מדיניות פרטיות

1. Who we are

BYOB — Build your own memes. Meme Lab for making memes, plus Grind for ink and upgrades. This site and our online services run on secure cloud infrastructure.

Controller (EEA/UK/Switzerland). For the purposes of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the Swiss Federal Act on Data Protection where applicable, the operator of BYOB—reachable at support@buildyourownbrainrot.com—is the data controller for the personal data described in this policy (unless we tell you otherwise for a specific processing activity).

For privacy questions, data protection requests, and exercising your rights, contact support@buildyourownbrainrot.com (see also Support). We are not required to appoint a Data Protection Officer for this service; if that changes, we will update this policy.

EU / EEA representative (GDPR Article 27). Companies not established in the EU may need to designate a representative in the Union when they offer goods or services to people in the EEA or monitor their behaviour, depending on the facts. We assess this requirement as our service evolves. Until we publish a separate EU representative in this policy, the controller contact in section 11 is your primary contact for GDPR requests relating to BYOB and this website.

2. What we collect and why

2.1 Photos from your camera (Meme Lab)

When you use Meme Lab, you take a new photo with the in-app camera. We do not request broad access to your photo library for meme generation.

That image is sent to our server over HTTPS to:

• Run an automated vision safety check (“Il Guardiano del Rot”) before any generative step;
• Run AI image generation (image-to-image) so you receive a stylized meme.

We do not use your photos for advertising, sale, or user profiling for ads. If a scene is blocked by the safety gate, we do not produce a meme from that request.

Automated content checks. The safety step uses automated image understanding to decide whether to allow generation for that request. It is not used to make solely automated decisions with legal or similarly significant effects on you in the sense of GDPR Article 22.

Optional Meme Lab modes (short clips, Fruit Island text, Ultra quality)

Short clip export. You may choose a mode where we still return a generated image from our servers (same Rot Guardian and AI steps). The iOS app can then turn that frame into a brief video on your device for sharing. When enabled, our servers may also deduct extra Brainrot Points from your synced wallet in line with in-app pricing — see wallet sync below.

Fruit Island (optional). In a separate Meme Lab flow you can add a short written synopsis with your camera photo. That text is sent with your request so our model can read mood and atmosphere only; it is not treated as instructions to bypass safety checks, and length/format limits apply server-side. Access may depend on lifetime Brainrot Points stored on your synced wallet.

Ultra quality image generation (optional). When unlocked in the app, you may choose a higher-cost image path that can spend additional Brainrot Points on your synced wallet for that cook. Certain combinations (for example Ultra plus short-clip mode on the same request) are not offered.

2.2 Device identifier (Keychain and optional iCloud mirror)

The app stores a random identifier in the iOS Keychain so our service can recognize your installation without a named user account. The same value may be mirrored to iCloud Key-Value Store on your Apple ID so the identifier can persist across reinstalls when iCloud is available—this is still a pseudonymous ID, not your name or email.

We send this identifier to our servers (for example as request metadata) so we can:

• Keep usage fair, enforce rate limits, and reduce abuse;
• Maintain an optional server-side “ink” wallet so Meme Lab costs and optional rot spends stay in sync between your device and our servers;
• Support optional features such as the public leaderboard and referral or invite flows, where those features tie rewards or scores to your device ID on the backend.

Relationship to ads. This BYOB-managed ID is used for our own service logic as described above. Google AdMob (see below) runs as a separate SDK and may use its own identifiers, device signals, and data practices under Google’s Privacy Policy; those practices are not identical to ours.

2.3 Google advertising (AdMob) in the app

The iOS app may show Google Mobile Ads (AdMob) placements—for example rewarded, native, or other formats—to help fund the free app. AdMob and its partners may collect or derive information from your device (such as device or advertising identifiers, IP-derived coarse location, app interaction, and fraud-prevention signals) to deliver and measure ads, cap frequency, and detect invalid traffic.

Depending on your region and settings, the app may present consent or preference controls (for example through Google’s User Messaging Platform or Apple’s App Tracking Transparency) before certain data uses. You can also limit ad personalization in iOS settings (for example Settings → Privacy & Security → Apple Advertising and related controls). We do not receive your Meme Lab photos from AdMob solely because ads run in the app.

This marketing website does not embed AdMob; ad network scripts on these HTML pages are not used the same way as in the app.

2.4 Gameplay and settings (on device)

Game state (e.g. Brainrot Points, upgrades, preferences such as sound and chaos mode) is stored locally on your device unless you use features that explicitly sync to our server (see wallet sync).

