Arena
Privacy Policy — Last updated: March 21, 2026
Carved in Stone: Arena ("Arena", "the game", "we", "us") is developed by an individual developer. This policy explains what data we collect, how we use it, and your rights regarding that data.
1. Information We Collect
Account Data
When you create an account, we collect:
- Username (chosen by you)
- Email address (for verification and password resets)
- Password (securely hashed — we never store or see your plaintext password)
- Account creation timestamp
- Last login timestamp
Security Data
To protect your account, we temporarily store:
- Failed login attempt count (reset after the lockout period)
- IP address associated with your login session
- User agent string (browser/client identifier) associated with your login session
This data is stored alongside your refresh token and deleted when the token expires.
Game Data
When you play, the game server stores:
- Character names, stats, and inventory
- Character position and game state
- Chat messages sent in-game (retained for moderation purposes)
Third-Party Platform Data
If you link a third-party account (such as Steam or Epic Games), we store:
- Your platform-specific user ID (e.g., Steam ID)
- The link status between your Arena account and the third-party account
We do not access your friends lists, purchase history, or any other data from these platforms. You can unlink a third-party account at any time by contacting us.
What We Do Not Collect
- We do not use analytics or tracking services (no Google Analytics or similar)
- We do not use advertising
- We do not currently process payments
- We do not use tracking cookies
2. How We Use Your Information
We use the data we collect for the following purposes:
- Authentication: To verify your identity when you log in
- Email verification: To confirm ownership of your email address
- Password resets: To send password reset links when requested
- Account security: To detect and prevent unauthorized access (login attempt tracking, IP logging)
- Game functionality: To save your progress and enable gameplay
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3. Data Storage & Security
We take the security of your data seriously:
- Passwords are securely hashed using industry-standard algorithms. We never store plaintext passwords.
- All connections between your client and our servers use HTTPS/TLS encryption.
- Refresh tokens are cryptographically generated and stored server-side.
- Access tokens are short-lived and not stored on the server.
While we implement reasonable security measures, no system is perfectly secure. We encourage you to use a strong, unique password for your account.
4. Third-Party Services
We use a limited number of third-party services to operate:
- Resend (transactional email) — processes your email address to deliver verification and password reset emails. Resend Privacy Policy
- Cloudflare (CDN and DNS) — routes web traffic and may log IP addresses as part of standard operations. Cloudflare Privacy Policy
- Hetzner (server hosting) — hosts our servers. Standard server access logs may include IP addresses. Hetzner Privacy Policy
- UptimeRobot (uptime monitoring) — pings our service endpoints to check availability. It does not receive or process any user data.
5. Data Retention
- Refresh tokens: Expire and are deleted after 30 days. Associated IP and user agent data is deleted with the token.
- Failed login attempts: The counter resets automatically after the lockout period.
- Account data: Retained for as long as your account exists.
- Account deletion: When you request account deletion, your account enters a 30-day grace period during which you can cancel the deletion. After 30 days, your account and associated data are permanently deleted.
6. Your Rights
Under the General Data Protection Regulation (GDPR) and similar laws, you have the following rights:
- Right to access: You can request a copy of all data we hold about you.
- Right to deletion: You can request deletion of your account. Your account enters a 30-day grace period before permanent deletion.
- Right to cancel deletion: During the 30-day grace period, you can request restoration of your account.
- Right to rectification: You can request updates to your email or other account information.
- Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority.
To exercise any of these rights, contact us at support@stones-online.com.
7. Cookies & Local Storage
We do not use cookies. The game launcher stores authentication tokens locally on your device to keep you logged in. These tokens are not used for tracking and contain no personal information. You can clear them at any time by logging out.
8. Children's Privacy
Arena is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete the account and associated data promptly. If you believe a child under 13 has created an account, please contact us at support@stones-online.com.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Your continued use of Arena after changes are posted constitutes acceptance of the updated policy.
10. Contact
If you have questions about this Privacy Policy or your personal data, contact us at: