
PRIVACY POLICY

Last updated: February 2026

1. Who We Are

AITEKS SOLUCOES EM TECNOLOGIA LTDA (CNPJ 57.420.480/0001-67), referred to as "Aiteks," "we," or "us," is the data controller for personal information collected through the Upstream Tycoon platform and its associated game editions (Engineering Edition, Drilling Edition, CO2 Storage Edition).

2. Your Consent to Data Collection and Storage

By creating an account, signing in via LinkedIn or any other authentication method, or by continuing to use the platform, you expressly consent to the collection, processing, and storage of your personal data and game data as described in this Privacy Policy.

If you do not consent to the data practices described herein, you must not create an account or use the platform. You may withdraw your consent at any time by deleting your account, but this will not affect the lawfulness of processing based on consent before its withdrawal.

3. Data We Collect

  • Account data: name, email address, and profile information provided at registration or obtained from your LinkedIn profile via OAuth authentication.
  • Authentication data: OAuth tokens, provider identifiers, and session data necessary to maintain your signed-in state.
  • Game progress data: full simulation state (game day, production rates, well data, unlocked technologies, concepts mastered, achievements, crew composition, financial data, ESG score, settings, and preferences), stored locally in your browser (localStorage) and, when signed in, synced to our cloud servers.
  • Leaderboard data: nickname, company name, production metrics, and scores submitted to the global leaderboard (publicly visible unless you opt out).
  • Usage data: game edition accessed, feature usage, onboarding completion status, and gameplay analytics.
  • Technical data: IP address, browser type, operating system, device information, and access timestamps, collected automatically for security and diagnostic purposes.

4. How We Use Your Data

  • Creating and managing your user account and authentication.
  • Saving and restoring game progress across sessions, devices, and browsers via cloud save synchronization.
  • Displaying rankings on the global leaderboard (nickname, company name, and game metrics).
  • Generating time-series snapshots of your game progress for analytics and historical tracking.
  • Improving the platform, fixing bugs, and developing new features using aggregated and anonymized usage data.
  • Ensuring platform security, preventing fraud, and detecting abuse.
  • Sending relevant product updates (only with your explicit consent).
  • Complying with legal and regulatory obligations.

5. Legal Basis for Processing

Processing is based on the following grounds under applicable law (including Brazil's LGPD, Lei n. 13.709/2018):

  • Consent — you provide explicit consent when creating an account or signing in, accepting these terms and agreeing to data storage.
  • Contract performance — to provide the platform services, including cloud saves, leaderboards, and game functionality.
  • Legitimate interests — for security, fraud prevention, diagnostics, analytics, and product improvement.
  • Legal obligation — when required by applicable law or regulatory authority.

6. Data Sharing

We do not sell, rent, or trade your personal data. We may share it only with:

  • Infrastructure providers: hosting (Railway), database, and CDN services used solely to operate the platform. These providers process data on our behalf under appropriate contractual safeguards.
  • Authentication providers: LinkedIn (via OAuth) for sign-in purposes only. We receive only the data you authorize LinkedIn to share.
  • Competent authorities: when required by court order, legal obligation, or to protect our rights.

7. Data Retention

We retain your data for as long as your account is active or as needed to fulfill the purposes described in this Policy. Account data will be deleted within 30 days of a deletion request, unless a legal obligation requires longer retention. Game progress data and anonymized analytics may be retained in aggregated form indefinitely for platform improvement purposes.

8. Local Storage

Game progress is stored in your browser's localStorage under the key upstream-tycoon-save. This data resides on your device and is transmitted to our servers only when you are signed in (for cloud save synchronization). You can export, import, or delete local save data at any time via the in-game settings.

9. Security

We apply appropriate technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure — including HTTPS-encrypted connections, secure OAuth token handling, and role-based access controls. However, no method of electronic storage or transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

10. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Confirm whether we process your personal data.
  • Access the data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request erasure or restriction of processing where permitted by law.
  • Data portability (receive your data in a structured format).
  • Withdraw consent at any time (without affecting prior processing).
  • Object to processing based on legitimate interests.
  • Lodge a complaint with a supervisory authority (e.g., Brazil's ANPD — Autoridade Nacional de Proteção de Dados).

To exercise any of these rights, contact us at the address in Section 14.

11. International Transfers

Data may be processed on servers located outside Brazil (including the United States and other regions where our infrastructure providers operate). In such cases, we ensure an equivalent level of protection through appropriate contractual safeguards, standard contractual clauses, or adequacy decisions as required by applicable law.

12. Minors

Our services are not directed at children under 13 years of age. We do not knowingly collect data from minors. If we identify data collected from a minor without verifiable parental consent, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us immediately.

13. Updates to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. Registered users may be notified of material changes by email or an in-platform notice. It is your responsibility to review this Policy periodically. Continued use of the platform after the revised Policy is published constitutes your acceptance of the changes.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Email: contato@aiteks.com.br