Privacy Policy

Quixotic Bravado LLC, doing business as "Collectivus" ("Collectivus," "we," "our," or "us"), is a limited liability company registered in the State of Texas, United States of America. We operate the Collectivus website, any associated applications, and all related features and services (collectively, the "Service").

Questions, requests, or concerns about this Privacy Policy can be directed to us at: [email protected]

Information you provide directly

• Email address — required when joining the waitlist or creating an account.
• Phone number — required when joining the waitlist or creating an account. Used to send a single early access notification via SMS when access opens, and for account authentication via one-time password.
• Invite code — entered when claiming early access. Not stored as personal data; verified and discarded.

Information collected automatically when you use the Service

• Usage data — which parts of the Service you visit, time spent, navigation paths, and similar interaction data.
• Loop progression data — discoveries, interactions, and session state within Loops. This data powers the persistence mechanic (the world knows what you've found).
• Device and environment information — device type, operating system, browser type and version, screen resolution, and IP address.
• Log data — server logs, error reports, and timestamps associated with your sessions.

Information received from third parties

• Authentication providers — if you sign in using Apple Sign-In, we receive limited profile information (name and email) as permitted under Apple's policies. Clerk, our authentication provider, processes your credentials on our behalf.
• Analytics providers — we may receive aggregated and anonymized data about how users find and interact with the Service from analytics tools. See Section 6 (Cookies and Tracking) for current tools.

We collect information in three ways:

Directly from you — when you join the waitlist, create an account, enter an invite code, or contact us with a question or request.

Automatically — through cookies, local storage, and similar technologies when you access and use the Service. See Section 6 for details.

From third-party providers — authentication providers (Clerk), analytics tools, and other services we use to operate the Service share limited information with us as described in their respective privacy policies and in our agreements with them.

We use the information we collect for the following purposes:

• To provide and operate the Service — creating and managing your account, authenticating your identity, delivering Loop content, and maintaining your session and progression data so the world continues where you left it.
• To send waitlist and early access communications — notifying you of character drops, Loop previews, and your early access invitation via the email address and phone number you provided, where you have opted in to those communications.
• To send a single SMS invitation — when early access opens, we will send one text message to your phone number if you provided it and consented. We do not send recurring SMS marketing without separate consent.
• To improve the Service — analyzing usage patterns, diagnosing technical issues, and understanding how the Service is used in order to make it better.
• To enforce our Terms of Use — investigating potential violations and protecting the security and integrity of the Service.
• To comply with legal obligations — responding to lawful requests from government authorities, courts, or regulators.

We do not sell your personal information. We do not use your personal information for targeted advertising or cross-context behavioral advertising.

We may share aggregated, anonymized audience data (for example, demographic and usage trends that cannot identify any individual) with brand partners for sponsorship and partnership purposes.

We rely on the following third-party services to operate the Service. Each processes personal data on our behalf under agreements that restrict their use of that data. Each is subject to their own privacy policy.

• Clerk — Authentication provider. Handles account creation, magic link login, SMS one-time passwords, and Apple Sign-In. Clerk processes your email address and phone number to operate these features.
  Privacy Policy: https://clerk.com/legal/privacy
• Supabase — Database and backend service. Stores waitlist entries, user account data, and Loop progression data. Data is stored in the United States.
  Privacy Policy: https://supabase.com/privacy
• Google Analytics — Website analytics provided by Google LLC. Collects information about how visitors use the Service, including pages visited, time on site, and general location. Used to improve the Service. Data may be processed by Google in the United States.
  Privacy Policy: https://policies.google.com/technologies/partner-sites
• Amazon Web Services (AWS SES) — Email delivery provider. Used to send waitlist confirmation and account notification emails. AWS processes your email address to deliver messages on our behalf. AWS privacy policy: aws.amazon.com/privacy.

No third-party service listed here is authorized to use your personal information for their own purposes beyond operating the feature for which they were engaged.

We use cookies and similar technologies to operate and improve the Service. The cookies we use fall into the following categories:

• Strictly necessary cookies — Required for the Service to function. These include session tokens and authentication state. You cannot opt out of these while using the Service; they are essential to basic functionality.
• Analytics cookies — We use Google Analytics to understand how visitors use the Service. Google Analytics sets first-party cookies to distinguish users and sessions; IP anonymization is enabled. For EEA and UK users, analytics cookies require prior consent under applicable ePrivacy regulations (PECR in the UK; national implementations of the ePrivacy Directive in the EU). A cookie consent mechanism will be presented to users in these regions before analytics cookies are set.
• We do not currently use advertising cookies, retargeting pixels, or third-party tracking technologies for behavioral advertising purposes.
• Your cookie controls — You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies will prevent the Service from functioning correctly. Disabling analytics cookies will not affect your ability to use the Service.

All users

You have the following rights with respect to your personal information:

• Access — You may request a copy of the personal information we hold about you.
• Correction — You may request that we correct inaccurate or incomplete information.
• Deletion — You may request deletion of your account and associated personal information.
• Opt out of marketing email — You may unsubscribe from marketing emails at any time using the unsubscribe link in any email we send.
• Opt out of SMS — You may stop SMS messages at any time by replying STOP to any text message we send. You can also request removal via [email protected].

