Wonderland Cloud Privacy Policy

Effective Date: February 11, 2026 · Last Updated: February 12, 2026

Welcome to Wonderland Cloud! This Privacy Policy explains how Create Worlds (DBA of Robot Invader, Inc.), a Delaware C corporation headquartered in California ("Company," "we," "us," or "our"), collects, uses, discloses, and protects your personal information when you use our website, platform, and related services (collectively, the "Services"). Our Services enable communication and data transfer via WebRTC, hosted on Google Kubernetes Engine and Google Cloud Platform.

By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Services.

1. Information We Collect

1.1 Information You Provide Directly

• Account Information: When you create an account we collect your email address, first name, and last name. You may optionally provide your company name.
• Payment Information: Payments are processed by Stripe, Inc. We do not store full credit card numbers. Stripe's collection and use of your data is governed by the Stripe Privacy Policy.
• Communications: If you contact us for support or other inquiries, we retain the content of those communications.
• User Content & Server Code: Code and assets you upload are stored on Google Cloud Platform for execution and delivery.

1.2 Information Collected Automatically

• Usage & Log Data: We automatically collect IP address, browser type, operating system, referring URLs, pages visited, access timestamps, and feature usage.
• Connection Metadata: Data transferred through our servers is monitored for metadata only (e.g., connection times, volumes) for billing and network optimization. DNS and web traffic may additionally be monitored through Cloudflare.
• Device Information: Hardware model, operating system version, unique device identifiers, and network information.
• Cookies & Similar Technologies: We use cookies, local storage, and similar technologies for authentication, site functionality, analytics, and preferences. See Section 7 for details.

1.3 Information from Third Parties

We may receive information from authentication providers (e.g., single sign-on services), analytics providers, and payment processors as necessary to operate the Services.

2. How We Use Your Information

We use the information we collect for the following business purposes:

• Provide, operate, maintain, and improve the Services.
• Process transactions, send billing confirmations, and manage subscriptions.
• Authenticate users and secure accounts.
• Communicate with you about updates, security alerts, and support.
• Monitor usage patterns to optimize performance and detect abuse.
• Comply with legal obligations, enforce our Terms of Service, and protect our rights.
• Conduct analytics and research to improve the Services.

3. Legal Bases for Processing

We process personal information on the following legal bases:

• Performance of a contract: Processing necessary to fulfill our obligations under the Terms of Service.
• Legitimate interests: Improving our Services, preventing fraud, and ensuring security.
• Consent: Where you have given explicit consent (e.g., analytics cookies, error-monitoring session replay, marketing communications). You may manage your cookie preferences at any time via our cookie consent banner.
• Legal obligation: Compliance with applicable laws and regulations.

4. Data Sharing and Disclosure

We do not sell or rent your personal information. We may share data in the following circumstances:

• Service Providers: Stripe (payment processing), Google Cloud Platform (hosting & infrastructure), MongoDB Atlas (database), Cloudflare (DNS & security), and Sentry (error monitoring) — each under strict data protection agreements.
• Legal Requirements: When required by law, regulation, legal process, or governmental request.
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction.
• Protection of Rights: To enforce our Terms of Service, protect our rights, privacy, safety, or property, or that of our users or the public.
• With Your Consent: We may share your information for any other purpose with your explicit consent.

5. Data Storage and Security

Your data, including subscription and account information, is stored on MongoDB Atlas with encryption at rest and in transit. We host Services on Google Kubernetes Engine on Google Cloud Platform, leveraging enterprise-grade security controls, access management, and regular audits.

While we implement commercially reasonable administrative, technical, and physical safeguards to protect your data, no method of transmission over the Internet or electronic storage is 100% secure.

6. Data Retention

We retain personal information for as long as your account is active or as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer necessary for these purposes, we securely delete or anonymize it.

7. Cookies and Tracking Technologies

When you first visit the Services, a cookie consent banner is presented allowing you to accept or reject non-essential cookies. You may also customize your preferences at any time. We categorize cookies as follows:

• Essential Cookies: Required for authentication, session management, and core functionality. These cannot be disabled and do not require consent.
• Analytics Cookies (opt-in): Google Analytics is used to understand usage patterns and improve the Services. Analytics cookies are only loaded after you grant consent via the cookie banner.
• Monitoring Cookies (opt-in): Sentry Session Replay may record anonymized page interactions to help us diagnose errors. Replay is disabled by default and only activated if you grant monitoring consent. When active, all text is masked and all media is blocked.
• Preference Cookies: Remember your settings and display preferences, including your cookie consent choices (stored in local storage).

You can change your cookie preferences at any time using the cookie consent banner or by clearing your browser storage. Disabling essential cookies may affect the functionality of the Services.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where data protection laws may differ. We take appropriate safeguards to ensure your data remains protected in accordance with this Privacy Policy, including standard contractual clauses and other lawful transfer mechanisms.

9. Your Privacy Rights

9.1 Rights for All Users

Regardless of your location, you may:

• Access, correct, or delete your personal information. You may delete your account and all associated data at any time from your account settings. Account deletion is immediate and cascades across all of your servers, pages, projects, APIs, subscriptions, and team memberships.
• Object to or restrict our processing of your data.
• Request a portable copy of the data you provided to us.
• Withdraw consent at any time where processing is consent-based, including cookie consent via the cookie banner.

9.2 California Residents — CCPA / CPRA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:

• Right to Know: You may request details about the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes, and the categories of third parties with whom we share data.
• Right to Delete: You may request that we delete the personal information we hold about you, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted by the CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of Personal Information Collected: Identifiers (name, email, IP address); commercial information (subscription and transaction records); internet or electronic network activity (usage data, logs); and professional or employment-related information (company name, if provided).

Retention: Each category is retained as described in Section 6.

To exercise your CCPA/CPRA rights, email us at privacy@wonderlandengine.com. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

9.3 California "Shine the Light" (Civil Code § 1798.83)

California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

10. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, we do not respond to DNT signals, but you may manage your cookie and tracking preferences via our cookie consent banner or your browser settings.

11. Children's Privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at privacy@wonderlandengine.com.

12. Third-Party Links and Services

The Services may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

13. Data Breach Notification

In the event of a data breach involving your personal information, we will notify affected individuals and relevant authorities in accordance with applicable law, including California Civil Code § 1798.82 and other applicable state and federal breach notification requirements.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the revised policy on this page with an updated "Last Updated" date and, where required by law, provide additional notice (such as via email). Continued use of the Services after changes become effective constitutes your acceptance of the revised policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: