Privacy Policy

Last updated: 25 April 2026 · Effective: 25 April 2026

VRCAnalytics is an independent project not affiliated with, endorsed by, or sponsored by VRChat Inc. "VRChat" is a trademark of VRChat Inc.

This Privacy Policy explains how VRCAnalytics (“we”, “us”) collects and processes personal data. We operate the analytics service at vrcanalytics.com and the related Unity beacon package. We comply with Regulation (EU) 2016/679 (GDPR) and Czech Act No. 110/2019 Coll. on personal-data processing.

1. Data controller

Controller: Redacted, based in the Czech Republic. Contact: legal@vrcanalytics.com.

For data we receive from VRChat worlds (i.e. beacon traffic), the world creator is the data controller and we are the data processor — see our Data Processing Addendum.

2. What we collect

From site users (creators)

  • Email address and a bcrypt hash of your password (for sign-in).
  • Username you choose, optional bio and social links if you complete a public profile.
  • If you link a VRChat author name, that name and the worlds attributed to it on VRChat's public API.
  • Timestamps of registration, terms-of-service acceptance, and last activity.

From your tracked VRChat worlds (player beacons)

We are deliberately minimal here. From each beacon we keep:

  • A synthetic session identifier — a salted SHA-256 hash that includes the connecting IP and the current hour. We never store the IP itself; the hash exists only to pair a player's "join" event with their "leave" event so we can compute session length.
  • Event type (join, leave, zone enter/exit, FPS sample).
  • Platform bucket (PC VR / Desktop / Quest).
  • Instance size bucket at the moment of joining (e.g. 1–4, 5–8, 9–16, 17–32, 33+).
  • FPS bucket (e.g. <60, 60–75, 75–90, 90–120, 120+).
  • Zone names you defined in your world.
  • VRChat world ID (wrld_…).

We do not store: IP addresses, User-Agent strings, VRChat user IDs, display names, avatars, friend information, voice activity, GPU / CPU / RAM / OS, or any per-player position data beyond zone presence.

IP and User-Agent are inspected at request time only — for rate-limiting and to flag non-VRChat clients (a single boolean is recorded, not the source values). Both are discarded as soon as the request finishes.

From VRChat's public API

We cache publicly listed world metadata (name, author name, thumbnail, occupancy, heat, favorites) for the discovery layer. Authors who do not opt in still appear in this cache if VRChat's public listings include their world; opting out means contacting us to delete the cache row.

3. Why we process it (legal bases)

  • Performance of contract — to operate your account and the analytics service you signed up for.
  • Legitimate interests — abuse prevention, rate-limiting, security logging.
  • Consent — for optional public profile info (bio, socials, linked VRChat name).
  • Legal obligation — when compelled by lawful orders.

4. How long we keep it

  • Account data: while your account exists, plus 30 days after deletion (audit window).
  • Beacon events (containing only the minimal fields listed above): up to 365 days from creation. We keep one year so creators can run year-over-year comparisons and annual recaps on their own data.
  • Aggregated daily summaries (one row per world per day, no session-level data): retained indefinitely so multi-year trends and "year in review" features remain available after raw events age out.
  • IP addresses and User-Agents: never persisted — used only at request time.
  • Password reset tokens: 1 hour, single-use; soft-deleted rows pruned after 30 days.
  • VRChat cache rows: refreshed every 15 minutes; orphan rows pruned after 30 days.

5. Who we share it with

We do not sell, rent, or share your data for marketing. We use the following sub-processors:

  • Resend (email delivery for transactional mail like password reset).
  • Railway, Inc. (database hosting in the EU).
  • Cloudflare (CDN, DDoS protection — only when enabled in production).

We may disclose data to comply with lawful orders from Czech or EU authorities.

6. International transfers

Our infrastructure is hosted in the EU. Sub-processors that operate outside the EU rely on Standard Contractual Clauses (SCCs) under Article 46 GDPR.

7. Your rights

Under GDPR you may exercise the following rights free of charge:

  • Access — get a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure (“right to be forgotten”) — request deletion.
  • Portability — receive your data in machine-readable form.
  • Restriction and objection — pause or object to processing based on legitimate interest.
  • Withdraw consent — at any time, where consent is the legal basis.

Send requests to legal@vrcanalytics.com. We respond within 30 days. You can also lodge a complaint with the Czech supervisory authority:

Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
www.uoou.cz · posta@uoou.gov.cz

8. Security

  • Passwords stored as bcrypt hashes (cost 12).
  • World keys hashed (bcrypt) and AES-GCM encrypted at rest.
  • HTTPS in transit; HSTS planned for production.
  • Rate-limited beacon endpoints; suspicious-source flagging.
  • Database access restricted by IAM and network rules.

9. Cookies and similar technology

VRCAnalytics does not use tracking cookies. The site stores a single JSON Web Token in your browser's localStorage after sign-in to keep you authenticated. There are no third-party advertising trackers.

10. Children

VRChat's terms restrict its service to users 13+. We do not knowingly process data of anyone under 13. If you believe we have, contact us and we will delete it.

11. Changes to this policy

We may update this policy. Material changes will be announced in-app and by email; the "Last updated" date above always reflects the current version.

12. Contact

Questions, requests, or complaints: legal@vrcanalytics.com.