Privacy Policy
Effective 2026-06-27
This Privacy Policy describes how AlphaZero Studios LLC (“we”, “us”) collects, uses, discloses, and protects personal information when you use our website, admin, or storefronts powered by our platform.
1. Information we collect
From merchants
- Account info: name, email, business name, billing address, payment method.
- Identity / KYC: when you enable payments, Stripe collects legal name, address, date of birth, last four of SSN/EIN, bank account, and supporting documents. We don't store these directly — they live in your Stripe Connect account.
- Usage data: pages visited, features used, AI prompts, error logs, IP, browser.
We use Plaid Inc. (“Plaid”) to verify your bank account information for payouts. By connecting your account, you grant us and Plaid the right to access and use that information per this Privacy Policy and Plaid's End User Privacy Policy.
From shoppers (acting as a processor on behalf of merchants)
- Order info: name, shipping/billing address, email, phone, items purchased, totals.
- Payment info: handled by Stripe; we receive only a token, brand, and last four.
- Browsing data: session cookies, cart contents, pages viewed on the storefront.
From visitors entering the Virtual World (identity & biometric verification)
Entering our immersive “Virtual World” (the walkable 3D mall and avatar experience) is optional. If you choose to enter it, we ask you to verify your identity first, to confirm you are a real, unique person and to keep the space free of bots and duplicate accounts. Ordinary (non-immersive) shopping does not require this.
- What is collected, and by whom: our verification provider, Stripe Identity (Stripe, Inc.), collects a photo of your government ID and a selfie that includes a biometric facial scan used to match you to the ID. This collection and the biometric matching are performed and stored by Stripe as our service provider — see Stripe's Privacy Policy and Identity documentation.
- What AlphaZero Studios LLC receives and stores: we do not receive or store your ID images, selfie, facial geometry, full date of birth, or ID/document numbers. We store only: (a) a pass/fail verification result; (b) a coarse age-threshold flag (e.g. “over 18/21”); (c) your verified name and address, which you may edit; and (d) a one-way, non-reversible hashed token used solely to detect and prevent one person creating multiple accounts.
- Purpose: confirming you are a real, unique human for Virtual World access, and preventing duplicate or fraudulent accounts. We use it for nothing else.
- Consent: we obtain your informed consent before verification begins. You may decline — you simply won't enter the Virtual World, and can continue to shop normally.
- Retention & destruction: biometric identifiers and images are retained and destroyed by Stripe under its policies and our data-processing terms; AlphaZero Studios LLC never holds them. The verification result and hashed token are kept while your account is active and deleted within 90 days of account deletion, and in any case any biometric-derived data is permanently destroyed when the verification purpose is satisfied or within 3 years of your last interaction with us, whichever occurs first.
- No sale or profit: we do not sell, lease, trade, or otherwise profit from biometric identifiers or biometric information, and we do not disclose them except to Stripe to perform the verification or where required by law.
2. How we use information
- To provide, operate, and improve the Service.
- To process payments and prevent fraud.
- To send transactional email (receipts, password resets, order updates).
- To send service announcements; marketing email only with your consent.
- To comply with legal obligations and enforce our Terms.
3. How we share information
- Service providers: Stripe (payments), Plaid (bank verification for payouts), Amazon SES (email), Cloudflare (CDN/edge), Hetzner (hosting), Anthropic/Google (AI). They process data on our behalf under contract.
- Merchants: shopper personal data is shared with the merchant operating the storefront — they're the controller for that data.
- Legal: when required by law, court order, or to protect rights/safety.
- Business transfers: as part of a merger, sale, or financing, subject to notice.
We don't sell personal data.
4. Cookies and similar tech
We use strictly necessary cookies (session, cart) and, with your consent where required, analytics cookies. You can disable cookies in your browser, but parts of the Service won't work without session cookies.
5. Data retention
We retain account data for the life of your account and for up to 7 years after termination for tax/audit purposes. Shopper data is retained per the merchant's instructions and applicable law. Backups are pruned within 90 days. Identity-verification data is retained and destroyed as described in the “identity & biometric verification” subsection of Section 1.
6. Security
We use industry-standard practices: TLS for data in transit, encryption at rest for sensitive fields, audit logging, least-privilege access, and regular vulnerability scanning. Card data is handled in SAQ-A scope — it never touches our servers.
7. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to processing or withdraw consent. You can exercise these by emailing privacy@alphazerostudios.com. For data we hold as a processor on behalf of a merchant, contact the merchant directly.
8. International transfers
We may transfer data to the United States and other countries. For EEA/UK transfers we rely on Standard Contractual Clauses and equivalent safeguards.
9. Children
The Service is not directed to children under 16, and we don't knowingly collect their personal data.
10. Connected social accounts
Some AlphaZero Studios LLC products let you connect your own third-party social media accounts — such as YouTube, TikTok, Instagram, Facebook, Threads, Pinterest, LinkedIn, Reddit, and X — so you can publish content you create to those accounts. Connecting an account is optional and is done through each platform's official OAuth sign-in.
What we access and store
- Authorization tokens: when you connect an account we receive and store the OAuth access and refresh tokens that let us act on your behalf for the permissions you grant. We never receive or store your social-account password.
- Account details: basic profile and channel/page information the platform returns (such as account name, handle, and id) so we can show you which account is connected and route your posts to it.
- Content you choose to publish: the videos, images, captions, titles, and tags you submit for publishing.
How we use it
- To publish or schedule the content you choose, to the connected accounts you choose, on your behalf.
- To show the connection status of your accounts and the status of your posts.
We use this access only to provide the publishing features you request. When you publish, the content and metadata you provide are transmitted to the relevant platform through its API; your use of each platform is governed by that platform's own terms and privacy policy (for example Google/YouTube, Meta/Facebook/Instagram/Threads, TikTok, Pinterest, LinkedIn, Reddit, and X). Our access to and use of information received from these platforms complies with their developer and platform policies, including the Google API Services User Data Policy (including its Limited Use requirements) and the Meta, TikTok, and other applicable platform developer terms.
Disconnecting
You can disconnect a social account at any time from within the product, which deletes the tokens we hold for that account. You can also revoke our access directly from the social platform's own app or security settings.
11. Changes
We'll update this policy and post the new effective date. Material changes will be flagged via email or in-product banner.
12. Contact
privacy@alphazerostudios.com
AlphaZero Studios LLC
6538 W 64th Pl, Chicago, IL 60638, USA