Privacy Policy

Version 2.0

Last edited: 2026-04-14

1. Introduction

This Privacy Policy explains how MB "Bit by bit developers", a limited liability company with its place of business at Volungės g. 5-1, Vilnius LT-10315, Lithuania (the "Company", "we", "us", or "our"), collects, uses, stores, and protects personal data when you use the bitbybit.dev website and all its subdomains (the "Platform"), including the API Services and any related services.

This Privacy Policy applies to all users of the Platform, whether registered or anonymous visitors. By creating an account you confirm that you have read and understood this Privacy Policy.

For the purposes of the EU General Data Protection Regulation (GDPR), the Company is the data controller for the personal data described in this policy, except where we act as a data processor on your behalf when processing data you submit through the API Services (see §12).

Contact for privacy matters: info@bitbybit.dev

2. Personal Data We Collect

2.1 Data you provide at registration

When you create an account we collect:

  • Email address - for account identification, login, email verification, and service communications
  • Public user name - displayed as attribution on content you publish
  • Password - for account authentication (email/password method only)
  • Age confirmation - verification that you are at least 18 years old, or that a parent or legal guardian is creating the account on behalf of a minor aged 13–17
  • Consent records - date and version of your agreement to our Terms and Conditions and Privacy Policy
  • Marketing email consent (optional) - whether you agree to receive promotional emails

2.2 Data collected through third-party authentication

You may register or log in using third-party authentication providers (currently Google, Facebook, and GitHub). When you do, we receive your display name, email address, and profile photo URL from the provider. We do not receive or store your password from these providers. The data these providers share with us is governed by their respective privacy policies.

2.3 Data stored in your account

Your account record in our database consists of:

Private data (accessible only to you and authorized administrators):

  • User ID, email address, and account timestamps (creation, last login, last edit)
  • Agreement consent records (dates and version numbers)
  • Age confirmation and marketing email consent status
  • Account state

Public data (visible to other authenticated users):

  • Public user name
  • Profile image (if uploaded)

2.4 User-generated content

When you use the Platform you may create:

  • Projects - with title, description, visibility setting, and images
  • Scripts - code files associated with projects
  • Assets - files uploaded to projects (3D models, images, etc.)
  • Images - project and script preview images

Content you mark as public is accessible to anyone on the internet and may be indexed by search engines.

2.5 Payment data

We use a third-party payment processor (Stripe) to handle subscriptions. When you subscribe to a paid plan:

  • Stripe collects your payment information (credit card, billing address) directly - we never see, store, or process your payment card data
  • We receive your subscription status and plan type from the payment processor

Stripe's handling of your data is governed by the Stripe Privacy Policy.

2.6 Data collected through cookies and analytics

We use the following categories of cookies and browser storage:

  • Essential cookies: A cookie consent preference cookie and an authenticated session cookie for API access. These are necessary for the Platform to function.
  • Analytics cookies: If you accept cookies via our consent popup, we use Google Analytics to collect anonymized usage data (page views, events). Analytics data is collected in aggregate to understand how the Platform is used, not to identify individuals.
  • Browser local storage: We store minimal data in your browser's local storage (e.g., display preferences) to improve performance on return visits. This data is not sent to our servers.

For full cookie details, see our Cookie Policy. For Google's data handling, see the Google Privacy Policy.

2.7 Data collected automatically

When you visit the Platform, our hosting infrastructure automatically processes:

  • IP address
  • Standard HTTP request metadata (URL, user agent, referrer)
  • Approximate geographic location (derived from IP address)

This data is processed for routing, security, and abuse prevention by our hosting and CDN provider.

2.8 Bot protection data

We use automated bot protection on login, sign-up, and password reset forms. This collects browser challenge interaction data and a verification token. No personal data is collected beyond what is needed for the challenge.

2.9 Multi-Factor Authentication (MFA) data

If you enable MFA (available for email/password accounts), we store a secret key associated with your authenticator app enrollment. During setup, a QR code is generated that you scan with your authenticator app.

