Privacy Policy

1. Introduction

Rebuff Reality, Inc. (“Rebuff Reality,” “we,” “us,” or “our”) operates the BodyLink platform, which includes, without limitation, the BodyLink motion gaming system, the BodyLink 60FPS tracking camera, the BodyLink precision haptic controller, the BodyLink Store digital marketplace, the BodyLink Developer Portal, associated mobile and desktop applications, firmware, software development kits (“SDK”), application programming interfaces (“API”), and all related websites, services, and support channels (collectively, the “Services”). This Privacy Policy describes how we collect, use, disclose, store, and otherwise process your personal information in connection with your access to and use of our Services. By using any of our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Privacy Policy, you should immediately discontinue use of our Services.

2. On-Device Processing & Motion Data

BodyLink is engineered with a privacy-first architecture. The BodyLink system utilizes proprietary on-device artificial intelligence and computer vision algorithms to perform full-body skeletal tracking at up to sixty (60) frames per second. All motion tracking data, body pose estimation, skeletal joint positions, gesture recognition data, and any other biometric or movement-related data generated during gameplay or application use (collectively, “Motion Data”) is processed entirely and exclusively on the local BodyLink device hardware.

Under no circumstances is Motion Data transmitted to, uploaded to, stored on, or otherwise made available to Rebuff Reality servers, cloud infrastructure, or any third-party service. Motion Data exists solely in volatile memory during active use and is purged upon session termination unless explicitly saved by the user through the 4K media recording functionality.

The stereo camera system integrated into the BodyLink system captures visual input solely for the purpose of real-time body tracking computation. Raw camera feeds are not recorded, stored, transmitted, or accessible to any application, developer, or third party. Game developers utilizing the BodyLink SDK receive only abstracted skeletal joint position data and confidence scores — they do not receive, and cannot access, raw camera imagery, depth maps, or any identifiable visual data from the camera system.

3. Categories of Information We Collect

In the course of providing our Services, we may collect and process the following categories of personal and non-personal information:

3.1 Account Registration Information

When you create a BodyLink account, we collect your email address, chosen username or display name, and an encrypted representation of your password. If you register through a third-party authentication provider (such as Google or Apple sign-in), we may receive your name, email address, and a unique identifier from that provider. We do not receive or store your third-party account password.

3.2 Transaction & Payment Information

When you make purchases through the BodyLink Store (including game purchases, in-app purchases, subscriptions, or hardware pre-orders), our third-party payment processors collect and process your payment card information, billing address, and related financial data. We do not directly collect, store, or have access to your full payment card numbers. We receive and retain transaction records including purchase amounts, dates, product identifiers, and transaction confirmation numbers for order fulfillment, refund processing, accounting, and legal compliance purposes.

3.3 Device & Hardware Information

When you connect a BodyLink system to our Services, we may collect device serial numbers, hardware model identifiers, firmware version numbers, MAC addresses, and software version information. This information is used for device registration, license management, warranty verification, software update delivery, and technical support. This category of information expressly does not include any Motion Data, camera imagery, or gameplay content.

3.4 Usage & Analytics Data

We collect anonymized and aggregated data regarding how you interact with our websites, the BodyLink Store, and our applications. This may include pages visited, features used, session duration, click patterns, search queries within the Store, game browsing behavior, and general navigation flows. We use this data to understand usage trends, improve user experience, optimize our Services, and inform product development decisions. Where technically feasible, this data is collected in a manner that does not personally identify individual users.

3.5 Communications Data

If you contact our customer support team, participate in surveys, respond to promotional communications, or otherwise communicate with us, we retain records of such communications including your name, email address, message content, attachments, and any metadata associated with the communication channel used.

3.6 Newsletter & Marketing Preferences

If you subscribe to our newsletter or opt in to receive marketing communications, we collect and store your email address, subscription preferences, and engagement metrics (such as open rates and click-through rates) to personalize and improve our communications. You may unsubscribe at any time using the link provided in each communication.

