Privacy Policy
Last updated: May 11, 2026
Who this policy covers
This Privacy Policy explains how Cloverfield collects, uses, stores, and shares personal data. It applies to three groups: operators (people who create accounts and mint sessions), players (people who download and run cloverfield.exe in response to a session code), and visitors (anyone who simply browses the site). Different data is processed for each group, and different retention rules apply. The relevant rules for each group are called out explicitly below.
What we collect — operators
When you create an operator account, we collect your email address, a hashed password (or a third-party authentication identifier if you sign in with a provider like Google), and any profile information you choose to add (display name, organization). When you mint sessions, we record session metadata including the six-digit code (one-way hashed for lookup), creation time, expiry time, status, and the report identifier the session resolves to. If you upgrade to a paid plan, we collect billing details (handled by our payment processor) and invoice metadata.
What we collect — players
When the agent runs on a player's machine, it collects forensic artifacts strictly relevant to detecting cheats and anti-forensic tooling. This includes: NTFS Master File Table records and timestamps; Windows prefetch entries; selected registry hives and keys; lists of loaded modules and running processes; pagefile signatures; signatures of known cheat loaders, cleaners, and anti-forensic utilities; basic system information such as Windows version, hardware identifiers, and locale. The agent does not capture screenshots, keystrokes, microphone or webcam input, browser history, the contents of personal documents, saved passwords, browser cookies, game accounts, chat logs, payment data, or any file outside the artifact set defined above. The exact artifact list is documented and may evolve to keep up with cheating techniques; changes are reflected in the agent's release notes.
What we collect — visitors
When you simply browse the site, we may receive standard request data including IP address, user agent, referrer, requested URL, and timestamp. We use a small number of strictly necessary cookies (session, security, preferences). We do not run third-party advertising trackers or sell visitor data.
Why we process this data
We process operator data to operate accounts, deliver the service, bill paid plans, and meet legal obligations. We process player scan data for the single purpose of producing the forensic report the operator requested and delivering it securely back to that operator. We process visitor data to keep the site online, secure, and to understand basic usage at an aggregate level. We do not use scan data for advertising, profiling, or training third-party AI models. We do not sell personal data.
Legal bases (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following legal bases: (a) performance of a contract — to provide the service to operators and to deliver reports tied to a session a player has voluntarily run; (b) legitimate interests — to keep the service secure, prevent abuse, and improve the product, balanced against your rights; (c) consent — for any non-essential cookies or marketing emails, where required; (d) legal obligation — to comply with tax, accounting, or law-enforcement requirements.
Player consent
Cloverfield only scans a machine when the player who controls that machine downloads cloverfield.exe and runs it themselves with a valid session code. Operators are responsible for obtaining the player's informed consent before scanning. Where the player is a minor, the operator is responsible for obtaining appropriate parental or guardian consent in accordance with local law.
Where data is stored and processed
Data is hosted with reputable cloud infrastructure providers in the EU and the US. Reports are encrypted in transit (TLS) and encrypted at rest. International data transfers are protected by appropriate safeguards (such as Standard Contractual Clauses) where required by law.
Subprocessors
We rely on a small number of trusted subprocessors, including providers for cloud hosting and storage, authentication, transactional email, error and performance monitoring, and payment processing. Each subprocessor is bound by a written data-processing agreement and may only process personal data on our documented instructions. The current list is available on request to privacy@cloverfield.app.
How long we keep it
Forensic reports are retained for 90 days from upload, then permanently deleted. Operators may delete a specific report earlier from their dashboard or by request. Account data is retained while your account is active and for up to 30 days after deletion (to allow recovery and to comply with legal obligations). Billing records are retained for as long as required by tax law (typically 7 years). Server and security logs are retained for up to 30 days.
How we secure it
Reports are signed and hashed end-to-end so tampering can be detected. Authentication uses industry-standard mechanisms (hashed passwords, OAuth, optional 2FA). Access to scan data inside our infrastructure is restricted to a small number of personnel on a need-to-know basis, logged, and reviewed. We follow secure-development practices and run regular reviews of our infrastructure. No system is perfectly secure; if we ever discover a breach affecting your data, we will notify you in line with applicable law.
Sharing with third parties
We do not sell personal data. We share personal data only: (a) with subprocessors as described above; (b) with the operator who minted the session, in the form of the report (this is the entire purpose of the service); (c) where compelled by valid legal process (court order, subpoena, regulatory request) — we will, where lawful, notify the affected user; (d) in the event of a corporate transaction (merger, acquisition, sale of assets), subject to confidentiality and to this policy continuing to apply.
Your rights
Depending on where you live, you have the right to access, correct, export, restrict, or delete your personal data, the right to object to certain processing, and the right not to be subject to fully automated decisions with legal effect. EU/UK residents have rights under GDPR/UK GDPR. California residents have rights under CCPA/CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of sale or sharing (we don't sell or share for cross-context behavioural advertising). Email privacy@cloverfield.app to exercise any of these rights — we'll respond within the period required by law.
Cookies and similar technologies
We use a minimal set of strictly necessary cookies for session management, security, and remembering your preferences. We do not use advertising cookies. Where required, you'll see a banner letting you accept or reject any non-essential cookies. You can also manage cookies in your browser settings.
Children
Cloverfield is not directed at children under 13 and we do not knowingly collect personal data from children. If a parent or guardian believes a child under 13 has used the service, please contact privacy@cloverfield.app and we will delete the data.
Automated decisions
Reports are produced by automated forensic analysis. The report itself is information presented to the operator — it does not, by itself, ban a player or produce a legally significant decision. Any decision based on the report is made by the operator (or the league, tournament, or organization they represent), not by us.
Changes to this policy
We may update this policy from time to time. The "Last updated" date below will always reflect the most recent version. For material changes, we will give reasonable advance notice in-product, by email, or by highlighting a notice at the top of this page for at least 30 days.
Contact
Questions, requests, or complaints about your privacy: privacy@cloverfield.app. If you are in the EU/UK and are not satisfied with our response, you have the right to lodge a complaint with your local data-protection authority.