Privacy Policy

Effective date: April 20, 2026 · Applies to: the BYOB iOS/iPadOS app and the online services at https://buildyourownbrainrot.com (including this policy site and the public leaderboard page).

1. Who we are

BYOB (short for our tagline, build your own brainrot memes) is a mobile app for creating brainrot-style memes in Meme Lab, plus an idle game that earns ink and upgrades. This website and our online services are run on secure cloud infrastructure.

Controller (EEA/UK/Switzerland). For the purposes of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the Swiss Federal Act on Data Protection where applicable, the operator of BYOB—reachable at support@buildyourownbrainrot.com—is the data controller for the personal data described in this policy (unless we tell you otherwise for a specific processing activity).

For privacy questions, data protection requests, and exercising your rights, contact support@buildyourownbrainrot.com (see also Support). We are not required to appoint a Data Protection Officer for this service; if that changes, we will update this policy.

EU / EEA representative (GDPR Article 27). Companies not established in the EU may need to designate a representative in the Union when they offer goods or services to people in the EEA or monitor their behaviour, depending on the facts. We assess this requirement as our service evolves. Until we publish a separate EU representative in this policy, the controller contact in section 11 is your primary contact for GDPR requests relating to BYOB and this website.

2. What we collect and why

2.1 Photos from your camera (Meme Lab)

When you use Meme Lab, you take a new photo with the in-app camera. We do not request broad access to your photo library for meme generation.

That image is sent to our server over HTTPS to:

  • Run an automated vision safety check (“Il Guardiano del Rot”) before any generative step;
  • Run AI image generation (image-to-image) so you receive a stylized meme.

We do not use your photos for advertising, sale, or user profiling for ads. If a scene is blocked by the safety gate, we do not produce a meme from that request.

Automated content checks. The safety step uses automated image understanding to decide whether to allow generation for that request. It is not used to make solely automated decisions with legal or similarly significant effects on you in the sense of GDPR Article 22.

2.2 Device identifier (Keychain)

The app stores a random identifier in the iOS Keychain so our service can recognize your device without a login. We use it to:

  • Keep usage fair and prevent abuse;
  • Maintain an optional server-side “ink” wallet so Meme Lab costs stay in sync between your device and our servers.

This ID is not used for cross-app tracking or advertising. The app does not include third-party ad SDKs.

2.3 Gameplay and settings (on device)

Game state (e.g. Brainrot Points, upgrades, preferences such as sound and chaos mode) is stored locally on your device unless you use features that explicitly sync to our server (see wallet sync).

2.4 Wallet sync (server)

If you use Meme Lab online, we store wallet-related values tied to your device identifier (for example ink balance, lifetime rot, and ink cap) in secure cloud storage so the app and our service agree on generation cost and balances.

2.5 Leaderboard (optional)

If you choose to submit a display name and score, we may store that name and score on our servers and show them on a public leaderboard (in the app and on this website). Names are validated and may be rejected if they violate our rules. Scores are tied to your device ID on the backend.

2.6 Technical data (app & website)

Like most hosted services, our infrastructure may process technical information such as IP address, timestamps, and request metadata for security, debugging, and abuse prevention. The app authenticates to our service in ways designed to reduce misuse.

When you browse this website in a browser (for example to read policies or view the public leaderboard page), our hosting provider may process similar technical data and set strictly necessary cookies or identifiers as described in our Cookie Policy. We do not run third-party behavioral advertising networks on these marketing pages.

2.7 Visiting only this website (EU / EEA / UK)

If you only use a browser to read pages on https://buildyourownbrainrot.com and do not use the iOS app, we typically process technical data (such as IP address, approximate location derived from IP, browser type, timestamps, and request path) and strictly necessary cookies as described above and in the Cookie Policy. That processing is covered by the GDPR / UK GDPR when those laws apply. Legal bases are summarised in section 3; your rights (access, erasure, objection, complaint to a supervisory authority, etc.) are described in section 8.

3. Legal bases (EEA, UK & Switzerland)

If the GDPR, UK GDPR, or Swiss law applies, we process personal data only where we have a valid legal basis under applicable law. The table below summarises typical processing. Where we rely on legitimate interests, we consider your rights and balance them against our interests; you may object to processing based on legitimate interests in certain cases (see section 8).

| Processing | Typical legal basis |
| --- | --- |
| Providing Meme Lab (receiving and processing your photo, returning a generated image), wallet sync tied to your device ID | Performance of a contract / steps at your request (GDPR Art. 6(1)(b)) |
| Security, abuse prevention, rate limits, integrity of the service, minimal technical logs (e.g. IP, timestamps) | Legitimate interests (Art. 6(1)(f)) — keeping the service safe and available |
| Optional leaderboard display name and score | Performance of a contract or, where applicable, consent when you choose to submit (Art. 6(1)(a) or (b)) |
| Camera access on your device | Where required by law, consent via iOS permission prompts (Art. 6(1)(a)); you can withdraw by revoking camera permission or not using Meme Lab |
| Compliance with law, responding to lawful requests | Legal obligation (Art. 6(1)(c)) where applicable |
| Delivering and securing this informational website (including strictly necessary cookies, bot management, minimal server logs when you load HTML pages) | Legitimate interests (Art. 6(1)(f)) — operating a secure, available site; or, where applicable, providing the informational pages you request (Art. 6(1)(b)) |

If national law requires a different basis for a specific activity, we will rely on that basis where appropriate.

