Privacy Policy

Version: 2.0

Effective: Dec 1st, 2025

Hypixel Studios Canada Inc. and its affiliates (collectively, "Hypixel Studios Canada", "we", "us", "our") respect your privacy and are committed to protecting it by complying with this privacy policy (this "Policy"). Hypixel Studios Canada is the controller of personal information processed for the purpose of providing the Services (as defined below). We are incorporated in Quebec, Canada. This Policy explains what personal information we collect, how we use it, how long we retain it, how we share it, how we protect it, and the choices and rights you have with respect to your personal information.

This Policy replaces any prior notices issued by Hypixel Studios Limited and reflects the transition of control to Hypixel Studios Canada.

1. Scope

This Policy applies to personal information processed in connection with the following services (collectively, the "Services"):

• The Hytale game and launcher;
• The websites, forums, and official social channels we operate;
• Creator tools, user-generated content ("UGC"), marketplace listings, and payouts handled by us; and
• Customer support, safety, and moderation.

This Policy does not apply to third-party websites or services that we do not control. When you leave our properties, the privacy policies of such third parties apply to the processing of your personal information.

2. Key Definitions

• "personal information" means any information that identifies, relates to, describes, is about, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual. (Also called "personal data" under some laws. Anonymized information that cannot be reasonably be linked to an identifiable individual is not considered personal information.)
• "processing" means any operation performed on personal information (e.g., collecting, storing, using, disclosing).
• "controller" means the party which determines the purposes and means of processing; "processor"/"service provider" means the party which processes data on a controller's behalf.
• "sell"/"share" have the meanings given to them under the California Consumer Privacy Act (as amended by CPRA). We state our position in Section 13.
• "child" and "minor" are interpreted in accordance with local law (e.g., under 13 in the U.S. (COPPA), under 13 in the UK, and 16 by default under GDPR, but may be set between 13 and 16 by individual EU Member States).

3. What Personal Information We Collect About You

The types of personal information we collect depend on a variety of factors, such as the types of services you request or use, applicable legal and regulatory requirements, and the means by which you communicate with us. We may collect the following categories of personal information:

• Account and identifiers: username, display name, email, age or birth year/month (where needed for age gating), country/region, account IDs, platform IDs, authentication tokens, hashed passwords.
• Gameplay, UGC, and social: in-game profile, creations and mods, marketplace listings and transaction metadata, friend lists, voice/text/chat content where features exist, reports and appeals, and community posts you choose to submit.
• Telemetry and device data: IP address and approximate location (country/region), device/OS information, language and time zone, performance metrics, crash logs, feature usage events.
• Anti-cheat and integrity signals: runtime integrity checks, suspicious process and memory signatures, device/account linkages, ban evasion signals, and enforcement history.
• Payments and transaction information: handled by third-party processors; we receive limited details (e.g., transaction ID, status, item purchased, billing country/region, partial contact details) but not the full payment card numbers.
• Communications information: support tickets, feedback, survey responses, email preferences, creator applications, and compliance/KYC documents where legally required.
• Information collected from cookies and similar technologies: online identifiers, analytics, and preference data. See Section 7 and our Cookie Policy.

We do not seek to collect special categories of personal information (e.g., health, biometric) or criminal offence data, and we ask that you do not include it in UGC or support submissions.

4. Sources of Personal Information

We use different methods to collect your personal information, including:

• Directly from you (e.g., account creation, gameplay, UGC, support, creator onboarding);
• Automatically from your use of the Services (e.g., telemetry, cookies/SDKs (as defined below)); and
• From third parties (e.g., payment processors, platform partners, anti‑cheat and security vendors, analytics, and creators you interact with).

Where we receive your personal information from third parties, we provide you with the information required by law within the applicable timeframes (for example, within one month or at the first communication), unless an exemption applies.

