Stan
Privacy Policy

The Stan Constitution: Master Privacy Policy & Data Sovereignty Protocol

Effective Date:

Document ID: STAN-LEGAL-PRIV-2026-V3 Classification: PUBLIC / ENTERPRISE GRADE Effective Date: January 23, 2026

Preamble: The Vibe Manifesto

We, the architects of StaNLink, believe that the future of game development is not compiled locally, but manifested globally. By democratizing the creation of interactive media through the Stan Agent, we are building a world where "Vibe Coding" replaces syntax errors.

However, with great power comes great data responsibility. This document is not merely a legal requirement; it is the Operating System for our trust relationship with you. It details, with excruciating technical precision, how we handle the digital exhaust of your creativity across our Unity, Unreal, and Godot pipelines.

Article I: Definitions & Interpretation

To ensure absolute clarity in this "Cyber-Legal" agreement, the following definitions apply:

  1. "The Architect" (You): The natural person or legal entity utilizing the Stan Agent to generate, modify, or publish interactive content.
  2. "The Agent" (Stan): The proprietary Large Language Model (LLM) and orchestration layer that converts natural language intent into engine-specific bytecode or scripts.
  3. "The Manifest" (Universal Project Manifest): The JSON/YAML-based schema that defines a game's logic, assets, and hierarchy, independent of the underlying engine.
  4. "The Trinity Engines": The supported target runtimes: Unity Technologies' Unity Engine, Epic Games' Unreal Engine, and the Godot Foundation's Godot Engine.
  5. "R2 Warehouse": The distributed object storage system (powered by Cloudflare R2) where assets are cryptographically hashed and stored.
  6. "Vibe Data": The semantic intent, prompt history, and aesthetic preferences exhibited by the Architect during the creation process.

Article II: The Architecture of Collection

We collect data across four distinct "Layers" of the Stan Ecosystem.

Section 2.1: The Neural Layer (Input & Intent)

When you interface with the Stan Agent via the Dashboard or IDE Plugins:

  • Prompt Tokenization: Every text or voice command is tokenized. We store both the raw input (e.g., "Make the sky purple") and the resolved intent (e.g., Skybox.Color = #800080).
  • Context Window Snapshots: To maintain conversation continuity, we cache the active "Context Window" of your session. This includes previous code snippets, error logs, and active variable states.
  • Sentiment Telemetry: We analyze the tone of prompts to adjust the Agent's personality (e.g., switching from "Tutorial Mode" to "Expert Mode").

Section 2.2: The Silicon Layer (Hardware & Telemetry)

Stan is a cloud-native platform, but it optimizes for your end-users (the players). We collect:

  • WebGL/WebGPU Capabilities: When you preview a game, we query the GL_RENDERER string to optimize shader compilation.
  • Latency Triangulation: We measure Round-Trip Time (RTT) between your client and our nearest edge node (using Cloudflare Workers) to ensure low-latency asset streaming.
  • Input Device Profiling: We detect connected peripherals (Gamepads, VR Headsets, Touch Screens) to auto-configure input maps in the generated builds.

Section 2.3: The Asset Layer (Storage & Integrity)

Every file uploaded to the R2 Warehouse is analyzed:

  • Cryptographic Hashing: Files are assigned a SHA-256 hash upon ingress to detect duplicates and prevent storage redundancy.
  • Metadata Extraction: We parse header data from .fbx, .wav, and .png files to extract dimensions, duration, and compression standards.
  • License Fingerprinting: If an asset contains embedded XMP metadata or watermarks, we log this to ensure compliance with copyright laws.

Section 2.4: The Financial Layer (Monetization)

For Architects participating in the Revenue Share Program:

  • Fiscal Identity: We collect Tax IDs (TIN/EIN), banking coordinates (IBAN/SWIFT), and KYC documents via our payment processor (Stripe/PayPal).
  • Ad Impression Logs: We track every ad served in your games via Adsterra, logging the timestamp, ad format, and placement ID to calculate your Fill Rate and eCPM.

Article III: The Purpose of Processing

We process data under the following legal bases (GDPR Art. 6):

Section 3.1: Contractual Necessity

  • To Compile Code: We must process your manifests and assets to trigger the GitHub Action pipelines that build your game. Without this data, the service cannot function.
  • To Distribute Builds: We store your compiled binaries (.apk, .exe, .wasm) to serve them to players via the Stan Games Portal.

Section 3.2: Legitimate Interest

  • Fraud Detection: We analyze build logs to detect malicious code injection (e.g., crypto-miners) attempting to exploit the Stan Runtime.
  • Agent Calibration: We use anonymized "Vibe Data" to train the next iteration of the Stan Agent, improving its ability to understand complex game logic.

