Untitled Sandbox

Privacy Policy

Last updated: 8 April 2026


This Privacy Policy explains what information Untitled Sandbox collects from you, how we use it, and your rights regarding that data. We've written it in plain language because most of our users are teenagers and young adults, and everyone deserves to understand exactly what happens with their data.

Note: Untitled Sandbox is a small, independently operated community platform based in Europe. We are not a registered legal corporation. This policy represents our genuine, best-effort commitment to your privacy. If you have questions or concerns, please contact us at untitled-support@unsbx.org.

1. Who We Are

Untitled Sandbox (also referred to as "USBX," "we," "us," or "our") is a 3D sandbox platform where users can create, customise, and trade virtual items, interact in forums, and join clubs. The platform is operated by an individual based in Europe, European Union.

Because we are based in the EU, the General Data Protection Regulation (GDPR) applies to how we handle your personal data. We take that seriously.

Contact for privacy matters:

untitled-support@unsbx.org

2. Age Requirements

You must be at least 13 years of age to create an account on this Platform. During registration, you are required to provide your date of birth. If your date of birth indicates you are under 13, your registration will be automatically prevented.

We do not intentionally direct the Platform at children under 13 (United States) or under 16 (European Union). If we become aware that we have collected personal data from a child below these thresholds without appropriate consent, we will take steps to delete that data promptly.

Note for users in the EU aged 13–15: Europe's age of digital consent is 14. If you are between 13 and 14 and located in Europe, or between 13 and 16 in other EU member states with higher age thresholds, you may technically require parental consent under local law. As a small, independent platform we are not in a position to verify parental consent at this time. If you are a parent and have concerns, please contact us at untitled-support@unsbx.org.

3. Information We Collect

We only collect information that is necessary to operate the platform. Here is exactly what we store:

3.1 Account Information

  • Username — your display name (max 20 characters). All past usernames are retained in a history log and are visible to any user on your profile.
  • Password — stored as a secure one-way hash using Argon2, a memory-hard algorithm resistant to brute-force attacks. We never store or see your actual password.
  • Date of birth — used solely to verify that you meet the minimum age requirement of 13. It is not shown publicly.
  • Email address (planned feature, not yet implemented). When introduced, email will be used exclusively for account recovery and security purposes. We will never use it for marketing.

3.2 Profile Information

  • Bio and blurb — short descriptions you write about yourself (500 and 150 characters respectively). These are public.
  • Avatar and headshot images — image URLs pointing to files you upload to our storage system.
  • Privacy settings — your choices for who can view your profile, creations, and inventory (Everyone, Friends, or Just Me).
  • Avatar customisation data — equipped items, limb colours, outfits, and drafts you save in the avatar editor.

3.3 Social and Community Data

  • Followers and friends — who follows you and your friendship relationships (including pending requests and their status).
  • Forum posts, replies, and reactions — everything you write in the forums, including edit history. Post and reply edits are permanently stored and are publicly visible to all users, not just administrators.
  • Upvotes and emoji reactions — which posts and replies you have upvoted or reacted to.
  • Marketplace comments — comments you post on item listings.
  • Club activity — club membership, roles, announcements, and feed posts. Your membership history is retained even after you leave a club.

3.4 Marketplace and Economy Data

  • Purchase receipts — a permanent, immutable record of all item purchases, including price at time of purchase, currency used, and timestamps. These records exist for platform integrity and cannot be deleted.
  • Bank transaction ledger — a full audit trail of all virtual currency movements (purchases, rewards, refunds, admin adjustments, resale activity). This is permanent and cannot be deleted.
  • Inventory — items you own, including which serial number you hold, how you acquired each item, and any folders or PIN-protected vaults you organise them into. Vault PINs are hashed with Argon2.
  • Resale listings — items you list for resale, including asking price, sale status, and buyer/seller information.

3.5 Reward and Engagement Data

  • Daily reward progress — your current streak, longest streak, last claim time, and a log of every reward you have claimed.

3.6 Moderation Records

  • Warnings and bans — if you receive a moderation action, we store the type of action, reason, notes, timestamps, and acknowledgement status. These are clearly disclosed to you through an explicit acknowledgement flow (including two checkboxes and a confirmation button) before you can continue using the platform.

3.7 Data Collected Automatically

  • IP address — we do not store IP addresses in our own database. However, our infrastructure providers (Railway and Cloudflare) may log IPs as part of their standard server and network operations — see Section 6.
  • Basic analytics data — collected via Umami, a privacy-focused analytics tool that does not use cookies, does not collect personally identifiable information, and does not track individuals across sites.

3.8 Data We Do Not Collect

  • Browser or device information — not stored.
  • Location data — we do not track where you are.
  • Real payment information — all currency on the platform is virtual. We do not currently process real-money transactions. If real payments are introduced in the future, this policy will be updated before launch.
  • Marketing data — we do not run advertising and do not collect data for advertising purposes.