5. How We Use Personal Information and Legal Bases

We use the personal information that we collect about you or that you provide to us, for the following purposes, as permitted by applicable law and based on our contracts with you, our legitimate interests balanced with your rights, our legal obligation, and your consent (where required):

Purpose	Examples of use	Legal basis
Provide and operate the Services	create accounts, run game features, enable UGC and marketplace	Contract; Legitimate interests; Consent where required
Safety, security, and anti‑cheat	detect/prevent cheating, abuse, fraud, and spam; protect accounts	Legitimate interests; Legal obligation where applicable; Consent where required
Customer support and communications	respond to requests; service messages; notices about changes	Contract; Legitimate interests; Consent where required
Improve and develop the Services	fix bugs, measure performance, optimize content and features	Legitimate interests; Consent where required
Payments and compliance	process purchases via processors; tax, accounting, KYC/AML where required	Legal obligation; Contract; Consent where required
Marketing (non‑child audiences)	newsletters, promotions; preference‑based communications	Consent where required; Legitimate interests (opt‑out available)
Legal and regulatory	enforce this Policy and our terms, defend legal claims, comply with lawful requests	Legal obligation; Legitimate interests; Consent where required

Where we rely on legitimate interests, our interests include: keeping our Services secure and fair (including anti‑cheat and fraud prevention), operating and improving our games and features, ensuring network and information security, supporting customer service, and communicating with you about the Services. You have the right to object to processing based on our legitimate interests at any time (see Section 13). If you object, we will stop processing unless we have compelling legitimate grounds or the processing is needed for legal claims.

For EU/UK individuals, we obtain your prior consent before sending marketing emails or SMS, unless the "soft opt‑in" applies under local e‑privacy law (you gave your details in the context of a sale of our products/services and we provided a clear opt‑out at collection and in each message). You can withdraw consent or opt out at any time.

You can otherwise withdraw consent at any time where we rely on consent.

6. Children

We design with safety and privacy by default for children. We do not knowingly collect personal information from children without parental consent where required by law (e.g., under 13 in the UK or U.S. (COPPA), under 14 in Quebec, and 16 by default under GDPR, but may be set between 13 and 16 by individual EU Member States). Parents/guardians can review, delete, or withdraw consent for a child's data by contacting us (see Section 15). If we learn we have collected or received personal information from a child without verifiable parental or legal guardian consent, we will delete or anonymize that information.

In the UK, where our services are likely to be accessed by children, we apply the UK Age Appropriate Design Code, including high‑privacy defaults, data minimization, and age‑appropriate transparency.

In the EU, where we rely on consent for processing in connection with an information society service, we obtain verifiable parental consent where the child is under the age set by the Member State (between 13 and 16). We apply high‑privacy by default for child users and do not use behavioural advertising directed at children.

7. Cookies and Similar Technologies

We use cookies, SDKs, and similar technologies for core functionality, security, analytics, and to remember your preferences. Where required by applicable law, we ask for consent and provide controls. For users in the EU/EEA and UK, we will only set or access non‑essential cookies, SDKs, similar technologies, or use device fingerprinting with your prior consent under applicable e‑privacy laws. You can provide or withdraw consent at any time using our cookie banner/preferences center, which offers granular controls by purpose and vendor. Essential technologies strictly necessary to provide the Services (for example, to keep you logged in, provide security, or carry out a purchase you requested) do not require consent.

As you navigate through and interact with our websites, we may use cookies or other automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

• Details of your visits to our websites, including traffic data, location data, logs, and other communication data and the resources that you access and use on our websites.
• Information about your computer and internet connection, including your IP address, operating system, and browser type.

The information we collect automatically may include personal information. It helps us to improve our websites and to deliver a better and more personalized service, including by enabling us to estimate our audience size and usage patterns and to ensure the security and improve the operation of our websites. By accessing or using the Services, you consent to the use of the technologies described below and the sharing of information with third parties as specified.

The technologies we use for this automatic data collection may include:

• Cookies: A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our websites. For details—including categories, purposes, and retention—see our Cookie Policy.
• Pixel tags: Pixel tags (also called "beacons" or "pixels") are small blocks of code installed on (or called by) a webpage, email, app, or ads which can retrieve certain information about your device and browser and how you interact with it. This includes, for example, information about your device type, operating system, browser type and version, website visited, time of visit, referring website, IP address, whether you've opened an email or clicked on an ad, and other similar information, including the small text file (the cookie) that uniquely identifies the device. Pixels provide the means by which third parties can set and read browser cookies from a domain that they do not themselves operate and collect information about visitors to that domain, typically with the permission of the domain owner.
• Local storage: This refers generally to other places on a browser or device where information can be stored by websites, ads, or third parties (such as HTML5 local storage and browser cache).
• Software development kits: Software development kits (also called "SDKs") function like pixels and cookies, but operate in the mobile app context where pixels and cookies cannot always function. Pieces of code (the SDK) are installed in the app that allow us and our partners to collect certain information about your interaction with the app and information about your device and network.
• IP address: IP address is the short form for Internet Protocol address which is assigned by internet access providers to every computer that is connected to the internet. Website owners have access to IP addresses of their users. Using IP addresses, we and our partners can identify the country, state and city from which a computer is connecting to the Internet. IP addresses are, for example, used for IP geolocation purposes.
• Device identifiers: We may also collect your IP address, unique device identifier or create a unique device fingerprint (this is a unique combination of different information from your device so that we can single it out) so we can identify your device. We may then use this in a similar way to cookies.

8. Sharing and Disclosure of Your Personal Information

We may share your personal information including as follows:

• To our subsidiaries and affiliates.
• To contractors, service providers, and other third parties we use to support our business (such as analytics and search engine providers that assist us with improving and optimizing the Services) and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this Policy.
• To law enforcement or a government institution in order to investigate fraud or potential fraud, as well as any other violation of a law, regulation, or the terms and conditions of use of the Services or any agreement with you in connection with the Services, and/or in order to protect the rights, property, or safety of Hypixel Studios Canada, our customers, or our partners.
• In accordance with applicable law, to an actual or prospective buyer or other successor (and their legal and other advisors) in the event of a merger, amalgamation, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our investors and other individuals is among the assets transferred.
• To fulfill the purpose for which you provide it.
• For any other purpose disclosed by us when you provide the personal information.
• To comply with any court order, law, regulation, investigation, subpoena, order of a court, tribunal or other administrative or governmental authority, or legal process, including to respond to any government or regulatory request, in accordance with applicable law.
• To enforce or apply our Terms of Service and other agreements with you.
• If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Hypixel Studios Canada, our customers, or others.
• With your consent, where permitted or required by applicable law.

We require processors to protect your data and use it only per our instructions.

9. International Transfers

We operate globally. Your data may be processed in Canada and other jurisdictions (including the United States, the UK and the EU/EEA). When transferring personal information across jurisdictions, we use appropriate safeguards:

• For the EU/EEA: Where our Canadian operations are subject to PIPEDA, we rely on the EU's adequacy decision for Canada (commercial organizations). For transfers to countries without EU adequacy, we use the EU Standard Contractual Clauses together with appropriate supplementary measures and conduct transfer impact assessments. For transfers to the United States, where the recipient is certified under the EU‑US Data Privacy Framework, we rely on that framework; otherwise we use the EU Standard Contractual Clauses with appropriate supplementary measures.
• For the UK: Where our Canadian operations are subject to PIPEDA, we rely on the UK's adequacy regulations for Canada (private‑sector organizations). For transfers to countries without UK adequacy, we use the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs together with appropriate supplementary measures. For transfers to the United States, where the recipient is certified to the UK extension to the EU‑US Data Privacy Framework (the "UK‑US Data Bridge"), we rely on that framework; otherwise we use the UK IDTA/Addendum with appropriate supplementary measures.
• For Quebec: Cross‑border transfer assessments and privacy impact assessments (PIAs) where required.

We also implement contractual and technical measures with our processors (including Cloudflare and Google Cloud) consistent with applicable laws. You may contact us for a summary of the safeguards in place.

We or our service providers may access, process or store your personal information outside of the jurisdiction where we are located and where you reside, where laws regarding the protection of personal information may be less stringent than the laws in your jurisdiction. As a result, when your personal information is used or stored in a jurisdiction other than where you are residing, it may be accessible to law enforcement, national security authorities, and the courts of such jurisdictions.

Contact us for more information about safeguards.

10. Security

We implement physical, technical and organizational measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. Such measures are appropriate to the risk, and include access controls, encryption in transit and at rest (where appropriate), network protections, vulnerability management, and employee training. No system is perfectly secure; if we learn of a breach impacting your data, we will notify you and regulators as required by law.

11. Retention

We retain personal information only as long as necessary for the purposes described in this Policy or as required by law. Typical periods:

Category	Typical retention
Account information	While account is active + 2 years
UGC and public profiles	While published or until you delete; residual backups per policy
Chat and moderation logs	Up to 18–24 months unless longer needed for safety or legal holds
Anti‑cheat and security signals	Up to 5 years to address repeat abuse and ban evasion
Payments and tax records	7 years (or longer if required by local law)
Support tickets	3 years after closure
Telemetry and analytics	12–18 months, then aggregated or anonymized

Backups are retained and cycled on fixed schedules and may contain data that is outside of a retention period.

12. Automated Decision‑Making and Profiling

We use automated systems to detect cheating, fraud, spam, and platform abuse. These systems may temporarily restrict features or flag accounts for review. Significant enforcement actions involve human review and an appeal path (see Section 15). We do not take decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. If we introduce such processing, we will provide you with specific information and your rights, including the right to obtain human intervention.

13. Your Rights

Your rights depend on where you live. You can exercise them via the methods in Section 15.

• EU/UK GDPR: access; rectification; erasure; restriction; data portability; object to processing based on legitimate interests; withdraw consent at any time; lodge a complaint with a supervisory authority. You have an absolute right to object at any time to direct marketing (including profiling for direct marketing). Some rights apply only in certain circumstances (for example, portability and restriction). Section 15 explains how to exercise your rights and our verification process. Section 12 explains your rights in relation to automated decisions.
• California (CPRA): know/access specific pieces; delete; correct; opt‑out of sale or sharing; limit use and disclosure of sensitive personal information; non‑discrimination. We do not sell personal information and do not share it for cross‑context behavioural advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link. We do not collect or process sensitive personal information for the purposes of inferring characteristics, and therefore are not required to offer the right to limit. Please see our State Specific Supplement for more information on your rights under California and other US state laws.
• Brazil (LGPD): confirm processing; access; correct; anonymize, block or delete; portability; information about sharing; revoke consent; petition the ANPD.
• Canada (PIPEDA and Quebec's Act respecting the protection of personal information in the private sector (the "Quebec Private Sector Act")): access and correction; information about automated processing; portability in Quebec; withdraw consent subject to legal or contractual restrictions.
• Australia: rights under the Australian Privacy Principles; complaint to the OAIC.

Response timelines (typical): EU/UK 1 month; California 45 days; Canada 30 days; Brazil 15 days; Australia within a reasonable period. Extensions may apply for complex requests.

Privacy Rights for California Minors in the Digital World

California Business and Professions Code Section 22581 permits California residents under the age of 18 to have the right to view, correct and request the removal of content or information they have posted to the Services. This request can be made by emailing us at [email protected].

California Shine the Light Law

California Civil Code Section 1798.83 permits users who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not share our user's personal information with unaffiliated third parties for their own direct marketing purposes. For inquiries regarding our disclosure policy, please send us an email to [email protected].

14. Choices and Controls

• Account settings: update your profile and preferences in product (where available).
• Email: unsubscribe links are included in non‑essential emails.
• Cookies/SDKs: adjust preferences in our cookie banner or device settings; see our Cookie Policy.
• Objections: where we rely on legitimate interests, you can object, and we will honor it unless we have compelling legitimate grounds where permitted by applicable law.

15. Exercising Your Rights and Contacting Us

Controller: The controller for your personal information is Hypixel Studios Canada Inc. of:

70 chemin de l'Envolee
L'Ange-Gardien, Quebec J8L 3H1
Canada

You can contact us by submitting requests through: support.hytale.com. We may need to verify your identity (and, for children's accounts, the parent/guardian). Agents may submit requests where permitted by applicable law with proof of authority. You can reach our general privacy contact at: [email protected].

UK representative: Pursuant to Article 27 UK GDPR, Hypixel Studios Canada Inc. has appointed Privacy Rep Office Limited as its UK representative. UK residents may contact our UK representative regarding our processing of their personal data at:

Privacy Rep Office Limited
Attn: Hypixel Studios Canada Inc.
[email protected]

EU representative: Pursuant to Article 27 EU GDPR, Hypixel Studios Canada Inc. has appointed Privacy Rep Office Limited as its representative in the European Union. EU residents may contact our EU representative regarding our processing of their personal data at:

Privacy Rep Office Limited
Attn: Hypixel Studios Canada Inc.
2nd Floor, 1-2 Victoria Buildings, Haddington Road
Dublin 4, Dublin, Ireland, D04 XN32
[email protected]
Telephone: 0035-31-6994225

We may require certain information to verify your identity before responding to a request. You may have a right to appeal our response to your request in certain US states, which you can exercise by emailing us at [email protected].

Regulators:

• EU: contact the supervisory authority in your Member State of residence
• UK: Information Commissioner's Office (ICO) — https://ico.org.uk/
• Canada: Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca/en/
• Quebec: Commission d'accès à l'information — https://www.cai.gouv.qc.ca/
• Brazil: ANPD — https://www.gov.br/anpd/
• Australia: OAIC — https://www.oaic.gov.au/

16. Changes to This Policy

We may update this Policy from time to time by posting a new version to the websites on which this Policy appears, with an effective date. Material changes will be communicated (e.g., in‑product notice or email or by notice on the websites) and will include a new effective date. Your continued use of the Services after the effective date means you accept the updated Policy.

