Framedash
The authoritative version of this document is the Japanese original. This translation is provided for convenience only.

Privacy Policy

Last updated: May 9, 2026

1. Introduction

Crane Valley LLC ("Company", "we", "us") operates the Framedash service. This Privacy Policy explains how we collect, use, and protect your personal information when you use our Service.

Data Controller

  • Company: Crane Valley LLC
  • Address: Ginza Otake Bldg. 2F, 1-22-11 Ginza, Chuo-ku, Tokyo, Japan
  • Representative: Kiyoaki Tsurutani
  • Contact: privacy@framedash.dev

2. Information We Collect

2.1 Account Information

When you create an account and use the Service, we collect:

  • Name and email address (at registration)
  • Password (stored as a cryptographic hash, at registration)
  • OAuth provider identifiers and provider-issued tokens such as access tokens and refresh tokens (if using social sign-in, stored to maintain the linked account)
  • Profile image (avatar): when you sign in via an OAuth provider (Google, GitHub, or Microsoft), we store a profile image in our account database. For Google and GitHub we store the image URL provided by the provider; for Microsoft Entra ID we fetch the image binary from the Microsoft Graph API and store it as a Base64 data URI. Profile images are used to identify you in member lists and other user-facing areas of the dashboard.
  • Organization name (when creating a workspace)
  • Billing information (when subscribing to a paid plan, processed by Stripe)
  • Map images and project logos (when uploaded by you)

2.2 Telemetry Data

When you integrate our SDK into your game, we receive telemetry data that you configure the SDK to send. This may include:

  • Performance metrics (FPS, frame time, GPU time, memory usage)
  • Player position coordinates and map identifiers
  • Game events (configurable by you)
  • Device and platform information
  • Build identifiers and session metadata

Telemetry Data is associated with your project. Unless you include personal identifiers, we do not treat Telemetry Data as information that identifies individual End Users. However, please note that combinations of device information and session metadata may constitute personal data or personal information under applicable laws.

2.3 Usage Data

We automatically collect usage data through the following means to improve the Service.

  • Server-side logs: pages visited, features used, browser/device information, IP address, and request metadata.
  • Error monitoring (Sentry): we use Sentry's error monitoring and performance tracing across the entire Service web application (server-side and client-side, covering public pages, sign-in/sign-up, onboarding, and the authenticated dashboard), the telemetry ingest Worker, and the consumer Worker to reproduce and diagnose errors.
    (a) Server side and Workers: exception stack traces and request / queue message metadata (IP address, tenant ID, project ID, and similar processing context) are transmitted to Sentry infrastructure located in the United States. In production, approximately 10% of web-server and edge requests, and approximately 5% of telemetry ingest and consumer Worker jobs, are additionally sampled as performance transactions (including route, processing time, internal spans, and outbound request metadata) regardless of whether an error occurred. The X-API-Key request header is filtered to a fixed placeholder before transmission so no API key material is sent.
    (b) Client side (browser) — baseline error monitoring and performance tracing: JavaScript exceptions and unhandled Promise rejections that occur on any page of the Service (legal, sign-in/sign-up, onboarding, dashboard, and similar), and (in production) approximately 10% of page-load and navigation transactions sampled as performance traces (including the outbound fetch spans within those transactions, with URL, status code, and response time metadata), are transmitted to Sentry infrastructure in the United States together with your browser's User-Agent, the page URL, the default Sentry SDK breadcrumbs (recent console output, DOM events such as clicks, fetch/XHR requests, history changes, and navigation), and the IP address Sentry observes on receipt. This transmission occurs regardless of your cookie-consent choice. The legal basis for this processing is our legitimate interest in keeping the Service stable and secure (GDPR Art. 6(1)(f)). Users in the EEA or United Kingdom may object to this processing at any time using the methods described in Section 7.
    (c) Client side — Session Replay: we enable the Sentry Session Replay instrumentation only when you select "Accept" on our cookie consent banner. Without consent, the Replay instrumentation, related cookies, and rrweb DOM collection are not loaded at all. Even after consent, Session Replay is recorded for only approximately 50% of the sessions in which an error occurs (sampling rate). When an error occurs, the capture includes up to approximately one minute of activity that preceded the error, and recording then continues until the session ends. The captured content includes DOM structure, mouse interactions, page navigation, console logs, and network request metadata (URL, status code, response time, etc.). On-screen text and form inputs are masked in the browser before being sent to Sentry, so only masked placeholders (not the original characters) are transmitted. Images, videos, and other media are blocked from capture entirely and are therefore never sent to Sentry's servers.
  • Bot protection (Cloudflare Turnstile): we deploy Cloudflare Turnstile on the sign-up page to deter automated account creation. Turnstile causes your browser to send the following to "challenges.cloudflare.com": browser environment information (user agent, screen configuration, time zone, etc.), behavioral signals such as mouse movement and timing, and the IP address used at verification. The transmitted information is processed by Cloudflare, Inc. (United States) solely to prevent fraudulent account creation by bots. For details, see Cloudflare's privacy policy at https://www.cloudflare.com/privacypolicy/.