3. How We Use Your Data

We use your personal data for the following purposes:

Purpose Legal basis (GDPR)
Providing and maintaining your account Performance of contract (Art. 6(1)(b))
Authenticating your identity Performance of contract (Art. 6(1)(b))
Processing payments and managing subscriptions Performance of contract (Art. 6(1)(b))
Displaying your public user name on content you publish Performance of contract (Art. 6(1)(b))
Sending service-related communications (verification emails, agreement updates) Performance of contract (Art. 6(1)(b))
Sending marketing emails Consent (Art. 6(1)(a)) - only if you opted in
Analytics and Platform improvement Legitimate interest (Art. 6(1)(f)) - only with cookie consent
Preventing abuse, fraud, and bot activity Legitimate interest (Art. 6(1)(f))
Complying with legal obligations Legal obligation (Art. 6(1)(c))
Processing API Data you submit Performance of contract (Art. 6(1)(b))

4. Sharing Your Personal Data

We do not sell, trade, or rent your personal data to third parties.

We share your data only with the following categories of service providers who process data on our behalf:

  • Cloud infrastructure provider - account data, authentication, database storage, and file storage
  • Payment processor (Stripe) - subscription and billing data (payment card data is collected directly by Stripe, not by us)
  • Analytics provider - anonymized usage data such as page views and events (only with your cookie consent)
  • Hosting and CDN provider - HTTP requests and IP addresses for content delivery, security, and bot protection
  • Search provider - public content metadata (titles, descriptions, author names) to power the public search feature. No private user data is shared.
  • Accounting service provider - invoice and billing data (names, email addresses, company names, VAT identification numbers, other tax or business identifiers, transaction amounts, and billing addresses) for bookkeeping and tax compliance purposes.

All subprocessors have been assessed for adequate data protection. Where data is transferred outside the EEA, transfers are covered by Standard Contractual Clauses (SCCs) and/or adequacy decisions where applicable.

A current list of specific subprocessors is available upon request by contacting info@bitbybit.dev.

We may also disclose your data if required by law or to protect our rights, safety, or the rights of others.

5. Public Projects and Content

When you create Projects, Scripts, or Assets and set their visibility to public:

  • Your public user name is displayed as the author
  • Project titles, descriptions, images, and script code are accessible to anyone on the internet
  • Public content may be indexed by search engines and included in our search index and sitemap
  • Public projects are shared under MIT (code) and CC BY 4.0 (creative output) licenses as stated in our Terms and Conditions
  • You take full responsibility for the content and quality of public material
  • All assets used in publicly accessible projects must be original or you must have the right to use and publish them

Removing public content: If you delete a project, it is removed from our database and search index. However, content already indexed by search engines or cached by third parties may persist. Contact us at info@bitbybit.dev if you need assistance with search engine removal requests (provided on a best-effort basis).

6. Data Retention

  • Active account data - retained while your account is active
  • Data after account deletion - database backups are overwritten through normal rotation within approximately 90 days. Specific legal and compliance records (such as transaction history, billing records, and account identifiers) may be retained for up to 10 years where required for tax, legal, or regulatory purposes. Archives are not used for active processing and are not shared with third parties except as required by law.
  • API processing results - retained temporarily (currently 24 hours) then automatically deleted
  • API uploaded files - deleted after processing is complete
  • Analytics data - per our analytics provider's retention settings
  • Cookie consent preference - per the expiry configured in our cookie banner
  • Infrastructure logs - per our hosting provider's retention policy
  • Payment records - per our payment processor's retention policy and tax/legal requirements

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with similar data protection laws, you have the following rights:

7.1 Right of access (Art. 15 GDPR)

You can view the personal data we hold about you by visiting your Profile page. This shows data stored in our database. Note that this does not include data held by our analytics or payment providers.

For a complete copy of all personal data we hold, contact us at info@bitbybit.dev.

7.2 Right to rectification (Art. 16 GDPR)

You can update your marketing email preference on your Profile Edit page.

Your public user name cannot be changed after account creation. If you need a different public user name, you must delete your account and create a new one.

To correct other data, contact us at info@bitbybit.dev.

7.3 Right to erasure / right to be forgotten (Art. 17 GDPR)

You can delete your account and all associated data at any time by visiting the Delete my Account page.

