CloverfieldCloverfield
Legal

Privacy Policy

Cloverfield is a Building New Life product · Last updated: July 1, 2026

01

Controller and contact

This Privacy Policy describes how Building New Life, registered at Eteläesplanadi 22, 00130 Helsinki, Finland ("we", "us", "our"), processes personal data in connection with Cloverfield (the "Service"). Cloverfield is operated by Building New Life as one of its products, alongside Pohja and related tools. For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK GDPR, we are the data controller of the personal data described in this Policy. Contact: privacy@buildingnew.life.

02

Scope

This Policy applies to personal data processed when you visit cloverfield.app, create an operator Account, mint a session, download or run the cloverfield.exe agent as a player, view or receive a forensic report, or otherwise communicate with us. It does not apply to third-party websites or services we link to, which have their own privacy practices.

03

Who this Policy covers

Three groups of people are covered by this Policy. Operators are people who create Accounts, mint session codes, and receive reports. Players are people who download and run cloverfield.exe in response to a session code an operator gave them. Visitors are anyone who simply browses the site. Different data is collected for each group and, where relevant, different retention rules apply.

04

Data we collect — operators

Account data: email address, password hash, display name, organization, profile preferences, and authentication provider identifiers where you sign in via a third party. Session data: the six-digit session code (one-way hashed for lookup), creation and expiry timestamps, status, the report identifier it resolves to, and any notes or labels you attach. License data: license key, tier, activation status, and redemption history. Billing data: billing name, country, VAT number where applicable, transaction identifiers, plan and purchase history. Card numbers are handled by our payment processor; we do not store them. Communications: messages you send to support, survey responses, and feedback.

05

Data we collect — players

When the cloverfield.exe agent runs on a player's machine, it collects forensic artifacts strictly relevant to detecting cheats and anti-forensic tooling: NTFS Master File Table records and timestamps; Windows prefetch entries; selected registry hives and keys; lists of loaded modules and running processes; pagefile signatures; signatures of known cheat loaders, cleaners, and anti-forensic utilities; and basic system information such as Windows version, hardware identifiers, and locale. The agent does not capture screenshots, keystrokes, microphone or webcam input, browser history, personal documents, saved passwords, browser cookies, game accounts, chat logs, payment data, or any file outside the artifact set defined above. The exact artifact list is documented and evolves with cheating techniques; changes are reflected in the agent's release notes.

06

Data we collect — visitors

When you simply browse the site we may receive standard request data including IP address, user agent, referrer, requested URL, and timestamp. We use a small number of strictly necessary cookies for session, security, and preferences. We do not run third-party advertising trackers and we do not sell visitor data.

07

Sources of data

We collect personal data directly from you when you create an Account and use the Service, automatically as you interact with the Service (for example through cookies, server logs, and the agent), and from third parties such as authentication providers (Google), payment processors, and anti-abuse services.

08

Purposes and lawful bases

We process personal data to: provide, operate, and maintain the Service — performance of contract (Art. 6(1)(b) GDPR); authenticate operators and secure Accounts — contract / legitimate interest (Art. 6(1)(b)(f)); produce and deliver the forensic report an operator requested for a player who ran the agent — contract / legitimate interest; detect, prevent, and respond to fraud, abuse, and prohibited use — legitimate interest and legal obligation (Art. 6(1)(c)(f)); comply with legal obligations including tax, accounting, and reporting duties — legal obligation (Art. 6(1)(c)); send service-related notices — contract / legitimate interest; send marketing communications — consent (Art. 6(1)(a)), withdrawable at any time; and improve and develop the Service — legitimate interest. We do not use scan data for advertising, profiling, or training third-party AI models.

09

Player consent

Cloverfield only scans a machine when the player who controls that machine downloads cloverfield.exe and runs it themselves with a valid session code. Operators are responsible for obtaining the player's informed consent before scanning. Where the player is a minor, the operator is responsible for obtaining appropriate parental or guardian consent in accordance with local law. You have the right to obtain human review of any significant automated decision that affects you (Art. 22 GDPR) by contacting privacy@buildingnew.life.

