public record / privacy

Privacy Policy

Last updated: 20 May 2026

1. Who We Are

ChromeCreatures is operated by Gray Systems Ltd (company number 17149412), registered in England and Wales at 50 Essex Street, London, WC2R 3JF ("we", "us", "our").

For the purposes of UK GDPR and the Data Protection Act 2018, Gray Systems Ltd is the data controller for personal data collected through the ChromeCreatures website, web app, browser extension, and related services (the "Service").

If you have any questions about this policy or want to exercise your rights, contact us here or write to the address above.

2. What We Collect

We've tried to be specific here rather than vague. The Service collects the following categories of data:

Account data

Email address (stored in plaintext so we can contact you)
Password, stored only as a bcrypt hash — we never store or have access to your plaintext password
Display name
A generated agent ID (used for your public profile)
Account creation timestamp

Browser extension data

For each browser where you install and link the extension, we store:

A unique install ID (UUID) per installation
A SHA256 hash of the API token used by that install — the raw token is sent to your browser once at link time and never stored by us in recoverable form
A device label you assign (e.g. "Work Laptop")
A last_seen_at timestamp, updated on every API call from that extension install
The last IP address and user-agent used by that extension install, so you can recognise unusual linked-device activity

If you set up a passkey (WebAuthn) to sign in, we also store the passkey's public key, credential ID, a device name you choose, and a sign count. The credential itself stays on your device; we only hold what's needed to verify a sign-in.

Browsing-related data (please read this section carefully)

Each time the extension considers spawning a creature on a page, it sends us a per-install HMAC-SHA256 hash of the page's domain (for example, a keyed hash of example.com). We store that domain hash, along with a timestamp, against every encounter and every creature you capture.

We want to be straightforward about what this means in practice:

We do not receive the full URL, page content, page title, text, images, or anything else on the page.
We do not receive your browsing history.
The HMAC key is generated and stored locally by your extension. It is not stored in our database, so a database-only breach cannot run a simple public-domain dictionary against the stored domain hashes.
This is still browsing-derived metadata, not anonymous data. A compromised browser extension install, your own device, or any future change that exposes the local HMAC key could make the hashes easier to interpret.

We also store normalised spawn coordinates (two floats between 0 and 1) representing where on the page a creature appeared.

Gameplay data

The Service permanently stores a fairly detailed record of your play. Specifically:

Encounter history: the creature, the hashed domain, spawn coordinates, the creature's health, hit count, individual hit timestamps, capture attempts (including the exact success probability the server calculated), the outcome, and timestamps.
Capture attempts: the item used, the creature's health at the moment of the attempt, the calculated success chance, the result, and the timestamp.
Collection entries: the creature, the domain where it was caught, variant, level, XP, any nickname you give it, and when it was caught. If you release or process a creature, that collection entry is permanently deleted.
Work slot activity: which creature is assigned to which slot, when, and when resources were last collected.
Shop purchases: the item slug, any active buff expiry times, and your coin balance.

Technical and session data

Session cookies for authentication (HttpOnly, Secure in production, SameSite=Lax)
Server logs needed to operate and secure the Service (e.g. timestamps, request paths, error data)

What we don't collect

To make the boundaries clear, the Service does not collect:

Page content, text, images, or any URL beyond the domain
Your browser history
Keystrokes, mouse position, or general user activity
Analytics or behavioural tracking data — we run no analytics platforms and no third-party tracking on the web app or extension
Payment data — there are currently no real-money transactions, and we do not use a payment processor

3. How and Why We Use Your Data

Purpose	Data used	Lawful basis
Creating and authenticating your account	Email, password hash, display name, agent ID, session cookies, passkey data	Contract
Running gameplay (encounters, captures, collection, work slots, shop)	Gameplay data, collection entries, coin balance	Contract
Sending transactional emails (welcome email, password reset)	Email, display name, password reset URL	Contract
Recording where creatures spawn and were caught (domain hash + spawn coordinates)	Domain hash, timestamps, spawn coordinates	Legitimate interests — this is core to how the game works, but we acknowledge the privacy trade-off described in Section 2
Securing the Service, preventing abuse, debugging	Technical logs, last-seen timestamps, token hashes, security events, admin audit records, last extension IP/user-agent	Legitimate interests
Complying with law	Any of the above	Legal obligation

We do not sell your personal data, and we do not use it for advertising or profiling.