Section 3.3: Legal Obligation

  • Tax Compliance: We are required by law to report earnings over specific thresholds (e.g., IRS Form 1099-K) to relevant tax authorities.
  • COPPA/GDPR-K: We process age-gate data to ensure children are routed to the specific Stan Kids Zone.

Article IV: The Vibe Coding Protocol & AI Training

Section 4.1: The Training Loop (RLHF)

Stan is an evolving organism. By using the platform, you acknowledge that your anonymized project structures contribute to the collective intelligence.

  • What is used: Successful code patterns, efficient shader graphs, and optimized scene hierarchies.
  • What is NOT used: Your proprietary assets (art/music), your specific storylines, or personally identifiable strings.

Section 4.2: Opt-Out Mechanisms

Enterprise clients may request a "Siloed Training Environment" where their project data is excluded from the global training set. This requires a specific Enterprise Service Agreement.

Article V: Third-Party Processors (The Supply Chain)

We maintain strict Data Processing Agreements (DPAs) with the following sub-processors:

ProcessorPurposeData SharedLocation
CloudflareEdge Hosting, R2 Storage, DDoS ProtectionIP Addresses, Asset Binaries, TLS HandshakesGlobal (Anycast)
GitHubCI/CD Build PipelinesSource Code (Ephemeral), Build Logs, SecretsUSA
AdsterraAd Inventory & MonetizationImpression Data, User Agents, Geo-LocationCyprus/Global
Google FirebaseAuth & Realtime DatabaseUser IDs, Game State, Leaderboard ScoresUSA/Global
StripePayout ProcessingBanking Details, Tax IDs, Transaction HistoryUSA/Global
SentryError TrackingStack Traces, Device State at CrashUSA

Article VI: Data Sovereignty & Cross-Border Transfers

Section 6.1: The "Follow-the-Sun" Storage

To ensure speed, your game assets are replicated across Cloudflare's global network. However, the "Master Record" of your account data resides in secure data centers in the United States (East Coast).

Section 6.2: Transfer Mechanisms

Transfers of personal data from the EEA/UK to the US are protected by Standard Contractual Clauses (SCCs) and the Data Privacy Framework (DPF) certification where applicable.

Article VII: The Stan Kids Zone (COPPA Shield)

For the kids.games.stanl.ink subdomain:

Section 7.1: The Zero-Data Doctrine

We have architected the Kids Zone to be "Stateless" regarding user identity.

  • No Persistent Cookies: We use ephemeral session storage only.
  • No Behavioral Ads: Ads are Contextual ONLY (e.g., "This is a racing game, show a toy car ad").

Section 7.2: Developer Obligations

Architects publishing to the Kids Zone warrant that their content:

  1. Contains no external links.
  2. Contains no uncontrolled chat features.
  3. Collects no PII from players.

Article VIII: Obsidian-Grade Security

Section 8.1: Encryption Standards

  • At Rest: AES-256-GCM encryption for all database rows and R2 objects.
  • In Transit: TLS 1.3 with HSTS (Strict Transport Security) enforced on all subdomains.

Section 8.2: Access Control

  • Principle of Least Privilege: Stan engineers have zero access to your raw assets unless explicitly granted via a "Support Token" for debugging.
  • MFA: Multi-Factor Authentication is enforced for all administrative access.

Article IX: User Rights & The "Right to Eject"

Section 9.1: The Eject Button

You are not locked into Stan. You have the Right to Portability.

  • Export to Engine: You can download your project as a standard Unity Project, Unreal Project, or Godot Project folder structure.
  • JSON Dump: You can request a raw JSON dump of all your "Vibe Data" and manifests.

Section 9.2: The Right to Be Forgotten

Upon request to legal@stanl.ink, we will:

  1. Delete your account metadata.
  2. Purge your assets from R2 (allow 30 days for global cache clearance).
  3. Remove your games from the Public Portal.

Article X: Dispute Resolution

Section 10.1: Binding Arbitration

Any dispute arising from this Policy shall be resolved by binding arbitration conducted by the American Arbitration Association (AAA), rather than in court.

Section 10.2: Class Action Waiver

You agree to resolve disputes with StaNLink on an individual basis and waive any right to participate in a class action lawsuit.

Article XI: Contact The High Council

If you believe your data sovereignty has been breached, or if you wish to exercise your rights:

  • General Counsel: legal@stanl.ink
  • Data Protection Officer (DPO): dpo@stanl.ink
  • Security Emergency: security@stanl.ink
  • Physical Notice Address: StaNLink Legal Department 123 Tech Avenue, Innovation City State of Digital flux, 12345

"We code the vibes, you own the dream."

Copyright © 2026 StaNLink. All rights reserved. No part of this manifesto may be reproduced without the express "Vibe Check" of the authors.

OverviewTerms of Service