PRIVACY POLICY / EFFECTIVE JULY 15, 2026
Private research stays private.
This policy covers Patchloop accounts, game and build records, playtests, private findings, release-room messages, safety records, and public credit.
Discord supplies basic account identity only. Patchloop stores the profile and workflow records a user deliberately creates, keeps private rooms scoped to authorized participants, discards provider tokens after identity verification, and exposes public credit only after the affected contributor opts in.
OUR COMMITMENTS
What the service collects
Account creation stores a Discord identifier and basic identity fields needed to recognize the account. OAuth requests the identify scope only; Patchloop does not request provider email, servers, posting, or direct-message access.
The service stores information users deliberately submit: work-profile fields, games, immutable build versions, missions, reservations, run timing and outcomes, structured findings, creator decisions, patch receipts, verification, scoped messages, preferences, connections, and safety actions. It also stores the account access state and the time of its latest operator change.
- Evidence can include URLs a tester deliberately attaches to a finding. Do not submit secrets or unrelated personal information.
- Private safety reports retain their category, detail, relevant room context, status, and timestamps for operator review. A suspension appeal stores the requester account, submitted detail, case status, review authority and time, and the response shown to that requester. The appeal record does not store an email address, IP address, or Discord provider identifier.
- The product does not ask for legal identity, exact date of birth, street address, or precise location.
Use and visibility
Account and playtest data powers authentication, matching, Signal accounting, assignments, release rooms, finding decisions, runbacks, safety review, and the user’s durable work history.
Private builds, findings, messages, reports, blocks, and claim evidence are not public feed content. A public Hall receipt or named contribution requires the affected contributor’s explicit approval and no unresolved safety hold.
- Creator questions may not request sensitive personal information.
- Unclaimed public source references are dated research records, not member profiles or endorsements.
- Clearing demo browser storage removes demo state but does not affect a real signed-in account.
Retention and security
Patchloop retains durable build, mission, finding, decision, verification, Signal, access-case, and safety audit records so the tested history cannot be silently rewritten. Access remains limited by account, role, room, and record scope. Operator suspension, appeal-review, and reinstatement records are append-only and include the acting authority, target, substantive note, and sequence. Appeal resolution does not reinstate an account.
OAuth state expires within minutes and provider access tokens are discarded after identity verification. Production data is protected through encrypted transport, restricted service access, and managed database backups.
- Leaving or blocking stops future access where applicable without deleting the user’s own authorized permanent history.
- Account suspension revokes existing browser and realtime sessions. Reinstatement permits a fresh sign-in but does not restore a revoked session.
- Report detail remains private to the reporter, authorized safety review, and any minimum disclosure required to resolve the incident.
- Do not place passwords, reusable keys, access tokens, or irreplaceable material in profiles, messages, or evidence URLs.
Your controls
The signed-in Profile and Settings views support profile correction, notification preferences, public-credit preferences, block review, and report-history review. Release rooms provide report, leave, and block actions.
Account export and deletion are not currently self-service. A legacy withdrawal form remains available only for applications submitted before public account creation opened.
- A matching legacy withdrawal scrubs the application email, private build URL, note, and contact consent while retaining a minimal anti-abuse audit record.
- A valid and invalid legacy withdrawal request receive the same generic response to avoid revealing stored data.
- Project ownership claims require a separate site, store, or manual verification; Discord identity alone is not proof of ownership.