3.7 Developer Portal Information

If you register as a developer on the BodyLink Developer Portal, we additionally collect your developer profile information, organization or studio name, tax identification information (where required for revenue disbursement), bank account or payment information for receiving royalty payments, game submission metadata (including game titles, descriptions, screenshots, APK files, and version information), and analytics data related to your published titles.

4. Cookies, Tracking Technologies & Website Analytics

Our websites and web-based applications use cookies, web beacons, pixel tags, local storage, and similar tracking technologies (collectively, “Cookies”) for the following purposes:

• Strictly Necessary Cookies: Required for essential site functionality, including session management, authentication, security features, load balancing, and shopping cart persistence. These cookies cannot be disabled without impairing core functionality.
• Functional Cookies: Used to remember your preferences, settings, language selection, and display options to provide a personalized experience across sessions.
• Analytics Cookies: Employed to collect aggregated, anonymized data about website traffic patterns, page views, referral sources, bounce rates, and user engagement metrics. We use this information to measure the effectiveness of our content and to improve our websites.
• Marketing Cookies: If deployed, used to deliver relevant advertisements and to measure the effectiveness of advertising campaigns. These cookies may track your browsing activity across multiple websites.

You may manage your cookie preferences through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or alert you when cookies are being set. Please note that disabling certain cookies may affect the functionality of our websites. We honor Do Not Track (“DNT”) browser signals where technically feasible.

5. Purposes of Processing & Legal Bases

We process your personal information for the following purposes, each supported by an appropriate legal basis:

• Contract Performance: To provide, maintain, and deliver the Services you have requested, including account creation, game purchases, digital content delivery, hardware registration, software updates, developer revenue disbursement, and customer support.
• Legitimate Interests: To improve and optimize our Services, conduct analytics and research, personalize your experience, detect and prevent fraud or unauthorized access, enforce our terms and policies, protect the security and integrity of our platform, and communicate service-related information.
• Consent: To send marketing and promotional communications where you have opted in, to deploy non-essential cookies and tracking technologies, and to process any other data for which we have obtained your explicit consent.
• Legal Obligation: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including tax reporting, consumer protection obligations, and data retention requirements.

6. Data Sharing & Third-Party Disclosures

We do not sell your personal information to third parties. We may share your information in the following limited circumstances:

• Service Providers: We engage trusted third-party companies and individuals to perform services on our behalf, including payment processing, email delivery, cloud hosting and infrastructure (such as Cloudflare and Supabase), analytics, customer support tools, and fraud detection. These service providers are contractually obligated to use your information only as necessary to perform services for us and in accordance with this Privacy Policy.
• Game Developers: If you purchase, download, or interact with third-party games on the BodyLink Store, we may share limited, non-identifying information with the game developer, such as aggregate download counts and anonymized usage statistics. We do not share your personal contact information with developers without your consent.
• Legal Requirements: We may disclose your information if required to do so by law, regulation, subpoena, court order, or other legal process, or if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
• Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of such transaction. We will notify you of any such change in ownership or control of your personal information.
• Third-Party Platforms: Our Services may contain links to or integrations with third-party platforms including Discord, Kickstarter, YouTube, TikTok, X (formerly Twitter), Instagram, and Facebook. When you interact with these platforms, their respective privacy policies govern the collection and use of your data. We encourage you to review the privacy policies of any third-party services you access through our platform.

7. Data Retention

We retain your personal information for as long as your account is active, as needed to provide you with our Services, and as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, and as otherwise permitted by applicable law. Account information is retained for the duration of your account plus a reasonable period thereafter to facilitate account recovery and comply with legal retention requirements. Transaction records are retained for a minimum of seven (7) years for tax and accounting compliance. Anonymized analytics data may be retained indefinitely as it does not constitute personal information. When personal information is no longer required, we will securely delete or anonymize it in accordance with our data retention schedules and applicable data protection legislation.

