2.1

We do not currently use analytics, advertising, or marketing tracking services. If we add any in the future, we will update this Policy and notify account holders.

3. How we use information

We use the information we collect to:

Provide the Service. Authenticate you, load your character state, run gameplay, enable chat, persist progress between sessions.
Secure the Service. Detect and prevent fraud, abuse, cheating, account takeover, denial-of-service, and other threats.
Moderate content. Filter prohibited chat content, review reports filed against accounts, take action against accounts that violate the Acceptable Use rules.
Fix bugs and improve. Investigate client-side errors, monitor game balance, diagnose performance issues.
Communicate with you. Send transactional emails (password reset, security alerts, account notifications), service updates, and respond to support inquiries.
Comply with law. Respond to lawful legal process, enforce our Terms, defend against legal claims.

We do not use your information for advertising, profiling, or automated decision-making with legal effect.

3.1 Legal bases for processing (EU/EEA/UK users)

If you are in the European Union, the European Economic Area, or the United Kingdom, our legal bases under GDPR / UK GDPR are:

Contract (Article 6(1)(b)): processing necessary to provide the Service you signed up for — account, gameplay, communications about your account
Legitimate interests (Article 6(1)(f)): security event logging, fraud detection, abuse moderation, client error reporting. Our interest is operating a safe service; your interest in the Service depends on it being safe.
Legal obligation (Article 6(1)(c)): retaining records required by law, responding to lawful legal process
Consent (Article 6(1)(a)): only where we explicitly ask — we don't currently rely on consent for any processing other than your acceptance of these Terms and the age confirmation

You may object to processing based on legitimate interests at any time by contacting us — see Section 7.

3.2 Communications you receive from us

We distinguish two types of email we may send you:

Transactional and service email. Password reset, security notifications (new sign-in from a new device, MFA changes, account-deletion confirmation), maintenance windows, character-data warnings, service-status alerts, material changes to these legal documents, and replies to your support inquiries. These emails are essential to operating the Service and to your security; you cannot opt out of them while your account is active. To stop receiving them, delete your account (see Section 7).
Marketing and promotional email. Announcements about new features, public-beta or full-release transitions, content updates, community events, and any future newsletters. We do not currently send marketing email. If we begin to, you can opt out at any time by clicking the unsubscribe link in any marketing email or by contacting us at legal@visiblemiles.com. Opting out of marketing email does not affect transactional email or your access to the Service. We will not enroll you in marketing email without your prior express consent where required by applicable law — notably under EU/EEA/UK PECR / ePrivacy rules and under Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23), both of which require opt-in. For U.S. users we follow the CAN-SPAM Act's notice-and-opt-out model. Where the applicable law requires opt-in (EU/EEA/UK/Canada) you will not receive marketing email unless you have actively opted in.

4. How we share information

We share personal information only in the limited circumstances below.

4.1 Service providers (processors)

We use third-party companies to operate the Service. Each acts as a "processor" of your information on our behalf, under contractual obligations to protect it.

Provider	What they handle	Location	Privacy policy
Supabase	Account database, authentication	United States (Amazon Web Services)	Supabase Privacy
Railway	Game server hosting	United States (Google Cloud Platform)	Railway Privacy
Vercel	Static asset hosting, serverless functions	United States (multi-region)	Vercel Privacy
Cloudflare	CAPTCHA challenge (Turnstile)	Global edge network	Cloudflare Privacy
Discord (optional)	OAuth sign-in for accounts that use it	United States	Discord Privacy
Google Workspace	Outbound transactional email (SMTP relay)	Global	Google Privacy

These processors may store and process information in the United States or other countries. See Section 9 for international transfers.

4.2 Other players

In-game information visible to other players includes:

Your character names
Your characters' appearance and equipment
Your characters' positions in shared world zones
Chat messages you send in the say, zone, and emote channels (visible to nearby players or all players in the same zone, depending on channel)
Whisper messages sent to a specific player (visible only to you and that player)
Party chat messages (visible only to your party members; the party system is a stub during Closed Alpha and not yet active, but the channel is reserved)
Reports you file (visible to moderators; the reported player is notified only of action taken, not the identity of the reporter)

We do not display your email, IP address, or other account information to other players.

4.3 Legal disclosure

We may disclose personal information when we believe in good faith it is necessary to:

Comply with a lawful subpoena, court order, or government request
Enforce these Terms or investigate violations
Protect the rights, property, or safety of us, our users, or the public
Defend against legal claims

Where lawful, we will notify affected users of legal disclosure requests.

4.4 Business transfers

If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of the transaction. We will notify you (by email or in-game notification) and give you the opportunity to delete your account before the transfer takes effect.

4.5 What we do NOT do

We do not:

Sell personal information to third parties (for any consideration, monetary or otherwise)
Share personal information with advertisers or ad networks
Use personal information for advertising profile-building
Rent, lease, or trade contact lists

This includes for CCPA purposes — we have not sold or shared personal information in the preceding 12 months and do not anticipate doing so.