2.5 Wallet sync (server)

If you use Meme Lab online, we store wallet-related values tied to your device identifier (for example ink balance, spendable rot, lifetime rot, and ink cap) in secure cloud storage so the app and our service agree on generation cost, optional rot spends (such as short-clip or Ultra modes when you use them), and balances.

2.6 Leaderboard and referrals (optional)

If you choose to submit a display name and score, we may store that name and score on our servers and show them on a public leaderboard (in the app and on this website). Names are validated and may be rejected if they violate our rules. Scores are tied to your device ID on the backend.

If you use referral or invite features, we may record redemptions or rewards against device identifiers so bonuses can be applied fairly.

2.7 Technical data (app & website)

Like most hosted services, our infrastructure may process technical information such as IP address, timestamps, and request metadata for security, debugging, and abuse prevention. The app authenticates to our service in ways designed to reduce misuse.

When you browse this website in a browser (for example to read policies or view the public leaderboard page), our hosting provider may process similar technical data and set strictly necessary cookies or identifiers as described in our Cookie Policy. If you opt in to optional cookies on this site, Microsoft Clarity may process usage data on these pages as described there. We do not run third-party behavioral advertising networks on these marketing pages.

2.8 Visiting only this website (EU / EEA / UK)

If you only use a browser to read pages on https://buildyourownbrainrot.com and do not use the iOS app, we typically process technical data (such as IP address, approximate location derived from IP, browser type, timestamps, and request path) and strictly necessary cookies as described above and in the Cookie Policy. That processing is covered by the GDPR / UK GDPR when those laws apply. Legal bases are summarised in section 3; your rights (access, erasure, objection, complaint to a supervisory authority, etc.) are described in section 8.

3. Legal bases (EEA, UK & Switzerland)

If the GDPR, UK GDPR, or Swiss law applies, we process personal data only where we have a valid legal basis under applicable law. The table below summarises typical processing. Where we rely on legitimate interests, we consider your rights and balance them against our interests; you may object to processing based on legitimate interests in certain cases (see section 8).

If national law requires a different basis for a specific activity, we will rely on that basis where appropriate.

4. Processors, subprocessors & AI

We use Cloudflare and related services as processors (GDPR Article 28) to host this site, run our online features, and perform AI inference. We use written agreements with our processors that require them to protect personal data and process it only on our instructions, subject to their public terms and privacy notices.

Google. The iOS app loads Google Mobile Ads (AdMob). Google acts as an independent provider of advertising technology and may process data as described in Google’s Privacy Policy and Google’s advertising terms. Depending on region and configuration, Google may be a processor, subprocessor, or separate controller for specific advertising activities—see Google’s disclosures for your jurisdiction.

Data may be processed on Cloudflare’s global network (including in the United States and other regions). AI models are invoked only to perform the safety check and image generation you trigger (including optional modes such as Ultra quality or Fruit Island where you submit synopsis text). We do not train public models on your photos or synopsis text.

5. Retention

We retain server-side data only as long as needed to operate the service, comply with law, and resolve disputes. Wallet and leaderboard entries may persist until overwritten by new gameplay data or removed as part of routine maintenance. We do not guarantee indefinite storage of any score or image.

AdMob and Google may retain ad-related logs and metrics under their own retention schedules; see Google’s privacy documentation for details.

6. Security

We use HTTPS for data in transit. No method of storage or transmission is 100% secure; use the app only on devices you trust.

7. Children & U.S. children’s privacy (COPPA)

Audience. BYOB is intended for a general audience and is not directed to children under 13 in the United States (or the minimum age required in your country for similar protections). Parents and guardians should supervise younger users’ device use and online activity.

No knowing collection from children without consent. We do not knowingly collect, use, or disclose personal information (as defined under the U.S. Children’s Online Privacy Protection Act and its implementing rule, “COPPA”) from children under 13 without verifiable parental consent, except as COPPA permits. The iOS app includes Google AdMob, which may collect identifiers and usage data for advertising in line with Google’s policies and platform child-directed treatment settings. The marketing pages on this website do not embed AdMob the way the app does; we do not load third-party ad network scripts on these HTML pages for behavioral advertising in the same manner as in-app ads.

This website and the public leaderboard

This site (policies, home, support, and the public leaderboard page) is part of the same online service as the app. We do not design these pages for children under 13. Viewing our HTML pages may involve technical data and strictly necessary cookies as described in sections 2.7 and in the Cookie Policy. The leaderboard page may show display names and scores submitted from the app; it does not let visitors sign up for an account on the web.

