This policy explains what personal data we process when you play InVR or visit invr.be, why we process it, and the rights you have under the EU General Data Protection Regulation (GDPR / RGPD).
Who is responsible
InVR ("InVR", "we", "us") is a virtual-reality game currently operated by a private individual based in Belgium. No company has been incorporated yet, so for all data-protection matters the controller can be reached at [email protected]. For anything else, use [email protected].
What we collect
Account data
When you first launch InVR the game creates an account for you automatically. We do not ask for your name, email address or a password. We store: a randomly-generated account identifier, a randomly-generated login token (which lives on your device so you stay signed in), the username you choose (a default like "sphere-1234" is assigned otherwise), your chosen avatar colour, your comfort settings (stick-turn mode and speed), your in-game token balance, and the date your account was created. If you request an account migration, we also store a temporary migration token linked to your account, which expires after 7 days or once it has been used.
Gameplay data
The cosmetics you own and have equipped, your friend relationships (friend requests and accepted friends), and your in-game currency transactions (tokens earned and cosmetics bought).
Session & technical data
Each time you connect we record: connection and disconnection timestamps, session length, the device type your client reports (e.g. "Quest 2", "Mac"), the distribution channel (e.g. "web", "meta-store"), your country (derived at the network layer through Cloudflare — we do not store your IP address), which of our game servers you were connected to, and how the session ended (you left, an error occurred, or you were removed by a moderator).
Moderation & safety data
If you report or mute another player we log who reported/muted whom, the reason and the time. Username changes and bans (with their reason) are also logged so we can keep the game safe and fair.
Voice chat
InVR has live voice chat. Your microphone audio is compressed and relayed in real time to the other players in your lobby. We do not record or store voice audio.
Technical diagnostics
While you play, the game reports transient technical health data — frame rate, frame timing, network latency, packet-delivery and voice-transmission statistics (never voice content), and on headsets the device's thermal state and battery level — so we can tell server problems apart from device or connection problems. This data lives only in server memory for a few hours and is never stored or shared.
Gameplay session recording (bug replay)
To reproduce and fix gameplay bugs, the game server can keep a rolling recording of the current session: your headset and controller movement, button presses, and your avatar's in-world position, together with your username and avatar appearance. This recording only runs while a developer is actively investigating that game server — nothing is captured the rest of the time. While it runs, only roughly the last 10 to 30 minutes exist at any time — older data is continuously overwritten — and the buffer of a player who leaves is discarded within minutes. It contains no voice audio, no chat, and nothing from outside the game. A developer may export this buffer to investigate a bug; exported recordings are used only for debugging, are not shared with anyone else, and are deleted when the investigation is done.
What we do not collect
- No email address, real name, password or payment information.
- No stored IP addresses — only a country code.
- No server-side logging of your head/hand movement or position.
- No text-chat logs (there is no text chat), and no advertising or cross-site tracking.
Why we process it
- To provide the game — running your account, saving your progress, matchmaking, voice chat and friends. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- To keep the game safe and fair — moderation, reports, bans and anti-abuse. Legal basis: our legitimate interests (Art. 6(1)(f) GDPR).
- To understand and improve the game through aggregate statistics. Legal basis: our legitimate interests (Art. 6(1)(f) GDPR).
Analytics
We use only our own, self-hosted statistics. We do not use Google Analytics or any third-party advertising or tracking service. The player-activity charts on invr.be show aggregate figures (players online, daily active players, and similar) and never identify an individual player.
Cookies & local storage
The website invr.be does not set any cookies, and the fonts it uses are served from our own servers rather than a third-party font CDN. It uses only temporary session storage for technical purposes (such as retrying a failed load). The game stores your login credentials locally on your device or headset so you stay signed in; that data stays on your device and is only sent to our servers to authenticate you.
Who your data is shared with
- Other players — your username, avatar colour, equipped cosmetics, live voice and in-game presence are visible to players you play with. All gameplay and voice traffic is relayed through our game server, so other players never connect to you directly and cannot see your IP address — they only ever receive a temporary, randomly generated identifier that changes every time you join a server, never your account identifier. Players you are friends with (or who have a pending friend request with you) additionally see your stable friend-list identifier, online status and, while you play, which lobby you are in.
- Sentry — we use Sentry to capture technical errors and crashes in the web client so we can fix bugs; this may include technical error details. Sentry is configured to store our data in its EU region.
- ForwardEmail — we email ourselves operational and moderation alerts (for example when a player is reported) through ForwardEmail, our transactional email provider; such an alert can include the usernames and the reason involved in a report.
- Hetzner — our hosting provider; our game servers and database run on Hetzner infrastructure within the EU (see "Hosting & data location" below).
- Cloudflare — sits in front of our servers as a network and CDN layer and provides the country code described above. Cloudflare processes limited connection metadata (mainly IP addresses) on its edge servers in the EU and the United States; see "Hosting & data location" below. Further information on how Cloudflare processes personal data is available at cloudflare.com/trust-hub/gdpr.
- Meta & Discord — InVR is distributed through the Meta (Quest) store and we run a Discord community. If you use those, their own privacy policies apply; we have no account-linking integration with them.
We never sell your data. We only share it with the service providers listed above, or where the law requires it.
Hosting & data location
Game servers and player data are hosted within the EU on infrastructure provided by Hetzner Online GmbH (data centres in Germany and Finland), which is certified to ISO/IEC 27001:2022 for information security. Our error-tracking data (Sentry) is also stored in the EU. Cloudflare, our network and CDN layer, processes limited connection metadata (mainly IP addresses) in the EU and the United States; for any transfer to the United States it relies on the EU-U.S. Data Privacy Framework and the EU Standard Contractual Clauses as appropriate safeguards.
How long we keep it
Account and gameplay data is kept while your account exists. Session and activity logs are kept to operate and improve the game and for safety. You can ask us to delete your account and the personal data attached to it.
Your rights
Under the GDPR you have the right to access, rectify, erase ("right to be forgotten"), restrict and object to the processing of your data, and the right to data portability. Because accounts are anonymous, to exercise these rights you will need to give us your in-game account identifier so we can locate your data. Contact [email protected]. You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données, www.dataprotectionauthority.be).
Children
InVR is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has an account, contact [email protected] and we will remove it.
Changes
We may update this policy. The "last updated" date above will change and any material changes will be announced in the game or on our Discord.