3. How We Use Your Information

  • To provide, maintain, and improve the Service
  • To process payments and manage your subscription
  • To send transactional emails (alerts and notifications)
  • To send important service-related notices (such as changes to Terms of Service)
  • To respond to customer inquiries and provide support
  • To perform statistical analysis using anonymized and aggregated data, including for industry benchmarking and inclusion in marketing materials
  • To detect and prevent fraud or abuse
  • To comply with legal obligations

We do not sell your personal information to third parties.

Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we process personal data on the following legal bases under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)): providing the Service, managing your account and subscription, processing payments, and delivering transactional communications.
  • Legitimate interests (Art. 6(1)(f)): improving and securing the Service, performing statistical analysis on anonymized data, detecting and preventing fraud or abuse, responding to support inquiries, and operating Sentry baseline error monitoring and performance tracing on both the server and the client (Sections 2.3(a) and 2.3(b)).
  • Legal obligation (Art. 6(1)(c)): retaining billing and accounting records as required by applicable tax and accounting laws, and responding to lawful requests from authorities.
  • Consent (Art. 6(1)(a)): collecting and transmitting Sentry Session Replay data when you select "Accept" on our cookie consent banner. You may withdraw your consent at any time using the methods described in Section 9.3, and such withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).

4. Data Storage and Processing

  • Account data (including your name, email address, password hash, OAuth linkage information, and profile image) is stored in Neon PostgreSQL (cloud-hosted). Profile images fetched from Microsoft Entra ID are stored directly in the same database as Base64 data URIs.
  • Telemetry data is stored in ClickHouse (cloud-hosted).
  • User-uploaded files (map images and project logos) are stored in Cloudflare R2 object storage.
  • Data may be processed in Japan, the United States, and other countries where our sub-processors operate.
  • We use industry-standard encryption for data in transit (TLS) and at rest.

Security Measures

We implement organizational and technical security measures to prevent leakage, loss, or damage to personal information. For details, please refer to Section 11 (Security) of our Terms of Service.

5. Data Retention

  • Telemetry data retention periods are configured per plan (Free: 7 days, Starter: 30 days, Pro: 90 days, Team: 180 days, Enterprise: 365 days). We periodically run an automatic purge process that deletes expired telemetry data. Raw events are deleted once they exceed the plan-configured retention period. Daily aggregates are retained for the plan retention period or 30 days, whichever is longer, to maintain reporting accuracy. Player first-seen records (the earliest timestamp at which a player identifier was observed) are excluded from the automatic purge to support retention cohort analysis. Because the purge runs as a batch process, there may be a delay of up to several days between the retention period expiring and the physical deletion of data.
  • Account data is retained while your account is active.
  • After the account deletion grace period ends, we delete your data within 30 days. Complete purging from backups shall be completed within 90 days after production deletion. Audit trail records required for legal compliance or security purposes (action logs containing user identifiers, IP addresses, and operation details) are retained for a maximum of seven (7) years and deleted thereafter, on the legal bases of the bookkeeping retention obligations under the Enforcement Regulation of the Japanese Corporate Tax Act and Article 432, Paragraph 2 of the Companies Act, together with Article 6(1)(c) and Article 6(1)(f) of the GDPR.
  • Billing and payment records are retained in accordance with applicable tax and accounting laws (up to 7 years under Japanese law).

6. Third-Party Services

We use the following third-party services (sub-processors) that may process your data. The privacy policies of each service apply.

  • Stripe (payment processing)
  • Cloudflare (CDN, DDoS protection, Workers runtime, R2 object storage, and Turnstile bot protection on sign-up)
  • Auth.js providers (Google, GitHub, Microsoft for OAuth)
  • Neon (PostgreSQL database hosting)
  • ClickHouse Cloud (telemetry data storage)
  • Resend (transactional email delivery)
  • Sentry (error monitoring and performance tracking for the entire Service web application on both server and browser, the telemetry ingest Worker, and the consumer Worker; Sentry Session Replay is additionally loaded for users who consent)
  • Upstash (rate limiting and caching via Redis)
  • Vercel (web application hosting and serverless runtime)

Sub-processor Oversight

Where any sub-processor further delegates processing to a third party, we ensure that the sub-delegate maintains a level of personal information protection equivalent to this Policy. We will update this Policy to notify you of any changes or additions to sub-processors.

