Privacy Policy
Project Springfield
Effective Date: August 10, 2025 | Last Updated: August 10, 2025
1. Introduction
This Privacy Policy explains how Project Springfield ("we," "our," or "us") collects, uses, and protects your personal information when you use our TSTO Server platform ("Service"). We are committed to protecting your privacy and ensuring transparency about our data practices.
Related Documents: This Privacy Policy should be read alongside our
Terms of Service, which governs use of the Service.
Policy Acceptance: By using the Service, you agree to the terms outlined in this Privacy Policy.
2. Information We Collect
Personal Information:
- Email Address: Required for account creation and authentication
- Display Name: Optional user-chosen display name
- IP Address: Automatically collected for security and legal compliance
- Authentication Tokens: Secure tokens for maintaining login sessions
Game Data:
- Town Save Files: Your Springfield town data and progress
- Currency Information: In-game currency amounts and items
- Friend Lists: Social connections within the game
- Avatar Images: Profile pictures you upload (subject to content moderation and 30-day upload limits for cost control)
Technical Data:
- Login Timestamps: When you access the service
- API Usage: Interactions with our server for functionality
- Error Logs: Technical issues for service improvement
- Content Moderation Logs: AI scanning results for uploaded images
3. Why We Collect Your Data
Transparency: We only collect data necessary for service operation and legal compliance.
| Data Type |
Purpose |
Legal Basis |
| Email Address |
Account authentication, password recovery, important notifications |
Contractual necessity |
| IP Address |
Security monitoring, abuse prevention, legal compliance |
Legitimate interest |
| Game Data |
Service functionality, save game preservation, social features |
Contractual necessity |
| Upload Content |
Content moderation, community safety, legal compliance |
Legal obligation |
| Display Name |
Personalization of user profile |
User consent |
| Avatar Images |
Optional visual representation, content moderation |
User consent |
| Usage Logs |
Service improvement, technical support, security monitoring |
Legitimate interest |
4. Automated Content Moderation
Important: All uploaded images are automatically scanned by AI for inappropriate content.
- AI Scanning: Google Vision API analyzes all uploaded images
- Content Filtering: Inappropriate content is automatically blocked
- Audit Logging: All uploads and moderation decisions are logged
- Legal Compliance: Logs may be shared with authorities if required
- No Human Review: Moderation is fully automated for privacy
Automated Decision-Making: Users are not subject to legal or significant effects from automated decision-making. All automated moderation is used solely for community safety and compliance purposes. If content is rejected, users may contact us for manual review.
5. Service Limitations & Cost Control
Cost Management: To maintain service sustainability and control operational costs, we implement usage limitations on certain features.
Profile Picture Upload Limits:
- Upload Frequency: Users may upload 1 profile picture every 30 days
- Cooldown Tracking: Upload timestamps are recorded to enforce this limit
- Cost Justification: This limit helps control AI moderation costs (Google Vision API)
- Dashboard Notification: Users can check their upload status on the dashboard
- Fair Usage: This ensures equitable access for all users while maintaining service quality
Upload Attempts: Attempting to upload during the cooldown period will result in rejection with a clear explanation of the remaining time.
Data Collected for Limitations:
- Last Upload Timestamp: When you last uploaded a profile picture
- Upload History: For audit and compliance purposes
- Rejection Logs: When uploads are blocked due to cooldown
6. Data Sharing
We do not sell, rent, or trade your personal information to third parties.
We may share data only in these limited circumstances:
- Legal Requirements: When required by law, court order, or government request
- Safety & Security: To protect users from harm or illegal activity
- Service Providers: With trusted partners who help operate our service (under strict confidentiality)
Data Processors:
Google Cloud Vision API: We use Google Cloud Vision API for automated image moderation. Google acts as a data processor under a strict Data Processing Agreement (DPA) in compliance with GDPR and UK GDPR. Google only processes image data for moderation purposes and does not retain or use this data for any other purpose.
7. Data Retention
- Active Accounts: Data retained while your account is active
- Inactive Accounts: Data may be retained for up to 2 years after last login. Inactive users may request deletion of their data at any time before the 2-year period.
- Legal Compliance: Some data retained longer for legal requirements
- Audit Logs: Security and moderation logs retained for 7 years
- Deleted Accounts: Personal data removed within 30 days of deletion request
8. Your Rights
You have important rights regarding your personal data.
You have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate or incomplete personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Limit how we process your personal data
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent where processing is based on consent
8. Data Deletion Requests
What happens when you request deletion:
- Verification: We verify your identity to protect your privacy
- Processing Time: Deletion completed within 30 days
- Account Closure: Your account will be permanently closed
- Data Removal: All personal data removed from active systems
- Legal Retention: Some data may be retained for legal compliance
- Confirmation: You'll receive confirmation when deletion is complete
9. Data Security
- Encryption: Data encrypted in transit and at rest
- Access Controls: Strict access controls and authentication
- Regular Audits: Security practices regularly reviewed
- Incident Response: Procedures in place for security breaches
- Staff Training: Personnel trained on data protection
10. Children's Privacy
Age Restriction: Users must be 18+ or have parental consent.
- We do not knowingly collect data from children under 13
- Users 13-17 must have verifiable parental consent
- Parents can request deletion of their child's data
- Special protections apply to users under 18
11. International Users
- Data is processed and stored in the United States via our secure cloud servers
- We ensure adequate protection regardless of location
- EU users have additional rights under GDPR
- California residents have rights under CCPA/CPRA
11a. California Consumer Privacy Act (CCPA) Notice
California Residents: We do not sell or share your personal information as defined under the California Consumer Privacy Act (CCPA). California residents may request to know what categories of data we collect and request deletion of their personal information as detailed above.
Data Categories Collected (Past 12 Months):
- Identifiers: Email addresses, display names, IP addresses
- Internet Activity: Login timestamps, API usage, error logs
- User-Generated Content: Avatar images, game data, town saves
- Technical Data: Authentication tokens, moderation logs
Do Not Sell or Share: We do not sell, rent, or share your personal information with third parties for monetary or other valuable consideration.
11b. Cookies and Tracking
- Session Cookies: Used for login persistence and authentication
- Local Storage: Stores user preferences and theme settings
- No Third-Party Trackers: We do not use advertising or analytics trackers
- Cookie Control: You can manage cookie preferences through your browser settings
- Essential Only: All cookies are essential for service functionality
12. Policy Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify users of significant changes through email or prominent notice on our service.
13. EU Representative
For EU Users: If you are located in the EU and wish to contact our EU representative for any privacy-related concerns under GDPR, please email:
[email protected] with "EU GDPR Inquiry" in the subject line.