To exercise any of these rights, contact us at: [email protected]. We will respond within the timeframe required by applicable law.

California residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• The right to know what personal information we have collected about you, including the categories of information, the purposes for collection, and the third parties with whom it has been shared.
• The right to delete personal information we have collected from you, subject to certain exceptions.
• The right to correct inaccurate personal information.
• The right to opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising.
• The right to non-discrimination for exercising these rights.

To submit a CCPA request, contact us at [email protected]. We will verify your identity before processing requests. California residents may designate an authorized agent to make requests on their behalf.

Texas residents (TDPSA)

If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act (effective July 1, 2024), including the right to confirm whether we process your personal data, access it, correct it, delete it, obtain a portable copy of it, and opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling. We do not sell personal data or process it for targeted advertising. To submit a request, contact [email protected].

Your information is stored and processed in the United States through the following services: Clerk (authentication), Supabase (database), Google Analytics (usage analytics), and AWS SES (transactional email).

We implement reasonable technical and organizational measures to protect personal information against unauthorized access, disclosure, alteration, and loss. These include encryption in transit (TLS), access controls, and the use of reputable managed services with their own security programs.

No system can guarantee complete security. You are responsible for maintaining the security of your account and the confidentiality of your email address and phone number. If you believe your account has been compromised, contact [email protected] immediately.

Data retention — We retain personal information for as long as your account is active or as long as necessary to fulfill the purposes described in this policy. Upon account deletion, we will delete or anonymize your personal information within a reasonable period, except where retention is required by law or necessary for legitimate business purposes (such as fraud prevention or legal compliance). You may request deletion at any time by contacting [email protected].

The Service is intended for users aged 13 and older. We do not knowingly collect personal information from children under the age of 13.

If we become aware that a user under 13 has provided personal information, we will take prompt steps to delete that information from our records.

If you are a parent or guardian and believe that a child under 13 has provided personal information to Collectivus without your consent, please contact us at [email protected] and we will investigate and respond promptly.

Users between the ages of 13 and 17 should have a parent or legal guardian review these policies before using the Service.

If you are located in the European Economic Area (EEA) or the United Kingdom, the following applies in addition to the rest of this policy.

Data controller

Quixotic Bravado LLC, doing business as Collectivus, is the data controller for personal information collected through the Service. Contact: [email protected]

EU/UK representative

We have determined that we are not currently required to appoint an EU or UK representative under Article 27 GDPR and Article 27 UK GDPR, respectively. We rely on the exemption for controllers whose processing of EEA/UK personal data is occasional, does not involve large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of natural persons. We will revisit this assessment as the Service grows and will appoint a representative if required.

Lawful basis for processing

We process your personal information on the following lawful bases under Article 6 of the GDPR:

• Performance of a contract (Article 6(1)(b)) — to create and manage your account, authenticate your identity, and deliver the Service.
• Legitimate interests (Article 6(1)(f)) — to improve the Service, ensure security and integrity, diagnose technical issues, and communicate service-relevant updates. Our legitimate interests do not override your fundamental rights and freedoms.
• Consent (Article 6(1)(a)) — for marketing communications (email and SMS) and for analytics cookies where consent is required. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Your rights under GDPR

You have the following rights, subject to applicable conditions and limitations:

• Right of access (Article 15) — to obtain a copy of your personal data and information about how it is processed.
• Right to rectification (Article 16) — to correct inaccurate or incomplete personal data.
• Right to erasure (Article 17) — to request deletion of your personal data in certain circumstances.
• Right to restriction of processing (Article 18) — to request that we limit how we process your data.
• Right to data portability (Article 20) — to receive your personal data in a structured, machine-readable format.
• Right to object (Article 21) — to object to processing based on legitimate interests, including for direct marketing.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact: [email protected]. We will respond within 30 days (one month), with the possibility of extension as permitted by law.

You also have the right to lodge a complaint with your local data protection supervisory authority. In the EU, find your authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en. In the UK, the relevant authority is the Information Commissioner's Office (ICO): https://ico.org.uk.

International data transfers

Your personal data is stored and processed in the United States. Transfers of personal data from the EEA or UK to the United States are subject to safeguards under Chapter V of the GDPR. We rely on the following mechanisms: Clerk participates in the EU–U.S. Data Privacy Framework (DPF) as certified by the U.S. Department of Commerce (verifiable at dataprivacyframework.gov). Supabase makes Standard Contractual Clauses (SCCs) available for transfers under its Data Processing Agreement. You may request a copy of applicable transfer safeguards by contacting [email protected].

We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our data practices. When we make material changes, we will update the effective date at the top of this page. Where the change is significant — particularly where it affects how we use personal information you have already provided — we will notify you via the email address associated with your account before the change takes effect.

Minor updates that do not materially affect your rights will be effective upon posting.

Your continued use of the Service after any update constitutes your acceptance of the revised Privacy Policy. If you do not agree to a material change, you may request deletion of your account and data before the change takes effect.

For privacy-related questions, requests, or concerns — including requests to access, correct, or delete your personal information — contact us at:

Quixotic Bravado LLC d/b/a Collectivus
[email protected]

We will acknowledge your request within a reasonable period and respond within the timeframe required by applicable law.