Limitations & privacy

Udon constraints

VRChat's Udon runtime sandboxes worlds tightly. Our beacon operates within those sandbox limits, which directly shape the product:

• URLs are pre-baked at build time. Udon cannot construct URLs at runtime, so every beacon URL (one per event × platform × zone) is serialized into the world when you Build & Publish.
• No crypto at runtime. Udon can't compute HMACs or sign requests. That's why beacon URLs can't carry time-varying authentication — the same URL is valid every time it's fired.
• No world ID in Udon. Your world can't read its own wrld_xxx at runtime (VRChat deliberately hides this). We work around it by baking the ID in at build time via PipelineManager.blueprintId.
• Beacon fires only when players are present. VRChat instances only exist while at least one player is in them. A world with zero visitors for a week produces zero beacons, indistinguishable from a deleted world — except that our daily VRChat API check resolves this.

Session-ID accuracy

Each beacon is attributed to a server-generated session_id derived fromhash(ip + hour_bucket). This is accurate for typical VRChat traffic because each player has their own home IP. Edge cases:

• Same LAN: two players on the same home WiFi share a public IP → counted as one session for that hour. Rare in practice.
• Carrier NAT: mobile-data users can share IPs with strangers. Collapses into one session.
• Hour crossover: a player in your world from 10:59 to 11:03 generates two session IDs. Total Visits = 1 (no second join), Unique Visitors looks right, per-event counts unaffected.

Why the beacon endpoint doesn't need a key

Beacons arrive with only the world ID (?w=wrld_xxx). The world ID is public (anyone can find it on vrchat.com), so anyone could theoretically spam fake beacons for a registered world. Mitigations in place:

• Per-world rate limit: 5,000 events/hour (caps inflation volume)
• User-agent check: non-VRChat requests flagged as suspicious_source, surfaced in the dashboard warning banner
• Per-IP global rate limit: 200 req/min (catches script-based abuse)

The setup key (the thing you paste into Unity) is a different credential. It lives in EditorPrefs on your machine only and is used once per build to register your world ID with our API. It's never embedded in the uploaded world. So capturing a beacon URL via VRCX reveals only public information — no credential to steal.

Privacy — what we store about players

We record the following per beacon:

• Your world's VRChat world ID
• Event type (join / leave / zone_enter / zone_exit)
• Platform (pcvr / desktop / android) — for join/leave events
• Derived session ID (hashed IP + hour)
• Zone name if applicable
• Duration in seconds (derived server-side from paired join/leave)
• Player count in the instance at the time of the event (from VRChat's GetPlayerCount)
• The request's User-Agent (for abuse detection)
• The request's IP (for session ID derivation and abuse detection — never surfaced in analytics)

We do NOT store:

• Player VRChat usernames or display names
• Player VRChat user IDs
• Player positions (only zone membership)
• Anything about the player's avatar, friends, or inventory

Data retention

Event data is retained indefinitely during beta. At launch, retention will be tied to plan (Free: 7 days, Pro: 90 days, Pro+: 1 year). Creator accounts and registered worlds are retained until the creator deletes them.

GDPR / data rights

Until we ship a self-service data-export and account-deletion flow, requests for data export or deletion can be sent to privacy@vrcanalytics.com. We respond within 30 days.

Known limitations (roadmap)

• First-time world uploads may register without a world-ID binding. Re-upload once VRChat has assigned a wrld_xxx and the binding sticks.
• Session ID collides for players behind the same NAT.
• VRChat API rate limits slow down world-metadata fetches on first registration — newly-bonded worlds may wait up to 10 minutes for name/thumbnail to populate.
• No real-time dashboard — refresh to see latest numbers.
• No email verification on signup yet.