4. Who We Share Data With

We use a small number of third-party services, listed here so you know exactly who touches your data:

Microsoft Azure (Graph API) — used only to send transactional emails (welcome emails and password resets). Microsoft receives your email address, display name, and (for resets) a password reset URL. Microsoft acts as a data processor on our behalf.

That's it. We do not use:

Any analytics or product-analytics platforms
Any third-party advertising or tracking services
A payment processor (no real-money transactions)
A third-party CDN that proxies your traffic

We may also disclose data where required by law, court order, or to protect our legal rights or the safety of others.

5. Public Profile

Each account has a public agent profile, viewable by anyone who knows your agent ID, showing:

Your display name
Your join date
Total creatures caught and seen
Counts by rarity

Your public profile does not expose any browsing data, domain hashes, encounter history, or other private gameplay records.

6. Cookies and Local Storage

The web app uses only strictly necessary cookies — session and authentication cookies needed to keep you signed in. These are set as HttpOnly, Secure (in production), and SameSite=Lax. We do not use analytics, advertising, or non-essential cookies, so no cookie consent banner is shown.

The extension stores its install ID, API token, and cached spawn configuration in your browser's extension storage. You can clear this by unlinking the extension from the account settings page, or by uninstalling the extension.

7. How Long We Keep Data

We want to be honest about this:

Account and gameplay data is currently retained indefinitely until you ask us to delete it. We do not currently run automated deletion jobs.
Releasing or processing a caught creature permanently deletes that specific collection entry from our database.
You can revoke individual extension installs and delete passkey devices yourself from your account settings. Doing so removes the associated install records or passkey credentials.
There is currently no self-serve account deletion flow. If you want your account deleted, contact us here and we'll process the request. We expect to add a self-serve deletion option in future.

If you exercise your right to erasure (see Section 9), we will delete or anonymise your personal data within one month, except where we're required to keep certain records for legal reasons.

8. Security

We take reasonable technical and organisational measures to protect your data, including:

Passwords stored only as bcrypt hashes
API tokens stored only as SHA256 hashes; the raw token is shown to your extension once at link time and is not recoverable from our database
Browsing-domain metadata stored as per-install HMAC-SHA256 hashes rather than raw domains or unsalted public hashes
Session cookies set as HttpOnly, Secure (production), SameSite=Lax
HTTPS enforced in production

No system is perfectly secure, and you're responsible for keeping your password and any device that's linked to your account safe.

9. Your Rights

Under UK GDPR you have the following rights in relation to your personal data:

Access — request a copy of the data we hold about you
Rectification — correct inaccurate or incomplete data
Erasure — ask us to delete your data (also known as "the right to be forgotten")
Restriction — ask us to limit how we use your data
Objection — object to processing based on legitimate interests
Portability — receive your data in a structured, machine-readable format
Withdraw consent — where we relied on consent for a specific purpose

To exercise any of these rights, contact us here. We will respond within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.

10. International Transfers

Microsoft Azure may process email-sending data outside the UK. Where data is transferred outside the UK, we rely on appropriate safeguards (such as adequacy regulations or the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses).

11. Children

The Service is not intended for children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided personal data to us, contact us here and we will delete it.

12. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top will reflect any changes. For material changes (for example, adding a new category of data collection or a new processor), we'll notify you by email or in-app.

13. Contact

For privacy questions, data requests, or to exercise any of your rights, contact us here.

Post: Gray Systems Ltd, 50 Essex Street, London, WC2R 3JF