legal / bunpav
Privacy
A product-specific account of the data bunpav processes across sign-in, workspaces, billing, Primitive Lab, Game Lab, and website analytics.
Last updated July 19, 2026
1. Scope and who is responsible
This Privacy Policy applies to bunpav.com, its dashboards, creative studios, public content, emails, and related services (collectively, the “Services”). The Services are operated by AISOLO Technologies Private Limited (“bunpav”, “we”, “us”). For applicable privacy law, we act as the controller or data fiduciary for the personal data described here.
This policy should be read with our Terms, Cookie Policy, and Data Rights page. It does not govern third-party websites or services you open from bunpav.
2. Data we process
| Category | Examples | Primary purpose |
|---|---|---|
| Account and authentication | Name, email, profile image, email-verification state, authentication provider identifiers, session tokens, and session expiry. | Create and secure your account, deliver magic links, maintain sessions, and prevent unauthorized access. |
| Workspace and team data | Organization name and slug, membership and role, invite email, inviter, invite token, expiry, and acceptance status. | Operate shared workspaces, permissions, invitations, and organization-level usage views. |
| Billing and credits | Credit pack, amount, currency, order status, Stripe Checkout Session and Payment Intent identifiers, credits granted or spent, ledger balance, and receipt email. | Complete purchases, issue receipts, reconcile webhooks, maintain the credit balance, investigate errors, and meet accounting obligations. Stripe—not bunpav—collects full card details. |
| Primitive Lab activity | Asset identifier, event type, seed, organization, export statistics, material mode, and up to 200 characters of a prompt used for a prompt variation. | Operate the studio, meter meaningful activity, provide team reporting, diagnose problems, and improve templates. |
| Game Lab state | Selected template, seed, difficulty, world size, enemy density, speed, pickup count, palette, and prompt controls. | Generate the playable preview and exported recipe. In the current beta these controls and recipe generation run in your browser and are not recorded by the Game Lab server action. |
| Browser preferences | Primitive Lab favorites and your analytics-consent choice stored in local storage. | Remember your settings on the same browser. These values remain on your device unless you clear browser storage. |
| Website analytics | Page and session activity, a pseudonymous client identifier, device/browser details, traffic source, and approximate location. | Understand aggregate use and improve the site. Google Analytics loads only after you allow analytics cookies. |
| Communications and security | Emails, support requests, transactional messages, IP-derived request information, timestamps, and technical logs. | Respond to you, deliver service notices, prevent abuse, investigate incidents, and protect the Services. |
3. Creative inputs and outputs
When an AI generation workflow accepts a text prompt, reference image, or other source asset, that content and the resulting model may need to be transmitted to infrastructure or an inference provider to fulfill the request. The active workflow may provide an additional notice where its provider or retention behavior differs materially from this policy. Do not submit secrets, regulated data, biometric data, or material you are not authorized to use.
Primitive Lab currently generates geometry and GLB exports in the browser. Game Lab currently generates playable levels and JSON recipes in the browser. Exported files are downloaded to your device; bunpav does not receive the file merely because you click export.
4. How and why we use data
- Provide accounts, workspaces, studios, exports, purchases, credit balances, and customer support.
- Authenticate users, enforce permissions, secure sessions, prevent fraud, and investigate misuse.
- Send magic links, invitations, receipts, security notices, and other transactional messages.
- Measure aggregate usage, diagnose performance, improve templates, and plan product capacity.
- Comply with tax, accounting, legal-process, consumer-protection, and data-protection obligations.
- Establish, exercise, or defend legal claims and enforce our agreements.
Where a legal basis is required, we rely on contract performance, consent, compliance with law, and legitimate interests such as security, fraud prevention, service improvement, and business operations, balanced against your rights.
5. When data is shared
We do not sell personal data. We may disclose limited data to:
- Infrastructure and database providers that host the application and its records.
- Authentication providers, including email delivery and any OAuth provider you choose.
- Stripe for checkout, fraud prevention, payment processing, refunds, and receipts.
- Google Analytics after analytics consent, for site measurement.
- Generation or storage providers when needed to process a creative request you initiate.
- Professional advisers and authorities where reasonably necessary or legally required.
- A successor organization in a merger, financing, reorganization, or sale, subject to appropriate protections.
Providers process data under their own legal obligations and, where applicable, agreements with us.
6. Cookies and local storage
Essential cookies support authentication, request integrity, and security. Local storage remembers studio favorites and your cookie choice. Analytics storage is optional and disabled until you select “Allow analytics.” You can change that selection through Cookie settings and policy.
7. Retention
We retain data only as long as reasonably necessary for the purpose described above:
- Account and workspace records generally remain while the account is active.
- Sessions and verification tokens expire or are removed as part of normal authentication operations.
- Expired or accepted invitations may be kept for a limited audit and abuse-prevention period.
- Orders, receipts, payment references, and credit-ledger records may be retained for tax, accounting, dispute, and fraud-prevention periods required or permitted by law.
- Studio usage records may remain while needed for metering, team reporting, security, support, and aggregate product analysis.
- Analytics data follows the retention controls configured in Google Analytics.
- Backups and security logs are removed on a rolling schedule, unless subject to a legal hold or active incident.
After a valid deletion request, we delete or de-identify eligible data and isolate any record that must be retained.
8. International processing
bunpav is operated from India. Our service providers may process data in India, the United States, Europe, or other countries. Where applicable law requires transfer safeguards, we use contractual or other recognized mechanisms and assess provider protections appropriate to the data involved.
9. Security
We use reasonable administrative, technical, and organizational safeguards, including access controls, signed payment webhooks, scoped sessions, encrypted transport, and least-necessary data collection. No internet service is completely secure. You are responsible for protecting access to your email account and promptly reporting suspicious activity.
10. Your choices and rights
Depending on where you live, you may have rights to access, confirm, correct, delete, restrict, object to, or receive a portable copy of personal data; withdraw consent; opt out of certain sharing; or complain to a regulator. We extend core access, correction, and deletion request paths to all users. See the Data Rights page for the request process and regional details.
11. Children
bunpav is not directed to children under 18 or the age of legal majority where they live. We do not knowingly create accounts for children. If you believe a child provided personal data, contact us so we can investigate and take appropriate action.
12. Automated decisions
bunpav does not currently make solely automated decisions about individuals that produce legal or similarly significant effects. Generated assets, game configurations, recommendations, and rankings are creative or informational outputs and should be reviewed by you before use.
13. Changes to this policy
We may update this policy when the product, providers, or law changes. We will revise the date above and, for material changes, may provide additional notice in the Services or by email. Earlier versions may be requested where reasonably available.
14. Contact and privacy grievances
Send privacy questions, rights requests, and grievances to [email protected]. Use “Privacy request” or “Privacy grievance” in the subject and contact us from the email tied to your account where possible.
AISOLO Technologies Private Limited
1003, Kamdhenu Commerz, Sector 14, Kharghar, Navi Mumbai 410210, Maharashtra, India