Privacy Policy
Last updated: March 15, 2026
1. Who We Are
BsAP (Build Share And Play) is a digital museum and game platform for toy builders, primarily focused on LEGO creations. We operate the website www.bsaplay.com. Our platform allows users to upload photos of their builds, display them in a virtual museum, unlock game content, and donate sets to other builders.
BsAP is committed to protecting the privacy of all our users, with particular attention to the privacy and safety of children. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.
2. Data We Collect
2.1 Account Data
When you register for an account, we collect:
- Email address (for authentication and communication)
- Full name
- Display name (shown publicly in the museum and game)
- Country of residence
- Date of birth (to verify age and ensure COPPA compliance)
2.2 Exhibition Data
When you upload builds to the virtual museum, we collect:
- Photos of LEGO builds that you upload
- LEGO set information (set number, name, theme, piece count)
- Descriptions and titles you provide for your exhibits
- Upload timestamps and exhibition metadata
2.3 Game Data
As you participate in the game features, we track:
- Experience points (XP) and level progression
- Unlocked content and achievements
- Awards earned (Medals, Trophies, Statues)
2.4 Donation Data
If you participate in our set donation program, we additionally collect:
- Shipping addresses (for sending and receiving donated sets)
- Age verification information
- Theme and set preferences (for matching donors and recipients)
3. How We Use Your Data
We use your personal data for the following purposes:
- Museum Display: Showing your builds in the public virtual museum, associated with your display name
- Game Progression: Calculating XP, levels, and unlocking content based on your activity
- Donation Matching: Using our matching algorithm to connect donors with recipients based on theme preferences, geographic proximity, and queue fairness
- AI Illustrations: Generating artistic illustrations of your builds using AI services. Only set names are shared with the illustration provider; no personal data is transmitted
- Account Management: Authentication, password resets, and communication about your account
- Platform Improvement: Analyzing usage patterns to improve the user experience (in aggregate, not individually)
4. Third-Party Services
We use the following third-party services to operate BsAP. Each service receives only the minimum data necessary for its function:
Supabase (Database and Authentication)
Hosts our database and handles user authentication. Your account data, exhibition data, and game data are stored on Supabase servers in the United States. Supabase implements industry-standard security measures including encryption at rest and in transit.
Pollinations.ai (AI Illustration Generation)
Generates artistic illustrations based on your LEGO builds. We share only set names and descriptions with this service. No personal data, photos, or account information is transmitted to Pollinations.ai.
Rebrickable (LEGO Set Data Lookup)
Provides LEGO set information (name, theme, piece count, images) when you enter a set number. Only set numbers are shared with Rebrickable. No personal data is transmitted.
Vercel (Hosting)
Hosts the BsAP website. Vercel may collect standard web server logs including IP addresses, browser type, and pages visited. Refer to Vercel's Privacy Policy for details.
5. COPPA Compliance (Children Under 13)
BsAP complies with the Children's Online Privacy Protection Act (COPPA). We take the following measures to protect children's privacy:
- Adult Registration Required: Account registration on BsAP requires users to be at least 18 years of age. Only adults (parents or guardians) may create accounts.
- Parental Consent: For any features that may involve minors (such as children using the platform under parental supervision), we require verifiable parental consent before collecting any personal information from children under 13.
- No Direct Data Collection from Children: We do not knowingly collect personal information directly from children under the age of 13 without verifiable parental consent.
- No Chat or Messaging: BsAP does not include any chat, messaging, or direct communication features between users, further protecting children from potential risks.
- Parental Rights: Parents or guardians may review, delete, or refuse further collection of their child's information at any time by contacting us at privacy@bsaplay.com.
If we discover that we have collected personal information from a child under 13 without proper parental consent, we will promptly delete that information.
6. Your Rights Under GDPR (EU Users)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request that we correct any inaccurate or incomplete personal data.
- Right to Erasure: You may request that we delete your personal data (subject to certain legal obligations).
- Right to Data Portability: You may request a machine-readable copy of your data to transfer to another service.
- Right to Restrict Processing: You may request that we limit the processing of your personal data.
- Right to Object: You may object to the processing of your personal data for certain purposes.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time.
To exercise any of these rights, please contact us at privacy@bsaplay.com. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection authority.
7. Israeli Privacy Protection Law
In accordance with the Israeli Privacy Protection Law, 5741-1981 and its regulations:
- You are not legally required to provide us with personal information; you do so voluntarily and with your consent.
- You have the right to access your personal data and request its correction or deletion.
- We maintain our database in compliance with applicable Israeli data protection requirements.
- Your data may be transferred outside of Israel (to the United States) for the purpose of operating the platform, as described in Section 11 below.
8. Data Retention
We retain your personal data as follows:
- Account Data: Retained for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law.
- Exhibition Data: Photos and set information are retained for as long as your account is active. Upon account deletion, your exhibits will be removed from the public museum.
- Game Data: XP, levels, and achievement data are retained for as long as your account is active.
- Donation Records: Donation transaction records may be retained for up to 3 years after completion for dispute resolution and legal compliance purposes. Shipping addresses are deleted within 30 days of successful delivery.
- Server Logs: Standard web server logs are retained for up to 90 days.
9. Cookies and Local Storage
BsAP uses minimal cookies and browser storage:
- Authentication Cookies: Session cookies are used to keep you logged in. These are essential for the platform to function and cannot be disabled.
- Local Storage: We use browser local storage to store parental consent records (COPPA compliance) and user preferences. This data stays on your device and is not transmitted to our servers.
We do not use any tracking cookies, advertising cookies, or third-party analytics cookies.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption: All data is encrypted in transit using TLS/SSL and at rest on our database servers.
- Row-Level Security (RLS): Our database implements row-level security policies ensuring that users can only access their own data, while museum exhibits are publicly readable.
- Secure File Storage: Uploaded photos are stored in a secure cloud storage bucket with access controls.
- Authentication: We use industry-standard authentication provided by Supabase, including secure password hashing and session management.
- Service Role Separation: Our API routes use a separate service role key that is never exposed to the client, ensuring server-side operations are performed securely.
11. International Data Transfers
Your personal data is stored and processed in the United States through our use of Supabase and Vercel. If you are accessing BsAP from outside the United States (including the EU or Israel), please be aware that your data will be transferred to, stored, and processed in the United States.
For EU users: These transfers are conducted in compliance with GDPR requirements. We rely on the service providers' appropriate safeguards (including Standard Contractual Clauses where applicable) to ensure your data is protected.
12. Children's Privacy
Protecting children's privacy is especially important to us. BsAP is designed as a family-friendly platform with the following safeguards:
- Only adults (18+) may register accounts. Children may use the platform only under direct parental or guardian supervision using the parent's account.
- We do not knowingly collect personal information from children under 13 without verifiable parental consent, in compliance with COPPA.
- The platform does not include any social features (chat, messaging, forums) that could expose children to contact from other users.
- Photos uploaded to the museum display LEGO builds only. We encourage users not to include people (especially children) in uploaded photos.
- If you believe we have inadvertently collected information from a child under 13, please contact us immediately at privacy@bsaplay.com and we will promptly delete the information.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your information is handled, please contact us:
Email: privacy@bsaplay.com
Website: www.bsaplay.com
We aim to respond to all privacy-related inquiries within 30 days.
14. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email for significant changes
- Obtain fresh consent where required by law (particularly for changes affecting children's data processing)
Your continued use of BsAP after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