5. Data retention

We retain personal information only as long as necessary for the purposes described in this Policy. Specific retention practices:

Data	Retention	Why
Account record (email, password hash, MFA state)	Until you delete your account. Deletion removes the `auth.users` row and cascade-deletes `account_profiles`, `recovery_codes`, `players` (and through `players` all 10 character-keyed child tables), `chat_messages.sender_account_id` rows, and `player_reports.account_id` rows (`ON DELETE CASCADE`)	Required to authenticate you
Character data and game state (inventory, equipment, quests, fog, wardrobe, etc.)	Until you delete the character. Per-character deletion uses the `hard_delete_character` RPC, which removes the character row and 10 dependent tables in a single transaction. Account deletion calls this RPC for every character on the account, then deletes the `auth.users` row, which cascade-removes any remaining character rows and all account-keyed data	Required to provide the game
Chat messages (zone, say, whisper, emote)	Up to 180 days. When you delete your account, your sent messages are cascade-deleted via the `sender_account_id` FK to `auth.users`. Messages older than 180 days are purged by a daily server-side retention job regardless of account status. Messages sent before the migration that added `sender_account_id` (any message earlier than the FK rollout) are still keyed only by character name and rely on the daily purge for removal	Moderation, abuse investigation
Security event logs (`suspicious_activity` table — sign-in attempts, IP, failed MFA)	Anonymized on account deletion (the FK to `auth.users` uses `ON DELETE SET NULL`, so the row persists but the link to your identity is severed).	Fraud and abuse detection
Client error reports (`client_errors` table — JS exceptions, stack traces)	Anonymized on account deletion (same `ON DELETE SET NULL` pattern as security logs — row persists, identity link severed).	Bug diagnosis
Moderation logs (chat messages flagged by automated filters)	Same as Chat messages above: up to 180 days, purged daily by the server-side retention job, plus cascade-delete on account deletion via the `sender_account_id` FK	Pattern detection, defense in legal disputes
Player reports you have filed (`player_reports` table, your row)	Cascade-deleted on account deletion via the `account_id` FK to `auth.users`. Reports older than 365 days are purged daily by the retention job regardless of account status	Moderation review, ban-evasion detection
Player reports filed against your characters (`player_reports` table, target row)	Up to 365 days. The row persists until either the reporter deletes their account (cascade) or the daily retention job ages it out, whichever comes first. Reporter identity stays anonymized to you per Section 4.2	Moderation review, ban-evasion detection
Recovery codes (hashed, single-use)	Cascade-deleted on account deletion (FK to `auth.users` `ON DELETE CASCADE`)	Required for MFA recovery
Backup snapshots	Current Supabase plan tier determines retention: Free plan has no automatic backups (manual `db dump` exports only); Pro plan provides daily backups with 7-day retention. Backups follow our hosting provider's retention policy (a short rolling window) before being overwritten.	Disaster recovery

When you delete your account, the in-game delete-account handler runs in this order: (a) the auth.users row is deleted via the Supabase Admin API, which triggers Postgres ON DELETE CASCADE to remove account_profiles, recovery_codes, players (and through players all 10 character-keyed child tables — inventory, equipment, quests, fog, wardrobe, etc.), chat_messages.sender_account_id rows, and player_reports.account_id rows; ON DELETE SET NULL anonymizes client_errors and suspicious_activity (rows persist, identity link severed); (b) the handler then runs the in-game hard_delete_character cascade as a belt-and-suspenders pass, which is a no-op after the FK cascade but guarantees logging and session eviction. Direct deletion of an auth.users row from the Supabase Dashboard fires the same cascade chain — there is no longer a "Dashboard path" that orphans character data. Some data may also persist in backup snapshots for the backup retention window before being overwritten.

6. Security

We protect personal information using:

TLS encryption in transit between your browser and our servers (HTTPS + WSS)
Bcrypt password hashing (handled by Supabase Auth; we never store plaintext passwords)
Encrypted storage at rest on Supabase database infrastructure
Multi-factor authentication available to all accounts (optional but recommended)
Bot protection via Cloudflare Turnstile on sign-in, sign-up, and password reset
Row-level security policies on database tables, audited regularly
Rate limiting on authentication and gameplay actions to prevent abuse
Maintenance gates that block gameplay during service maintenance
Restricted admin access with audit logging for all administrative actions

No system is perfectly secure. If we discover a breach of personal information, we will notify the applicable supervisory authority within the timeframe required by law (under GDPR / UK GDPR Article 33: within 72 hours of becoming aware where required). When the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (under GDPR / UK GDPR Article 34).

7. Your rights

Depending on where you live, you have some or all of the following rights:

7.1 All users

Access. Request a copy of the personal information we hold about you.
Correction. Ask us to correct inaccurate information.
Deletion. Ask us to delete your account and associated data, subject to the exceptions in Section 5.
Export. Request a copy of your data in a portable format.

