WoalzCraft

Legal

Privacy Policy

Effective 11 June 2026PT. Dragonix Global Xperience · Batam, Indonesiasupport@woalz.com
This policy explains what WoalzCraft collects and why, across three surfaces: this website, the Brain cloud service (your account and the shared knowledge base), and the Unreal Engine pluginyou install. It is written to Indonesia's Personal Data Protection Law (UU No. 27 of 2022) and the EU GDPR.
The short version. The plugin runs on your machine. Your AI provider keys stay on your machine and your prompts go straight to the AI provider you choose, we never see or store them. We only hold an account (email + a hashed password) and security logs if you sign in to the Brain service. Contributing your generated Blueprints to the shared knowledge base is opt-in and off by default. We don't sell your data. You can ask us to export or delete it any time at support@woalz.com.

1. Who we are

WoalzCraft is an AI agent for Unreal Engine 5, operated by PT. Dragonix Global Xperience(trading as "Woalz"), Komp. Mutiara Point No. 54, Tiban Baru, Sekupang, Kota Batam, Kepulauan Riau, Indonesia ("we" "us"). For all privacy questions and to exercise your rights, contact support@woalz.com. We are the data controller for the account and knowledge-base data described below.

This policy covers woalzcraft.woalz.com (this site), the WoalzCraft Brain service (accounts, API keys, semantic search, the shared knowledge base), and the WoalzCraft Unreal Engine plugin.

2. Data we collect

We keep the data we collect deliberately small. Concretely:

If you create a Brain account

  • Email address, to identify your account, send sign-in links, and deliver your API key.
  • Password, stored only as a one-way bcrypt hash. We can never read it, in logs or anywhere else. (Magic-link accounts have no password at all.)
  • Display name, optional, shown on your account.

Authentication & security logs

To keep accounts safe and stop abuse, each sign-in/security event records your IP address, browser user-agent, a timestamp, and the event type (sign-up, login success/failure, magic link, password reset, logout). IP addresses are redacted to a coarse network range in our application logs.

API keys & the plugin link

  • API keys are stored only as SHA-256 hashes, we never keep the raw key. We record the key's tier, creation/last-used timestamps, and a request counter.
  • Machine fingerprint, when the plugin links to Brain, it sends an irreversible hash derived from your machine and user name. It cannot be reversed to identify you or your computer; we use it to bind anonymous keys and detect abuse.
  • Device sign-in & Fab purchase records, when you sign in from the plugin or claim a Fab Marketplace purchase, we record the machine fingerprint, plugin version, install source, and (for purchases) your IP and the Fab offer identifier.
  • Email tokens, verification, password-reset, and magic-link tokens are stored hashed, with the requesting IP and a short expiry (15 minutes to 24 hours), then consumed or deleted.

What we do not collect

  • We never receive your AI provider API keys (OpenAI, Anthropic, Google, etc.), they live only on your machine.
  • We don't receive your prompts or generated Blueprints unless you explicitly opt in to contribute (see §5).
  • No payment card data, purchases on Fab are handled by Epic Games (see §6).

3. How we use your data & our legal basis

  • Provide the service, authenticate you, issue and meter API keys, run semantic search. Basis: performance of a contract (GDPR Art. 6(1)(b)); your consent and the contract under UU PDP.
  • Security & abuse prevention, rate limiting, fraud/abuse detection, audit trails. Basis: our legitimate interests (Art. 6(1)(f)).
  • Transactional email, verification, password reset, magic links, key delivery. Basis: contract / legitimate interests.
  • Improve the knowledge base, only from contributions you opt in to share. Basis: your consent (Art. 6(1)(a)).
  • Legal compliance, tax, accounting, and responding to lawful requests. Basis: legal obligation.

We do not use your data for advertising and we do not sell it.