8. Data Security

We implement and maintain appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, destruction, or loss. These measures include, but are not limited to: encryption of data in transit using TLS/SSL protocols; encryption of sensitive data at rest; secure authentication mechanisms including bcrypt password hashing; role-based access controls; regular security assessments and vulnerability testing; secure software development practices; incident response procedures; and employee security training. Our infrastructure providers maintain SOC 2 Type II compliance and industry-standard physical security controls. Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure, and we cannot guarantee the absolute security of your information. In the event of a data breach that affects your personal information, we will notify you and the relevant supervisory authorities in accordance with applicable data breach notification laws.

9. International Data Transfers

Rebuff Reality is based in the United States. If you access our Services from outside the United States, please be aware that your information may be transferred to, stored in, and processed in the United States and other jurisdictions where our service providers operate. These jurisdictions may have data protection laws that differ from those in your country of residence. By using our Services, you consent to the transfer of your information to these jurisdictions. Where required by applicable law, we implement appropriate safeguards for international data transfers, including Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.

10. Children's Privacy

BodyLink is a motion gaming platform designed for use by individuals and families. We recognize that our platform may appeal to younger audiences. We do not knowingly collect, solicit, or maintain personal information from children under the age of thirteen (13), or under the applicable age of digital consent in your jurisdiction, without verifiable parental consent as required by the Children's Online Privacy Protection Act (“COPPA”) and similar legislation. If we become aware that we have collected personal information from a child under the applicable age threshold without appropriate parental consent, we will take prompt steps to delete such information from our records. Parents and legal guardians are encouraged to monitor and supervise their children's use of the BodyLink Services and may contact us at any time to review, delete, or restrict the processing of their child's personal information. If you believe that a child has provided us with personal information without appropriate consent, please contact us immediately at the address provided below.

11. Your Privacy Rights

Depending on your jurisdiction of residence, you may be entitled to certain rights with respect to your personal information under applicable data protection legislation, including but not limited to:

• Right of Access: The right to request confirmation of whether we process your personal information and to obtain a copy of such information.
• Right of Rectification: The right to request correction of inaccurate or incomplete personal information we hold about you.
• Right of Erasure: The right to request deletion of your personal information, subject to certain legal exceptions and retention obligations.
• Right to Data Portability: The right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit such data to another controller.
• Right to Restrict Processing: The right to request that we limit the processing of your personal information under certain circumstances.
• Right to Object: The right to object to the processing of your personal information for direct marketing purposes or where processing is based on our legitimate interests.
• Right to Withdraw Consent: Where processing is based on your consent, the right to withdraw that consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
• Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising your privacy rights, as provided under the California Consumer Privacy Act (“CCPA”) and similar legislation.

To exercise any of these rights, please submit a verifiable request to us using the contact information provided in Section 14 below. We will respond to your request within the timeframe required by applicable law (generally thirty (30) days, with possible extensions as permitted). We may need to verify your identity before fulfilling your request, and we reserve the right to deny requests that are unfounded, excessive, or otherwise not required by law.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”). You have the right to know what categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business or commercial purpose for collecting or selling the information, and the categories of third parties with whom we share it. You have the right to request deletion of your personal information. You have the right to opt out of the sale or sharing of your personal information — however, we do not sell personal information as defined by the CCPA/CPRA. You have the right to correct inaccurate personal information. You have the right to limit the use and disclosure of sensitive personal information. We will not discriminate against you for exercising any of your CCPA/CPRA rights. To submit a request, contact us at the address provided in Section 14.

13. Changes to This Privacy Policy

We reserve the right to modify, amend, or update this Privacy Policy at any time in our sole discretion. When we make material changes to this Privacy Policy, we will update the “Last updated” date at the top of this page and, where appropriate, provide additional notice through our websites, the BodyLink Store, email notification, or other communication channels. Your continued use of our Services following the posting of changes constitutes your acceptance of such changes. We encourage you to review this Privacy Policy periodically to stay informed about our information practices and the choices available to you.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, your personal information, or our data practices, you may contact us through the following channels:

• General inquiries: info@bodylink.io
• Privacy-specific requests: privacy@bodylink.io
• Technical support: support@bodylink.io

We will endeavor to respond to all legitimate inquiries within a reasonable timeframe and in accordance with applicable law.