If you are a parent or guardian in the U.S. and you believe we have collected personal information from your child under 13 in a way that requires parental consent, contact us at support@buildyourownbrainrot.com. We will respond in line with applicable law, which may include deleting that information and refusing to allow further collection or use, except as permitted to maintain security or comply with law.

Information we may collect. Depending on how the app is used, our service may process technical data (for example IP address and request metadata), a random device identifier stored in the iOS Keychain (and optionally mirrored via iCloud Key-Value Store), optional wallet values tied to that identifier, photos you submit for Meme Lab, optional short synopsis text when you use gated Meme Lab flows such as Fruit Island, an optional leaderboard display name, and data related to referrals or invites where those features are enabled. Google AdMob may separately collect or derive advertising-related data on the device as described in section 2.3. When you use only a web browser here, collection is generally limited to technical data (and any cookies described in the Cookie Policy). The sections above describe these practices in more detail.

This section is meant to help you understand our practices; it is not legal advice. COPPA and other laws depend on how the service is operated and who uses it—consult qualified counsel if you need certainty for your situation.

EU / UK / Switzerland — children and consent

Under the GDPR and UK GDPR, the age at which a child may consent to information society services varies (typically 13–16 depending on the member state). If you are a parent or guardian and believe your child has provided personal data without a valid basis, contact us and we will address your request in line with applicable law.

8. Your rights

EEA, UK & Switzerland (GDPR / UK GDPR). Subject to conditions and exceptions in applicable law, you may have the right to:

• Access your personal data and receive certain information about processing (Art. 15);
• Rectify inaccurate data (Art. 16);
• Erase data (“right to be forgotten”) in certain cases (Art. 17);
• Restrict processing in certain cases (Art. 18);
• Data portability for data you provided, where processing is based on consent or contract and carried out by automated means (Art. 20);
• Object to processing based on legitimate interests (Art. 21), and to direct marketing (we do not send marketing emails by default);
• Withdraw consent at any time, where we rely on consent, without affecting the lawfulness of processing before withdrawal;
• Lodge a complaint with a data protection supervisory authority in your country of habitual residence, place of work, or place of an alleged infringement.

How to exercise rights. Email support@buildyourownbrainrot.com from an address you control and describe your request. Because we often identify accounts by a random device ID (not an email login), we may ask for reasonable information to confirm your request and match your device or leaderboard entry—without asking for more data than necessary.

Website-only visits. If you have not used the app and only visited this site, we may hold limited technical records (for example server logs). To help us locate data tied to you, include approximate date/time, pages visited, and whether you use a VPN. We may not be able to separate one visit from other similar technical traffic; we will explain the outcome of your request in line with applicable law.

Response time. We will respond within one month in line with GDPR where it applies, or inform you if we need more time or cannot fulfil a request (for example if data is required to meet a legal obligation).

Other regions. Depending on where you live, similar rights may apply. We will honour applicable law.

California (CCPA/CPRA): We do not sell personal information to unrelated data brokers for money. The iOS app uses Google AdMob, which may process identifiers and usage data for advertising delivery and measurement. Under California law, certain advertising-related disclosures or processing may be treated as “sharing” or “selling” personal information as those terms are defined in the CCPA/CPRA, depending on Google’s configuration and your choices. You can limit some uses through iOS privacy and advertising settings, any in-app consent or messaging presented for ads, and Google’s resources linked from Google’s Privacy Policy. California residents may contact us for permitted privacy requests.

9. International transfers

We are based in the United States and use infrastructure that may process data there and in other countries. If you use BYOB from the EEA, UK, or Switzerland, your personal data may be transferred to the United States or other countries that may not be deemed to provide an adequate level of protection by your local authority.

Where GDPR (or UK/Swiss equivalents) applies, we implement appropriate safeguards for such transfers as required by law, including—where relevant—Standard Contractual Clauses approved by the European Commission or UK authorities in our agreements with processors, and supplementary measures our processors describe where appropriate. Cloudflare publishes information about compliance and transfers in its privacy documentation.

U.S. users: certain transfers may also be supported where applicable by other lawful mechanisms (for example the EU-U.S. Data Privacy Framework for participating organizations, where relevant to a given processor).

10. Changes

We may update this Privacy Policy from time to time. The “Effective date” at the top will change when we do. Where applicable law requires it, we will provide additional notice of material changes (for example through the app or site). Continued use of the app or site after changes where permitted means you acknowledge the updated policy.

11. Contact

Email: support@buildyourownbrainrot.com · Support page