4. The plugin, your AI keys, and your prompts

The plugin is designed to keep your work on your machine:

  • Your AI provider keys stay local. Keys for OpenAI, Anthropic, Google Gemini, an OpenAI-compatible endpoint, or local Ollama are stored in your project settings on your computer. They are sent only to the provider endpoint you configured, never to us.
  • Your prompts go to the provider you choose. When you generate a Blueprint with a cloud provider, your prompt and the relevant project context are sent directly to that provider under their privacy policy. We do not proxy, receive, or store them.
  • Fully local mode. With Ollama (or the bundled offline templates), generation happens entirely on your machine and nothing is sent to us or any cloud provider.
  • Plugin telemetry is local-only. The plugin keeps usage statistics (request counts, success rates, timings) in a file on your machine to power its own dashboards. This file is never transmitted anywhere.
  • The Brain connection is optional. Out of the box the plugin works without any cloud connection; Brain features activate only after you sign in.

5. Community knowledge-base contributions

The Brain gets better when developers share working Blueprints and patterns. This is opt-in and turned off by default, nothing is contributed unless you enable it or explicitly invoke a "contribute" action.

  • When you contribute, we receive the Blueprint/pattern content you submit and quality metrics about it.
  • Your identity is pseudonymised at ingest: any email is replaced with an irreversible hash before storage. We do not store your email alongside contributions.
  • Once reviewed and approved, contributions become publicly visible (semantic search, public entries, the contributor leaderboard), attributed only to the hashed identifier, never your email.
  • You can ask us to remove your contributions at any time (see §9).

6. Who we share data with

We don't sell personal data. We use a small set of processors to run the service:

  • Resend, sends our transactional emails; receives your email address and the message content (e.g. a sign-in link).
  • ipapi.co, turns an IP into a coarse city/region/country for security and abuse detection. We store only the coarse location, not precise coordinates.
  • Cloudflare, CDN/edge delivery and encrypted off-site database backups.
  • Plausible, privacy-first, cookieless website analytics (aggregate only), where enabled. No cross-site tracking.
  • Epic Games (Fab Marketplace), if you buy the plugin on Fab, Epic processes the purchase under Epic's privacy policy. We receive only an entitlement signal (offer identifier), never your payment details.
  • Your chosen AI provider, receives your prompts directly, under their own policy. You pick the provider; you can pick a local one.

We may also disclose data where required by law or to protect our rights and users.

7. International data transfers

We are based in Indonesia and our infrastructure is operated there. Some processors above (for example Resend, Cloudflare, ipapi.co, and AI providers you choose) operate in other countries, including the United States and the EU. Where your data is transferred across borders, we rely on appropriate safeguards (such as the processor's standard contractual clauses) and, where required, your consent.

8. How long we keep data

  • Account data, while your account is active, and a short period after closure.
  • Email tokens, minutes to hours; deleted on use or expiry.
  • Security/login logs, retained for a limited period for security and audit, then pruned.
  • Purchase/entitlement records, retained as required for tax and accounting.
  • Backups, encrypted database backups rotate on a short retention window.

When you ask us to delete your account, we erase or irreversibly anonymise your personal data as described in §9, keeping only what the law requires us to retain.

9. Your rights

Under UU PDP 27/2022 and the GDPR you can access, correct, delete, restrict, port, and object to our processing of your personal data, and withdraw consent at any time.

  • To exercise any right, email support@woalz.com. We may need to verify your identity, and we'll respond within the time the law requires.
  • Deletion cascades across your account, keys, security logs, tokens, and (on request) your knowledge-base contributions. If you withdraw consent, we schedule deletion of the associated data, typically within 7 days.
  • EU users may also lodge a complaint with their local data-protection authority. Indonesian users may contact the authority designated under UU PDP.

10. How we protect your data

  • Passwords hashed with bcrypt; API keys and email tokens stored only as hashes.
  • HTTPS everywhere, HSTS, and hardened security headers.
  • IP addresses redacted in application logs; precise location never stored.
  • Admin access uses a server-side proxy so privileged keys never reach the browser, with an audit log for sensitive actions.

No system is perfectly secure, but we aim to hold only what we need and to protect it well.

11. Children

WoalzCraft is a developer tool and is not directed to children under 16 (or the age of digital consent in your country). We do not knowingly collect data from children. If you believe a child has given us data, contact us and we will delete it.

12. Changes to this policy

We may update this policy as the product evolves. We'll change the effective date at the top and, for material changes, give notice through the site or by email. Continuing to use WoalzCraft after an update means you accept the revised policy.

13. Contact

Questions, requests, or complaints about privacy? Email support@woalz.com. See also our Terms of Service.