Cross-border Transfers under APPI

When entrusting the processing of personal data to operators located outside Japan, we obligate such operators to continuously implement measures equivalent to those required under the Act on the Protection of Personal Information of Japan (APPI).

7. Your Rights

You may exercise the following rights under the Act on Protection of Personal Information (APPI) and other applicable laws.

  • Request disclosure of personal data we hold
  • Request correction, addition, or deletion of inaccurate data
  • Request suspension of use or erasure of data
  • Request cessation of third-party data sharing
  • Export your data in a portable format (for users in GDPR-applicable regions)

To exercise these rights, contact us at privacy@framedash.dev.

Upon verifying your identity, we will respond within one month as a general rule.

Disclosure Request Procedure

Requests for disclosure, correction, or suspension of use under the Act on the Protection of Personal Information shall be made as follows:

  • Submit your request in writing (email accepted) to privacy@framedash.dev.
  • Identity verification: Please provide a copy of an identity document (driver's license, passport, or equivalent). Requests by an authorized representative require a power of attorney and the representative's identity document.
  • Response method: We will respond in writing (including electronic records) to the email address registered with your account.
  • Fees: A fee of JPY 1,000 (tax included) per disclosure request applies under APPI. No fee is charged for correction or suspension requests. For users in the EEA and United Kingdom, access requests under the GDPR are free of charge.

Complaints

For complaints regarding our handling of personal information, please contact privacy@framedash.dev. If we are unable to resolve your complaint, you may consult the Personal Information Protection Commission (PPC) at https://www.ppc.go.jp/.

Additional Information for EEA and UK Users

If you are located in the EEA or the United Kingdom, the following additional information applies:

  • Right to object: You may object at any time to processing based on legitimate interests (Art. 21 GDPR). Our legitimate interests are: improving and securing the Service through usage analytics, preventing fraud and abuse, providing customer support, and operating Sentry baseline server-side and client-side error monitoring and performance tracing (Sections 2.3(a) and 2.3(b)).
  • Supervisory authority: You have the right to lodge a complaint with the supervisory authority of the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.
  • Contractual necessity: Providing your account information (name and email address) is necessary to enter into and perform our contract with you. If you do not provide this information, we cannot create your account or provide the Service.

8. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected such information, please contact us immediately. Users aged 16 to 17 must obtain consent from a parent or legal guardian before using the Service. At sign-up, every user must self-attest to meeting this age requirement; we rely on that confirmation as our reasonable measure to verify eligibility.

9. Cookies

We use cookies for the following purposes. We do not use third-party tracking cookies or advertising cookies.

9.1 Strictly necessary cookies (no consent required)

  • Authentication and session management (maintaining login state)
  • Storing user preferences (sidebar open/closed state, last selected project, active workspace, etc.)
  • Security protection (Cloudflare edge-network cookies for bot detection and DDoS mitigation, and Cloudflare Turnstile challenge cookies set on "challenges.cloudflare.com" from the sign-up page)
  • Consent management (framedash_cookie_consent: stores your consent choice ("accepted" or "rejected") for up to 180 days. Attributes: Path=/, SameSite=Lax, with the Secure attribute over HTTPS)
  • Payment processing (checkout is handled on Stripe-hosted pages; Stripe may set its own cookies on its domain during the checkout session)

9.2 Optional cookies (prior consent required)

  • Session Replay (Sentry): the Sentry Replay instrumentation and related cookies are loaded only when you select "Accept" on our cookie consent banner. If you select "Reject" or have not yet made a choice, the Replay instrumentation is not loaded at all. See Section 2.3(c) for the full scope of captured data and the masking applied before transmission. Baseline server-side and client-side error monitoring and performance tracing (Sections 2.3(a) and 2.3(b)) operate continuously under our legitimate interest and are not subject to this consent.

9.3 Managing and withdrawing consent

We display a cookie consent banner the first time you access the Service and record your choice in the framedash_cookie_consent cookie. You can withdraw your consent at any time by either of the following:

  • Delete the framedash_cookie_consent cookie via your browser settings
  • Clear all cookies in your browser (the consent banner will reappear on your next visit)

Once your withdrawal takes effect (after a page reload or on your next visit), the Sentry Replay instrumentation is not loaded and no new Replay data is collected. If you delete the cookie via your browser while the Service remains open in a tab, an already-running Replay buffer in that tab may continue until the next page load.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect.

11. Data Breach Notification

In the event of a security breach affecting your data, we will notify you within the timeframe required by applicable law. See Section 11 (Security) of our Terms of Service for details.

12. Contact

For questions about this Privacy Policy, contact us at privacy@framedash.dev.

We use essential cookies for core site functionality. With your consent we also enable optional session replay for error diagnostics. See our Privacy Policy for details.