4. How We Use Your Information

We use the information we collect only to operate and improve the platform:

  • Operating the platform — providing access to your account, inventory, forums, clubs, and the marketplace.
  • Age verification — your date of birth is checked at registration to prevent users under 13 from creating accounts.
  • Account security — detecting and limiting brute-force login attempts, managing session validity, and protecting against cross-site request forgery.
  • Platform integrity — maintaining accurate records of virtual economy transactions so that ownership, purchase history, and balances cannot be manipulated or disputed.
  • Moderation and safety — enforcing our community rules, issuing warnings and bans, and maintaining an internal audit trail of administrator actions. All uploaded images and assets are reviewed by administrators before publication.
  • Displaying your content — making your profile, avatar, forum posts, and created items visible to other users according to your privacy settings.
  • Bot and spam prevention — Cloudflare Turnstile (a CAPTCHA alternative) is used during registration and other sensitive flows to verify that you are human.
  • Understanding usage trends — through privacy-respecting, cookieless analytics (Umami).

We do not sell your data, use it for advertising, or share it with any marketing services.

4.1 Legal Basis for Processing (GDPR)

For users in the European Economic Area and the United Kingdom, our legal bases for processing are:

  • Contract: Processing necessary to provide the Platform and its services to you as a registered user.
  • Legitimate interest: Platform security, abuse prevention, moderation, analytics, and maintaining the integrity of the virtual economy.
  • Legal obligation: Compliance with applicable laws, including responding to lawful requests.

5. Cookies and Similar Technologies

We use a minimal set of cookies — only what is strictly necessary to run the platform securely. We do not use advertising or tracking cookies.

| Cookie | Purpose | Duration | Essential? |
| --- | --- | --- | --- |
| auth | Keeps you logged in. Contains a signed JSON Web Token that identifies your session. Marked HttpOnly so it cannot be read by JavaScript. | 7 days | Yes |
| _csrf | Protects against Cross-Site Request Forgery (CSRF) attacks. Required for any action that modifies data. Marked HttpOnly. | Session | Yes |
| maintenance_bypass | Allows authorised staff to access the site during maintenance mode. Only set when a valid maintenance bypass key is entered. | Session | Yes |

All cookies are set with SameSite=Lax and Secure attributes in production, meaning they are only sent over HTTPS and are protected against most cross-site attacks.

We use Cloudflare Turnstile as a bot-protection mechanism during certain interactions. Cloudflare may set its own strictly necessary cookies to perform this function. For details, refer to Cloudflare's Privacy Policy.

6. Third-Party Services

Running a platform requires a small number of third-party providers. We do not sell, rent, or trade your personal data. Here is each provider we use, what they receive, and why:

Cloudflare

We use Cloudflare for our domain, to protect and proxy traffic to our servers, to store uploaded files (Cloudflare R2), and to verify that users are human (Cloudflare Turnstile). Because Cloudflare acts as a proxy between you and our servers, your IP address and request metadata pass through their network and are subject to Cloudflare's Privacy Policy.

Railway

Our backend application and database (MySQL) are hosted on Railway. As a hosting provider, Railway processes server-side request logs which include IP addresses. We are not in control of Railway's internal data retention period; their practices are governed by Railway's Privacy Policy.

Umami Analytics

We use Umami to understand general platform usage (e.g., which pages are visited). Umami is a privacy-friendly analytics tool that does not use cookies and does not collect personally identifiable information. No data is shared with advertising networks. See Umami's Privacy Policy.

Future: Real-Money Payment Processors

We are planning to introduce optional real-money purchases. When this happens, we intend to use a payment processor such as Stripe or Lemon Squeezy. Payment processors handle your financial details directly and under their own data processing agreements; we would never receive or store raw card numbers. This policy will be updated with full details before any payment feature launches.

Beyond the above, we do not share your personal data with any other third parties.

7. Content Uploads and Moderation

Pre-Publication Review

All images and assets uploaded to the Platform undergo administrative review before they are made available. This includes avatar images, headshot images, and 3D assets submitted by asset creators. No user-uploaded content is published without prior moderation.

File Storage

Uploaded files are stored on Cloudflare R2. Files use randomised, hashed filenames and are not listed publicly, but any user who has the direct URL can access the file. There is no additional access control layer. Since all stored files consist exclusively of non-sensitive content such as textures and 3D models (all of which have been reviewed by administrators), this does not constitute a disclosure of personal data.

Content You Post

Forum posts, replies, club posts, and marketplace comments you create are stored on our servers. If you delete a post, it is soft-deleted (hidden from public view) but the record is retained in our database for moderation and audit purposes. Edit history for forum posts and replies is permanently stored and visible to all users.

8. Content Ownership

Ownership of Renders

Rendered item preview images generated by Untitled Sandbox's rendering pipeline are the exclusive property of Untitled Sandbox.

