← back

Privacy Policy

Last updated: 19 April 2026

1. Who we are

Drone Foundry (“we”, “us”, the “Service”) is a free-to-play browser game operated by Marin Brouwers, based in Staden, West-Vlaanderen, Belgium. For privacy-related questions you can reach us at marinbrouwers@hotmail.com.

We are the “data controller” for the personal data described below, as defined by the EU General Data Protection Regulation (GDPR) and the Belgian Data Protection Act of 30 July 2018.

2. What we collect

When you create an account and use the Service, we collect:

  • Email address — to create your account, send you password-reset links, and (if we ever need to) contact you about the Service.
  • Username — chosen by you, shown on leaderboards and next to your in-game posts.
  • Game data — drones you own, components, credits, race entries and results, market activity, hangar posts. This is stored against your account.
  • Technical data — IP address, browser type, and timestamps are processed by our hosting providers (Vercel, Supabase) for security, abuse prevention, and service delivery. We do not use this data to profile you.
  • Cookies / local storage — see section 7 below.

We do not collect any special categories of personal data (health, politics, religion, etc.). We do not ask for payment information — the game is currently free.

3. Why we process it (purpose & legal basis)

  • Running your account and the game — legal basis: performance of a contract (our Terms of Service) under GDPR Art. 6(1)(b).
  • Keeping the Service secure (rate limiting, abuse detection, logs) — legal basis: legitimate interest under GDPR Art. 6(1)(f).
  • Complying with law (responding to valid legal requests, tax, fraud investigations) — legal basis: legal obligation under GDPR Art. 6(1)(c).

4. Who we share it with

We do not sell your personal data. We share it only with the service providers (“processors”) strictly needed to run the Service:

  • Vercel Inc. — hosts the web application (servers and CDN) and provides Vercel Web Analytics and Speed Insights: privacy-friendly, cookieless aggregate page-view and performance measurements that do not identify individual users or track them across sites. EU/US data transfers rely on Standard Contractual Clauses and Vercel’s EU-US Data Privacy Framework certification.
  • Supabase Inc.— hosts our database and authentication. Your account email and hashed password are stored by Supabase on our behalf. EU/US data transfers rely on Standard Contractual Clauses and Supabase’s EU-US Data Privacy Framework certification.

Both providers are contractually bound (Data Processing Agreements) to process your data only on our instructions and to keep it secure.

5. How long we keep it

  • Account data — kept as long as your account exists. If you delete your account (by emailing us), we erase your personal data within 30 days, except data we must keep for legal reasons.
  • Server logs — kept for up to 90 days for security purposes, then deleted.
  • Backups — may contain your data for up to 30 additional days after account deletion, after which they roll over.

6. Your rights (GDPR)

Under GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Request erasure of your data (“right to be forgotten”).
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time, where consent is the legal basis.

To exercise any of these, email marinbrouwers@hotmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) at gegevensbeschermingsautoriteit.be.

7. Cookies & local storage

We use a small number of strictly necessary storage items. These do not require your consent under Belgian/EU law because they are essential to make the Service work:

  • Authentication cookies (set by Supabase) — keep you signed in.
  • df-remembercookie — remembers your “remember me” preference.
  • localStorage — stores your tutorial-completed flag and UI preferences.

We use Vercel Web Analytics and Vercel Speed Insights for aggregate page-view counts and page-load performance measurements. Neither sets cookies, identifies individual users, nor tracks you across websites — they rely on legitimate interest under GDPR Art. 6(1)(f). We do not use advertising or third-party tracking cookies. If that ever changes we will ask for your consent first.

8. Children

The Service is not directed at children under 16. Under Belgian law, children under 16 need verifiable consent from a parent or legal guardian before their personal data can be processed on the basis of consent. We do not knowingly collect personal data from children under 16 without such consent. If you are under 16, please do not create an account. If we learn that we have collected data from someone under 16 without the required parental authorisation, we will delete it without undue delay.

9. Security

We protect your data with industry-standard measures: HTTPS everywhere, hashed passwords, scoped database access, rate limiting, and backups. No system is perfectly secure, but we take it seriously. If a breach affects your data, we will notify you and the Belgian Data Protection Authority as required by GDPR Art. 33–34.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced in-game or by email. The “Last updated” date at the top tells you when the current version took effect.