4. Processors, subprocessors & AI

We use Cloudflare and related services as processors (GDPR Article 28) to host this site, run our online features, and perform AI inference. We use written agreements with our processors that require them to protect personal data and process it only on our instructions, subject to their public terms and privacy notices.

Data may be processed on Cloudflare’s global network (including in the United States and other regions). AI models are invoked only to perform the safety check and image generation you trigger; we do not train public models on your photos.

5. Retention

We retain server-side data only as long as needed to operate the service, comply with law, and resolve disputes. Wallet and leaderboard entries may persist until overwritten by new gameplay data or removed as part of routine maintenance. We do not guarantee indefinite storage of any score or image.

6. Security

We use HTTPS for data in transit. No method of storage or transmission is 100% secure; use the app only on devices you trust.

7. Children & U.S. children’s privacy (COPPA)

Audience. BYOB is intended for a general audience and is not directed to children under 13 in the United States (or the minimum age required in your country for similar protections). Parents and guardians should supervise younger users’ device use and online activity.

No knowing collection from children without consent. We do not knowingly collect, use, or disclose personal information (as defined under the U.S. Children’s Online Privacy Protection Act and its implementing rule, “COPPA”) from children under 13 without verifiable parental consent, except as COPPA permits. The app does not include third-party behavioral advertising SDKs, and the marketing pages on this website do not load third-party ad networks for behavioral advertising.

This website and the public leaderboard

This site (policies, home, support, and the public leaderboard page) is part of the same online service as the app. We do not design these pages for children under 13. Viewing our HTML pages may involve technical data and strictly necessary cookies as described in section 2.6 and in the Cookie Policy. The leaderboard page may show display names and scores submitted from the app; it does not let visitors sign up for an account on the web.

If you are a parent or guardian in the U.S. and you believe we have collected personal information from your child under 13 in a way that requires parental consent, contact us at support@buildyourownbrainrot.com. We will respond in line with applicable law, which may include deleting that information and refusing to allow further collection or use, except as permitted to maintain security or comply with law.

Information we may collect. Depending on how the app is used, our service may process technical data (for example IP address and request metadata), a random device identifier stored in the iOS Keychain, optional wallet values tied to that identifier, photos you submit for Meme Lab, and an optional leaderboard display name. When you use only a web browser here, collection is generally limited to technical data (and any cookies described in the Cookie Policy). The sections above describe these practices in more detail.

This section is meant to help you understand our practices; it is not legal advice. COPPA and other laws depend on how the service is operated and who uses it—consult qualified counsel if you need certainty for your situation.

EU / UK / Switzerland — children and consent

Under the GDPR and UK GDPR, the age at which a child may consent to information society services varies (typically 13–16 depending on the member state). If you are a parent or guardian and believe your child has provided personal data without a valid basis, contact us and we will address your request in line with applicable law.

8. Your rights

EEA, UK & Switzerland (GDPR / UK GDPR). Subject to conditions and exceptions in applicable law, you may have the right to:

  • Access your personal data and receive certain information about processing (Art. 15);
  • Rectify inaccurate data (Art. 16);
  • Erase data (“right to be forgotten”) in certain cases (Art. 17);
  • Restrict processing in certain cases (Art. 18);
  • Data portability for data you provided, where processing is based on consent or contract and carried out by automated means (Art. 20);
  • Object to processing based on legitimate interests (Art. 21), and to direct marketing (we do not send marketing emails by default);
  • Withdraw consent at any time, where we rely on consent, without affecting the lawfulness of processing before withdrawal;
  • Lodge a complaint with a data protection supervisory authority in your country of habitual residence, place of work, or place of an alleged infringement.

How to exercise rights. Email support@buildyourownbrainrot.com from an address you control and describe your request. Because we often identify accounts by a random device ID (not an email login), we may ask for reasonable information to confirm your request and match your device or leaderboard entry—without asking for more data than necessary.

Website-only visits. If you have not used the app and only visited this site, we may hold limited technical records (for example server logs). To help us locate data tied to you, include approximate date/time, pages visited, and whether you use a VPN. We may not be able to separate one visit from other similar technical traffic; we will explain the outcome of your request in line with applicable law.

Response time. We will respond within one month in line with GDPR where it applies, or inform you if we need more time or cannot fulfil a request (for example if data is required to meet a legal obligation).

Other regions. Depending on where you live, similar rights may apply. We will honour applicable law.

California (CCPA/CPRA): We do not “sell” or “share” personal information as those terms are commonly defined for cross-context behavioral advertising. California residents may contact us for permitted privacy requests.

9. International transfers

We are based in the United States and use infrastructure that may process data there and in other countries. If you use BYOB from the EEA, UK, or Switzerland, your personal data may be transferred to the United States or other countries that may not be deemed to provide an adequate level of protection by your local authority.

Where GDPR (or UK/Swiss equivalents) applies, we implement appropriate safeguards for such transfers as required by law, including—where relevant—Standard Contractual Clauses approved by the European Commission or UK authorities in our agreements with processors, and supplementary measures our processors describe where appropriate. Cloudflare publishes information about compliance and transfers in its privacy documentation.

U.S. users: certain transfers may also be supported where applicable by other lawful mechanisms (for example the EU-U.S. Data Privacy Framework for participating organizations, where relevant to a given processor).

10. Changes

We may update this Privacy Policy from time to time. The “Effective date” at the top will change when we do. Where applicable law requires it, we will provide additional notice of material changes (for example through the app or site). Continued use of the app or site after changes, where permitted, means you acknowledge the updated policy.