Legal
Privacy Policy
Last updated 1 May 2026
This policy explains what we collect when you use HumanBase, what we do with it, and what your rights are. The short version: we collect what's needed to run your room and nothing else.
1. Who is the controller
The data controller is the maker of HumanBase, contactable at [email protected].
2. What we collect
Account: your email and an encrypted password.
Profile: anything you choose to set — display name, bio, avatar, links, and the public room number we assigned you.
Room data: the items you place, walls, floor, lights, and any custom 3D models you upload.
Usage: minimal server logs (IP, user agent, request path, timestamp) used to diagnose problems and detect abuse, retained for up to 30 days.
3. How we use it
We use your data to run the service: to authenticate you, render your room, let people you share with see it, send essential transactional email (account confirmation, password reset, replies you ask for), and to investigate abuse reports.
4. Cookies
We use cookies that are strictly necessary — your session cookie keeps you signed in, and a language cookie remembers your locale. We do not use advertising or tracking cookies.
5. Sharing
We do not sell your data. We share it only with processors needed to run the service: Supabase (authentication, database, storage) and Resend (transactional email). Each is bound by their own privacy and security commitments.
6. Storage and security
Data is stored on infrastructure we lease. Passwords are hashed by our auth provider — we never see them in clear text. We take reasonable technical and organisational measures to protect your data, but no service is perfectly secure.
7. Your rights
Depending on where you live, you have rights to access, correct, export, or delete your personal data, and to object to or restrict processing. Most of these you can do directly from your dashboard. For anything else, write to [email protected] and we will respond within 30 days.
8. Retention
We keep your account data while your account is active. When you delete your account, we delete your profile, room, and uploaded models within 30 days, except where we are required by law to keep something longer (for example, abuse logs).
9. Children
HumanBase is not intended for children under 13. If you believe a child has signed up, write to [email protected] and we will remove the account.
10. International transfers
If you are outside the country where the service is hosted, your data is transferred there to be processed. We rely on standard contractual clauses or equivalent safeguards where required by your local law.
11. Changes
We may update this policy. If we make significant changes, we'll notify you in-app or by email. The 'last updated' date at the top tells you when the policy last changed.