10

Sharing with processors

We share personal data only with vendors that help us run the Service under written data processing agreements: cloud hosting and database infrastructure, authentication providers, transactional email, error and performance monitoring, and payment processors. Reports are shared only with the operator who minted the session — this is the entire purpose of the Service. We do not sell personal data and do not share it for cross-context behavioural advertising.

11

International transfers

Some of our processors are located outside the European Economic Area, including in the United States. Where required, transfers are protected by the European Commission's Standard Contractual Clauses, supplementary technical and organizational measures, or — for transfers to the United States — reliance on the EU–U.S. Data Privacy Framework where the recipient is certified.

12

Cookies and tracking

We use strictly necessary cookies for authentication, session management, and security. Analytics or marketing cookies are loaded only after you accept them in our cookie banner. You can review and change your choices at any time. We do not respond to "Do Not Track" signals because there is no industry-wide standard for their interpretation.

13

Retention

We retain personal data for as long as necessary to provide the Service and for the periods required by law: forensic reports — 90 days from upload, then permanently deleted (operators may delete a specific report earlier from their dashboard); session and license data — for the life of the associated Account and up to 30 days after closure in backups; Account and authentication data — for the life of your Account and 90 days after closure; billing records — for the period required by accounting and tax law (typically 6–10 years); safety and abuse records, including records preserved under Section 14 — for the period required by applicable law and, in any event, no shorter than the statutory minimum; server and security logs — typically 30 to 180 days, longer where needed for investigation.

14

Disclosures to authorities

We may disclose personal data to law enforcement, regulators, or other public authorities where we are required to do so by law, where we have a good-faith belief that disclosure is necessary to comply with a binding legal request, or where disclosure is necessary to protect the rights, property, or safety of any person. Where activity on your Account is determined to constitute a serious violation — in particular material relating to the sexual exploitation of minors, terrorism, or credible threats of violence — we are required by law to preserve the relevant records and to file a report with the competent authorities, in accordance with 18 U.S.C. § 2258A, EU Regulation 2021/1232, and the corresponding provisions of Finnish law. Records preserved under this section cannot be deleted on request.

15

Your rights

Subject to the conditions and exceptions set out in applicable data protection law, you have the right to: (a) access your personal data; (b) rectify inaccurate data; (c) request erasure; (d) restrict or object to processing; (e) data portability; (f) withdraw consent at any time without affecting processing already carried out; and (g) lodge a complaint with a supervisory authority. In Finland this is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). To exercise your rights, contact privacy@buildingnew.life. We will respond within one month, extendable by two further months for complex requests.

16

Security

Reports are signed and hashed end-to-end so tampering can be detected. Authentication uses industry-standard mechanisms (hashed passwords, OAuth). We implement encryption in transit (TLS 1.2+), encryption at rest, role-based access control, least-privilege production access, audit logging, regular dependency scanning, and incident response procedures. No system can be made perfectly secure; please report suspected vulnerabilities to security@buildingnew.life.

17

Children

The Service is not directed to children under 13, and where local law sets a higher age of digital consent we apply that higher age. We do not knowingly collect personal data from children below the applicable age. If you believe a child has provided us personal data, please contact privacy@buildingnew.life and we will take appropriate steps to delete it.

18

Data breach notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, and notify affected users without undue delay where required by law.

19

California residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know the categories of personal information collected, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing" of personal information. We do not sell personal information and do not share it for cross-context behavioural advertising as those terms are defined under California law.

20

Automated decisions

Reports are produced by automated forensic analysis. The report itself is information presented to the operator — it does not, by itself, ban a player or produce a legally significant decision. Any decision based on the report is made by the operator (or the league, tournament, or organization they represent), not by us.

21

Changes to this Policy

We may update this Policy from time to time. Material changes will be announced in the Service or by email at least 14 days before they take effect, except where an earlier change is required for legal reasons. The "Last updated" date below reflects the latest version.

22

Contact

Privacy questions: privacy@buildingnew.life. General inquiries: hello@buildingnew.life. Postal: Building New Life, Eteläesplanadi 22, 00130 Helsinki, Finland. See also our Terms of Service.