Privacy Policy
Last updated: April 2026
This Privacy Policy explains what limited information we collect when you use RetroGameSpace (the "Service") at retrogamespace.com, why we collect it, how long we keep it, and the rights you have over it. The policy is written to comply with the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act / CPRA (CCPA), and the Personal Information Protection Law of the People's Republic of China (PIPL). Where these laws give you more rights than the others, the most-protective right applies.
Data Controller
RetroGameSpace is operated by an independent individual ("we" / "us") and runs on a third-party global edge-compute infrastructure provider. We do not maintain a physical office that accepts service of process; the only contact channel for privacy questions, data-subject requests, and other legal correspondence is the email address listed in the Contact section below.
Information We Collect
We collect the absolute minimum required to run the Service: (a) request metadata that any web server records (IP address, User-Agent, referrer, requested URL, timestamp) — kept only transiently in our infrastructure provider's edge logs; (b) anonymous, aggregate event counters (page views, ROM load attempts, search terms) used purely to keep the catalogue working; (c) if you create an admin account, a username and a hashed password; (d) if you opt in to cloud save sync, the encrypted save blobs you push to us. We do not collect government IDs, payment data, precise geolocation, biometric data, or any "special category" data under GDPR Art. 9 / sensitive data under PIPL Art. 28.
Legal Basis for Processing
Under GDPR Art. 6(1)(f), our legal basis for processing request metadata and anonymous analytics is our legitimate interest in operating, securing, and improving the Service, balanced against the minimal nature of the data involved. Under Art. 6(1)(b), processing of admin-account data and cloud-save data is necessary for the performance of a contract you enter into when you create an account. Under PIPL Art. 13, the same processing is performed under the equivalent legal bases of "necessary for entering into or performing a contract" and "reasonably necessary for handling public information that you have voluntarily disclosed".
Local Storage on Your Device
Game save states, BIOS files (where applicable), and a transient ROM cache are stored entirely in your browser's IndexedDB. They never leave your device unless you explicitly opt in to the optional cloud save sync feature. Clearing your browser site data deletes all of this immediately.
Cookies
We set only essential cookies: a language preference cookie ("lang", lifetime ~1 year) and, if you log into the admin panel, a session cookie ("admin_session", lifetime 7 days, HttpOnly + Secure). No advertising cookies, no cross-site tracking pixels, no third-party analytics tags are used. Under GDPR Recital 30 and the CNIL "strictly necessary" guidance, no consent banner is required for these cookies.
Analytics
We use a privacy-preserving web analytics product that does not set cookies, does not fingerprint visitors, and does not track users across sites. Aggregate event counters (e.g. how many people opened a particular game page) are written to our infrastructure provider's analytics datastore. No personally identifiable information is collected through analytics.
Service Providers (Sub-Processors)
The Service runs on a third-party global infrastructure provider acting as our data processor (covering edge compute, key-value storage, relational database, object storage, and aggregate analytics). The identity of that provider is disclosed on written request to the address in the Contact section. ROMs and game assets are fetched on demand from publicly accessible third-party archives, primarily the Internet Archive (archive.org). Search Console statistics shown in the admin dashboard are pulled from Google Search Console using a service-account credential we control. We do not sell your data to anyone, in any jurisdiction.
International Data Transfers
Our infrastructure provider operates a global edge network, so request metadata may be processed in whichever region is closest to you. The provider publishes Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) and participates in approved cross-border data-transfer frameworks (including the EU-US Data Privacy Framework). For PIPL data exports, we rely on the "necessary for performance of a contract" basis under Art. 38(1)(3).
Data Retention
Edge access logs: rolling 24 hours at the edge, up to 30 days for sampled retention by our infrastructure provider. Aggregate analytics counters: 90-day rolling window. Admin account records: until the account is deleted, plus 30 days for backup expiry. Cloud-save blobs: until you delete them, or until 12 months of inactivity, whichever comes first. DMCA notices and counter-notices: kept for the longer of 7 years or the duration of any related dispute, as required by 17 U.S.C. § 512.
Your Rights
Depending on your jurisdiction, you have the right to (a) request access to the personal data we hold about you, (b) request correction or deletion, (c) request a portable export, (d) object to or restrict processing based on our legitimate interest, (e) withdraw any consent you have given, (f) opt out of any "sale" or "sharing" of personal information (we do not engage in either), (g) lodge a complaint with your local Data Protection Authority — for EU/UK residents your local DPA, for California residents the California Privacy Protection Agency, for PRC residents the Cyberspace Administration of China. To exercise any of these rights email the address in the Contact section. We will respond within 30 days (GDPR Art. 12(3)) or 45 days (CCPA § 1798.130).
Children
The Service is not directed at and not intended for children under the age of 13 (or 14 in jurisdictions where that is the local age of digital consent). We do not knowingly collect personal information from children under that age. If you are a parent or guardian and believe a child has provided us with personal data, please contact us and we will delete the data immediately.
Data Breach Notification
If a personal data breach occurs that is likely to result in a risk to the rights and freedoms of affected users, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33) and the affected users without undue delay (GDPR Art. 34, CCPA § 1798.82, PIPL Art. 57).
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced by a banner on the homepage at least 30 days before they take effect, and the "Last updated" date at the top of this page will reflect the change.
Contact
For any privacy-related inquiry, including data-subject requests under GDPR / CCPA / PIPL, write to abuse@retrogamespace.com. Please put the words "Privacy Request" in the subject line so we can route it to the correct queue.