17. Compliance Considerations (Appendix)

• International transfers: SCCs/IDTA and supplementary measures are applied where required.
• Quebec Private Sector Act: privacy officer designated; PIAs performed for projects with high privacy risk and cross‑border transfers; transparency regarding identification, location, and profiling technologies.
• Children/teens: high‑privacy defaults; no personalized ads; parental controls for underage accounts.
• Subprocessors: Data processing agreements executed with Cloudflare and Google Cloud; additional subprocessors may be added with notice. We maintain an up‑to‑date list of our key processors and sub‑processors available on request.

18. State Specific Supplement

California

Notice at Collection: If you are a resident of the State of California, this serves as a notice at collection and a description of the categories of personal information we collect and have collected over the past 12 months, the purpose of the collection, the source of the information, whether it is sold or shared, and whether it is disclosed to third parties for business purposes. We note our policies regarding retention in Section 11 above.

See Section 5 for the purposes of the collection, Section 4 for the sources of the personal information, and Section 8 on how we disclose your personal information and the categories of third parties to whom such information is disclosed and the purpose of the disclosure.

The following are the categories of personal information collected:

Identifiers and Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)): username, display name, email, age or birth year/month (where needed for age gating), country/region, account IDs, platform IDs, authentication tokens, hashed passwords, and Gameplay, UGC, and Social data described in Section 3;

Commercial information: payments and transaction information; game play data.

Internet or other electronic network activity information: telemetry and device data: IP address and approximate location (country/region), device/OS information, language and time zone, performance metrics, crash logs, feature usage events; anti-cheat and integrity signals

Geolocation data: postal code.

Audio, electronic, visual, thermal, olfactory, or similar information: voice/text/chat content.

We do not currently "sell" personal information, as we interpret that term under California law. We also do not "share" personal information for purposes of cross-context behavioural advertising. We also do not collect sensitive personal information for purposes of inferring characteristics about you. We also do not use Automated Decisionmaking Technology in a manner that is subject to the opt-out and access rights under the CCPA.

You have the following rights under California law:

1. The right to know what personal information the business has collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information the business has collected about the consumer.
2. The right to delete personal information that the business has collected from the consumer, subject to certain exceptions.
3. The right to correct inaccurate personal information that a business maintains about a consumer.
4. If the business sells or shares personal information, the right to opt out of the sale or sharing of their personal information by the business.
5. If the business uses or discloses sensitive personal information for certain reasons, the right to limit the use or disclosure of sensitive personal information by the business.
6. The right not to be retaliated against for exercising privacy rights conferred by the CCPA, including when a consumer is an applicant to an educational program, a job applicant, a student, an employee, applicant or an independent contractor.

Nevada

Nevada residents who have purchased goods or services from us may opt out of the "sale" of "covered information" for monetary consideration to a person for that person to license or sell such information to additional persons. "Covered information" includes first and last name, address, email address, and phone number, or an identifier that allows a specific person to be contacted either physically or online. We do not believe we are engaged in the sale of covered information under Nevada law; however, if you are a Nevada resident who has purchased goods or services from us, you may submit a request to record your preference to opt out of future sales by emailing us at [email protected].

Other States

We may be subject to data privacy laws in other states. Depending on the state in which you reside, you may have one or more of the following rights:

1. To confirm whether or not we are processing your personal information and to access such personal information;
2. To correct inaccuracies in your personal information, taking into account the nature of the personal data and the purposes of the processing of the personal data;
3. To delete your personal information, subject to certain exceptions;
4. To obtain a copy of your personal information you provided us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance, where the processing is carried out by automated means;
5. To opt out of the processing of your personal information for purposes of targeted advertising, the sale of personal data and certain profiling;
6. To request a list of the categories of third parties to which we have disclosed your personal information;
7. To request a list of the specific third parties to which we have disclosed personal information;
8. To appeal a decision we have made in connection with your privacy rights request;
9. To opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (which may be limited to solely automated decisions depending on your state of residency);
10. To not be discriminated against for exercising your privacy rights under these laws; and
11. To revoke your consent to data processing.

This list is not exhaustive, and residents of states not included above may have additional rights relating to privacy and their personal information.