Account deletion:

  • Deletes all your Projects, Scripts, and Assets from our database
  • Deletes your user record from our database
  • Removes your data from our payment provider and cancels active subscriptions
  • Removes your API keys and session data
  • Clears local browser data

Please note:

  • Database backups are overwritten within approximately 90 days. Specific legal and compliance records may be retained for up to 10 years for tax, legal, or regulatory purposes (see §6)
  • Content previously indexed by search engines may require separate removal requests to those search engines
  • Contact info@bitbybit.dev if you need assistance with search engine removal (best-effort basis)

7.4 Right to restrict processing (Art. 18 GDPR)

You may request that we restrict the processing of your personal data. Contact us at info@bitbybit.dev.

Please note that restricting processing may prevent you from using the Platform and its Services. When no technical solution is available, you may be advised to delete your account to achieve the desired restriction.

7.5 Right to data portability (Art. 20 GDPR)

You may request a copy of your personal data in a structured, commonly used, machine-readable format. Contact us at info@bitbybit.dev.

7.6 Right to object (Art. 21 GDPR)

You may object to the processing of your personal data based on legitimate interests. Contact us at info@bitbybit.dev.

You can withdraw your consent for marketing emails at any time via the Profile Edit page and you can withdraw consent for analytics cookies by declining cookies when prompted or by clearing cookies in your browser.

7.7 Right to lodge a complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, https://vdai.lrv.lt) or your local data protection authority.

7.8 Right to be informed (Art. 13–14 GDPR)

If our Privacy Policy or Terms and Conditions change substantially, we will notify you via the Platform when you log in. You will need to accept the updated agreements to continue using the Platform. You are also responsible for checking the Privacy Policy periodically.

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA).

These transfers are safeguarded by:

  • Standard contractual clauses (SCCs) adopted by the European Commission
  • Adequacy decisions where applicable
  • The service provider's compliance with applicable data protection frameworks

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit - all data is transmitted over HTTPS
  • Secure session management - session cookies are protected against client-side access
  • Access controls - database security rules enforce that users can only access their own private data
  • Bot protection - automated challenge systems prevent abuse of authentication forms
  • Multi-Factor Authentication - optional MFA available for email/password accounts
  • Minimal data collection - we collect only the data necessary to provide our Services

While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

10. Children's Privacy

The Platform is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete the account and associated data promptly.

Persons younger than 18 years old may not create their own accounts. A parent or legal guardian may create an account on behalf of a minor aged 13–17, as described in our Terms and Conditions (§7). In such cases the parent or legal guardian is responsible for the minor's use of the Platform and for ensuring it is appropriate.

All account holders must confirm during registration that they are at least 18 years old or that a parent or legal guardian is acting on behalf of a minor aged 13–17.

11. Cookies and Tracking Technologies

We use cookies and localStorage as described in §2.6.

  • Essential cookies/storage: Cookie consent preference and authentication session - these are necessary for the Platform to function and do not require consent
  • Analytics cookies: Only activated with your explicit consent via our cookie banner

You can manage your cookie preferences at any time by clearing your browser cookies. Declining analytics cookies does not affect your ability to use the Platform.

For full details, see our Cookie Policy.

12. API Services - Data Processing

When you use the API Services, you may submit files and data for server-side processing. For the purposes of GDPR:

  • If your submitted data contains personal data, we act as a data processor on your behalf
  • We process your data only to deliver the requested computation results
  • We do not access, analyze, or share your data for any other purpose
  • Processing results are retained temporarily (currently 24 hours) and then automatically deleted
  • Data is processed on managed cloud infrastructure (see the Data Processing and Retention section of our Terms and Conditions for full details)

The data processing terms in our Terms and Conditions (§21), together with this Privacy Policy, constitute the data processing agreement required under GDPR Article 28.

The Platform may contain links to third-party websites (documentation, tutorials, external tools). We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal data.

14. Changes to This Privacy Policy

We may update this Privacy Policy at any time. When changes are substantial, we will notify you via the Platform at your next login, and you will need to accept the updated Privacy Policy to continue using the Platform.

We encourage you to check this page periodically. The "Last edited" date at the top indicates when this Privacy Policy was last revised.

15. Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, contact us at:

Email: info@bitbybit.dev

Data Controller: MB "Bit by bit developers" Volungės g. 5-1 Vilnius LT-10315 Lithuania