跳到内容

Privacy Policy

Last updated July 11, 2026

This policy describes what Pixcadia (operated by Oekaki Connect) actually stores and why. Short version: an email address, your library, and as little else as we can get away with.

What we store

  • Account: your email address, optional display name, a password hash (Argon2, so we never see your password), optional two-factor secret, and login sessions.
  • Profile: your unique handle, optional display name, and whether your small player profile is public, friends-only, or private. Profiles are private-by-default until you choose otherwise. Accepted friends can view a friends-only profile; requests alone never grant profile access.
  • Friends: your current random friend code, pending and accepted connections, ignored-request cooldowns, and accounts you block. A code can only request a connection; it cannot log in or grant game access. Blocks and ignored requests are private, and online/game presence is not retained as history.
  • Library: which games you own or have passes for, when keys were redeemed, and per-game play counts (used for "last played" style features and abuse prevention, with no gameplay telemetry).
  • Wallet verification (optional): if you verify a wallet, we store its public address and a snapshot of qualifying NFT holdings, read from OpenSea's public API. We never receive keys and never can move anything.
  • Game devices: devices you link (label, created/last-used times) so you can review and revoke them in Settings.
  • Abuse prevention: rate-limit counters keyed by pseudonymized values. Emails and network prefixes are hashed before storage, and full IP addresses are not kept.
  • Audit trail: administrative and security-relevant actions (key created, account suspended…) with identifiers, never with secrets or full personal data.

What we don't do

  • No advertising, no tracking pixels, no third-party analytics scripts.
  • No selling or sharing data with data brokers, ever.
  • Games you play receive your player id, display name, and perk tags. They never get your email.

Who touches data on our behalf

  • bunny.net handles hosting, storage, and content delivery.
  • Resend sends account email (login links, receipts).
  • OpenSea answers public wallet data reads during NFT verification you initiate.

Cookies

One signed session cookie to keep you logged in, plus a local-storage theme preference. That's the whole list, which is why there is no cookie banner.

Your rights

  • Export: Settings → "Your data" downloads everything we hold about you as JSON, self-serve, instantly.
  • Deletion: Settings → "Delete account" schedules your account for deletion after a 30-day grace period. It keeps working meanwhile, and you can cancel from Settings until it runs. When it runs, your email, profile, handle reservations, password, wallets, tags, library, devices, friend code, connections, and blocks are erased and everything is signed out. Retained afterward: anonymized audit and key-redemption records (fraud and accounting) that no longer reference any personal data, and encrypted database backups that expire on a rolling ~24-hour window.
  • For anything else (correction, questions, complaints): hello@pixcadia.com.