Ownership of Creator Assets

Original item assets created and uploaded by asset creators (wearables, limbs, and other user-created content) remain the intellectual property of the creator. By uploading content to the platform, you grant Untitled Sandbox a non-exclusive licence to display, host, and distribute that content to users on the platform. Creators may request removal of their assets from the platform with a minimum 14-day notice period, as specified in the Contributors Agreement.

User-Created Clothing

Shirts, pants, and similar user-created clothing items are subject to separate terms outlined in the Platform's Terms of Service.

9. Publicly Visible Information

Certain information on the Platform is visible to all users by design:

  • Your username, display name, avatar, headshot, and profile biography.
  • Forum posts, comments, and other content you publish.
  • Your complete edit history on forum posts and replies.
  • Your username change history.

You should be aware that any content you post or any username you choose may remain publicly visible in its historical form even after changes are made.

10. Data Retention

Active Accounts

Data is retained for as long as your account exists and is active.

Inactive Accounts

We currently retain inactive account data indefinitely. We do not automatically delete accounts due to inactivity. This policy may change in the future, and we will notify users if it does.

Account Deletion

If you request deletion of your account, we apply a selective anonymisation process:

  • Your username is scrubbed and replaced with an anonymised identifier.
  • All forum posts and replies are anonymised (content removed, author replaced) and hidden from public view.
  • Profile information (bio, avatar, headshot) is removed.

To request account deletion, email us at untitled-support@unsbx.org or submit a request via our Discord server.

Permanently Retained Records

The following records are permanent and cannot be deleted, even upon account deletion, because they are essential for the integrity of the virtual economy:

  • Purchase receipts — anonymised if the account is deleted.
  • Bank transaction ledger entries — anonymised if the account is deleted.

Moderation Records

Moderation records (warnings, bans, reasons) are retained indefinitely for platform integrity purposes.

Server Logs

Server logs held by Railway and Cloudflare are subject to those providers' own data retention policies.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right to Access

You can request a copy of the personal data we hold about you.

Right to Rectification

If any data we hold about you is inaccurate, you can ask us to correct it. You can update most profile data directly in your account settings.

Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and personal data, subject to the retention exceptions described in Section 10 (economy records required for platform integrity).

Right to Data Portability

You can request an export of your personal data in a commonly used, readable format.

Right to Object

You can object to certain processing of your data. Because we do not use your data for marketing or profiling, this is unlikely to arise in practice.

Right to Restriction

You may request that we restrict processing of your data in certain circumstances.

Right to Lodge a Complaint

If you believe we have mishandled your data, you have the right to lodge a complaint with the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD) at aepd.es.

To exercise any of these rights, email us at untitled-support@unsbx.org or submit a request via our Discord server. We will respond to verified requests within 30 days (or within any shorter period required by applicable law).

12. Security

We take reasonable technical measures to protect your data:

  • Passwords are hashed with Argon2, a memory-hard algorithm resistant to brute-force attacks. Inventory vault PINs are also hashed with Argon2.
  • Session tokens (JWT) are signed and validated server-side. Sessions can be remotely invalidated by staff in the event of a compromise.
  • CSRF tokens protect all data-modifying requests.
  • All connections to the platform use HTTPS.
  • Cookies are set with HttpOnly, Secure, and SameSite=Lax.
  • All uploaded content is reviewed by administrators before publication.
  • Administrative actions are logged for internal auditing.

While we take security seriously, no system is completely immune to risk. We have an internal data breach response process. In the event of a breach that affects your personal data, we will notify affected users and, where required by law, the relevant supervisory authority within 72 hours, in accordance with GDPR requirements.

Responsible Disclosure

We operate a responsible disclosure (bug bounty) policy. If you discover a security vulnerability, please report it to us at untitled-support@unsbx.org before disclosing it publicly.

13. International Users

The Platform is operated from Europe (European Union). If you access the Platform from outside the EU, please be aware that your data may be transferred to and processed in the EU. By using the Platform, you consent to this transfer. We do not knowingly transfer personal data outside the European Economic Area without appropriate safeguards.

14. Future Payment Processing

We intend to introduce optional real-money purchases in the future. When this occurs, we will update this Privacy Policy to disclose the payment processor(s) used, the financial data collected, and the purposes for which it is processed. No financial data will be collected until this policy has been updated and users have been notified.

15. Changes to This Policy

We may update this Privacy Policy from time to time, particularly as new features are introduced (such as email verification or real-money payments). When we make significant changes, we will update the "Last updated" date at the top of this page. For changes that materially affect how we handle your data, we will make reasonable efforts to notify active users. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.

16. Contact Us

If you have any questions about this Privacy Policy, want to exercise your rights, or want to report a concern, please reach out:

Untitled Sandbox

Email: untitled-support@unsbx.org

Based in Europe, European Union
