Privacy Policy

GodotShield Pro — last updated 2026-04-20. Controller: LOOMIX, Switzerland. Contact: support@godotshield.dev.

GodotShield Pro is an editor plugin for the Godot Engine. It runs on your computer; your source code, project files, and compiled output never leave your machine. This page documents the three network interactions that do occur, and why.

1. What we collect

a) Licence issue (one network call per purchase)

When you claim a Pro licence at licence.godotshield.dev/ we validate your itch.io download_key against itch's API. We receive from itch: your buyer email and purchase metadata. We store only:

the first 16 bytes of SHA-256(lowercase_email) — not the plain email;
the download_key (itch-issued, not personally identifying on its own);
the signed licence blob we return to you;
issue timestamp.

We do not retain your plain email address. Your email is hashed in memory during the Worker call and discarded.

b) Machine activation (one network call per new machine — ADR-008)

Pro licences are bound to one machine at a time. On first use, the plugin POSTs to licence.godotshield.dev/activate with:

your licence blob;
a hashed machine fingerprint derived from your OS's stable hardware UUID — we never see the raw UUID;
a self-chosen machine label (e.g. "MacBook Pro") + platform (e.g. macos-arm64).

We store this row until you (or an admin, at your written request) frees the binding. Your client IP is hashed (SHA-256, truncated to 16 bytes) and stored for audit purposes.

c) Export verification (one network call per export — ADR-008 v1.0)

Every time you run an obfuscated export, the plugin POSTs to licence.godotshield.dev/verify the same three fields (licence, activation, machine id) and receives a short-lived signed permit. We log only a timestamp bump on the existing activation row — no project contents, no file names, no export path.

d) Violation beacon (fires only when a cracker is detected — ADR-007)

When the plugin detects a request to use premium features without a valid licence-and-activation pair, a single POST to beacon.godotshield.dev/v1/event records:

an install-specific UUID (auto-generated, stored in user://godotshield_install_id.txt);
platform + Godot version + plugin version;
project name from ProjectSettings;
SHA-256 of the attempted licence blob (not the blob itself);
which premium flags were requested;
SHA-256 of the client IP.

This event does not fire during normal legitimate use. Legitimate buyers never trigger it. Disclosed in-editor by a banner as required by Swiss FADP Art. 19 & Art. 31.

2. What we do NOT collect

No usage telemetry, analytics, crash reports, or feature-click tracking.
No source code, project files, or export output.
No plain email addresses (hashed-only, irreversibly).
No raw MAC address, hardware UUID, disk serial, or CPU ID (hashed-only).
No cookies, third-party trackers, or ad networks.

3. Legal basis (GDPR Art. 6 / Swiss FADP Art. 31)

Licence issue + activation + verify: performance of a contract (you paid for a licence, we enforce its terms).
Violation beacon: legitimate interest in preventing licence abuse, balanced against data minimisation (hashed IDs + flags only).

4. Retention

Licence rows: kept for the lifetime of the product; required to re-activate on new devices.
Activation rows: deleted on /admin/deactivate; audit trail in activation_history kept 3 years.
Violation events: 2 years from receipt, then purged.

5. Your rights

Under GDPR Art. 15-22 / FADP Art. 25, you may request: access, rectification, erasure, and a copy of records we hold about you. Because we only hold hashed identifiers, erasure is usually instant — we don't know which row matches a given email without you giving us a key or download_key to lookup. Email support@godotshield.dev.

6. Data transfers

Our Worker runs on Cloudflare's global edge. D1 data is stored in the EU region (Helsinki, EEUR). Transit uses TLS 1.3. No data is shared with third parties except Cloudflare (infrastructure provider) and SendGrid (only for email-verified deactivation, when that feature ships in v1.1).

7. Changes

This policy may be updated; material changes will be announced in the plugin's CHANGELOG and on the itch.io product page 14 days before taking effect.