To exercise these rights:

Deletion is self-serve from the launcher account panel ("Delete Account"). The flow re-validates your session, evicts any active in-world session for your account, and cascades to remove your account row, character rows, chat messages you sent, reports you filed, and all account-keyed audit data. Some data (security event logs, client error reports) is anonymized rather than deleted — the row persists but the link to your identity is severed.
Access and Export requests are honored within 30 days of receipt under GDPR / CCPA. Email legal@visiblemiles.com from the email address associated with your account; we will verify your identity, build a JSON export across every table holding your personal data, and deliver it via an encrypted channel.
Correction requests are honored via the same email channel.

7.2 EU/EEA/UK users (GDPR rights)

In addition to the rights above, you have:

Right to restrict processing of your data in certain circumstances
Right to object to processing based on legitimate interests (Section 3.1)
Right to data portability — receive in a structured, machine-readable format the data you have provided to us that we process under the "Contract" or "Consent" legal bases (Section 3.1). This right does NOT cover data we process under legitimate interests (security event logs, moderation logs, abuse-detection records, client error reports) per GDPR Article 20(1)
Right to lodge a complaint with your national data protection authority

Contact details for EU and EEA supervisory authorities: European Data Protection Board list. Contact for the UK: Information Commissioner's Office.

7.3 California users (CCPA rights)

If you are a California resident, you have the right to:

Know what personal information we collect, use, and share
Delete the personal information we hold about you
Correct inaccurate personal information
Opt out of "sale" or "sharing" of personal information — we do not sell or share personal information as defined by the CCPA, so there is nothing to opt out of, but you may file a request anyway and we will confirm in writing
Non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised your CCPA rights

To exercise CCPA rights, contact legal@visiblemiles.com. We will verify your identity (typically by confirming you can sign in to the email address associated with your account) before responding. We respond within 45 days.

7.4 Other jurisdictions

If your local law provides additional rights, those apply. Contact us and we will do our best to honor them.

8. Cookies and local storage

We do not set first-party cookies on visiblemiles.com for analytics, advertising, or marketing. We use browser local storage instead to:

Store your Supabase Auth session token (so you don't have to sign in on every page load)
Save your game settings (volume, accessibility preferences, keybinds, panel layouts, world-map filters, character-name autofill)

You can clear local storage in your browser's settings. Doing so will sign you out and reset your settings to defaults.

Third-party services we use may set their own cookies on their own domains as part of providing their service. Specifically, Cloudflare Turnstile (our CAPTCHA provider) may set cookies on challenges.cloudflare.com for bot detection while the CAPTCHA widget is active — see Cloudflare's Privacy Policy linked in Section 4.1.

The Service does not use analytics, advertising, or marketing tracking cookies or pixels.

9. International transfers

We operate in the United States. The processors listed in Section 4.1 may store and process your information in the United States and other countries.

For users in the European Union, the European Economic Area, the United Kingdom, or other jurisdictions with cross-border-transfer rules, transfers are made under:

Standard Contractual Clauses approved by the European Commission for transfers to processors in countries without an adequacy decision (Supabase, Railway, Vercel use these where applicable)
The UK International Data Transfer Agreement for UK personal data
Adequacy decisions where they exist (e.g., the EU–US Data Privacy Framework, where applicable to the specific processor)

By using the Service from outside our country of establishment, you understand that your information will be transferred to and processed in countries with different data protection laws.

10. Children's privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. Sign-up requires confirming you are 13 or older.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, contact legal@visiblemiles.com. We will delete the information promptly.

For users between 13 and the age of majority in their jurisdiction (typically 18), the Terms of Service require parental or guardian agreement on your behalf — see Terms of Service Section 1.

11. Automated decision-making and profiling

We do not engage in solely automated decision-making that produces legal effects or similarly significantly affects you. Our automated systems (chat profanity filter, rate limiters, anti-fraud heuristics) may take immediate protective action — for example, suppressing a chat message that contains a slur, or temporarily blocking sign-in attempts from a specific IP — but these are reversible and subject to human review on appeal.

If you believe an automated system has incorrectly acted against your account, contact support@visiblemiles.com.

12. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will:

Post the updated Policy at the same URL
Update the "Last updated" date at the top
Notify account holders by email or in-game notification

Continued use of the Service after material changes constitutes acceptance of the updated Policy. If you do not agree, you may stop using the Service and delete your account.

We will not retroactively reduce your privacy rights or use your data in ways that were not described at the time you provided it, without seeking your explicit consent.

13. Contact

For privacy-related questions, requests, or complaints:

Email: legal@visiblemiles.com
Mail: Visiblemiles Inc, available on request by emailing legal@visiblemiles.com (Visiblemiles Inc is a Delaware corporation in formation; a registered address will be published once formed)

For general support: support@visiblemiles.com.

We aim to respond to privacy requests within 30 days. For complex requests, we may extend this period by an additional 60 days, with notice to you.