Privacy Policy

Effective Date: May 1, 2026 · Last Updated: May 20, 2026 · Version 3.0

🛡️ Sovereign Zero Data Retention (ZDR) Pathway

LumenForge runs on a zero-retention memory framework. Your intellectual property—including source code, local assets, prompt inputs, and compiled game binaries—is processed dynamically in-memory and is never stored, cached, or retained on our persistent systems unless explicitly requested by you for cloud hosting or targeted model fine-tuning.

1. Introduction

LumenForge (lumenforge.io), operated by Studio PxG LLC ("LumenForge", "we", "us", or "our"), is a premier browser-native 3D game orchestration environment. As a registered Service-Disabled Veteran-Owned Small Business (SDVOSB) based in Honolulu, Hawaiʻi, we adhere to strict standards of operational integrity, security, and absolute transparency. This Privacy Policy details how we handle information in connection with our services, application, and public web portals.

2. Information We Process

To provide our browser-native IDE and coordinate our generative AI agents, we process specific categories of data:

Proprietary Workspace Data (ZDR Protection): All files, codebases, 3D meshes, shaders, and text prompts fed into the LumenForge IDE are processed on-demand in-memory. They are never written to long-term storage or used to train general public models.
Account Details: Authentication is handled securely through our identity partner, Clerk. We collect your account email address, primary name, and authentication tokens to authorize access to paid features.
Transaction Data: Payments are processed dynamically by our Merchant of Record, Paddle.com Market Limited. We receive transactional status metadata and hashed identifiers, but we never see or store credit card credentials, card numbers, or raw payment profiles.
Performance & Telemetry Logs: Technical system metrics, compilation speeds, and anonymized user behavior logs are monitored via Sentry and PostHog. This telemetry strictly excludes user code, prompt contents, or game assets.

3. Grounding Principles & Security Architecture

We implement a defense-in-depth security approach to ensure that your digital workspace remains private:

Zero-Trust Authorization: All client calls utilize JSON Web Tokens (JWT) with a maximum lifetime of 1 hour. Refresh tokens are SHA-256 hashed and stored securely in GCP Memorystore with automated 7-day TTL rotation.
Safe Environment Parity: Secrets, API keys, and model coordination credentials are never hardcoded and are strictly injected at execution time using GCP Secret Manager.
Encrypted Transport: All data in transit is encrypted using TLS 1.3. Back-end operations run in isolated sandbox environments on containerized Google Kubernetes Engine (GKE) clusters.

4. How We Use and Share Information

We do not sell, rent, or trade your personal information or codebase assets. Information is shared strictly with essential sub-processors required to operate our platform:

Sub-Processors: Paddle (Billing orchestration), Clerk (Identity management), and Google Cloud Platform (Host infrastructure, in-memory AI inference clusters).
Legal Mandates: We may disclose information only if required to do so by federal court order or to comply with explicit statutory mandates under the Hawaii Revised Statutes.

5. Data Retention

We keep account records for as long as your account remains active. Anonymized operational logs and telemetry records are kept for no longer than 30 days to facilitate system health monitoring. If you delete your LumenForge account, all related identity parameters will be purged from our authentication databases within 48 hours.

6. Your Rights & Regional Compliance

We comply fully with major international privacy frameworks, providing equivalent rights to all developers regardless of location:

GDPR (European Union): You maintain the right to access, rectify, delete, restrict, or export all personal data.
CCPA/CPRA (California): We do not sell your personal data. You maintain the right to know what data we collect, opt-out of data tracking, and demand deletion.
Hawaii Privacy Laws: As a Honolulu-based firm, we comply fully with local state privacy regulations and security notification standards.

7. Policy Modifications

We may update this Privacy Policy to reflect security advancements or structural IDE updates. Major updates will be communicated clearly in our application interface or highlighted at the top of this document.

8. Contact Information

If you have any questions or security concerns regarding our data retention practices, please reach out to us:

Security & DevOps: devops@pxg.studio
General Inquiries: support@studiopxg.com
Mailing Address: Studio PxG LLC, Honolulu, HI, USA