Privacy Policy

Effective date: 01/31/2026
Organization: CaraCo
Contact: drcarademono@gmail.com

Overview (VRC.Quest.Privacy.1)

This Privacy Policy is managed by CaraCo and explains what data ArtQuest VR (“the App”) processes, how it is used, and how you can request deletion of user data. This Policy applies to the App as distributed on Meta Quest headsets.

The App uses Meta Horizon Platform features and Photon for multiplayer networking. The App also uses CaraCo-operated online services (Cloudflare + Google Cloud + Supabase) to deliver artwork assets and text metadata.

What Data We Process (VRC.Quest.Privacy.2)

A) Meta Horizon Platform data (required for platform features)

If you use platform features (for example: invites, parties, deep links, user profile, avatars), the App processes categories of data provided by Meta Horizon Platform services, including:

USER_ID: an app-scoped Meta user ID used to identify your user for platform and multiplayer features.
USER_PROFILE: profile-related fields made available by Meta for the features you use (for example, display name/handle).
FRIENDS: friend-related data used for social features (for example, inviting friends or displaying friend-related UI where applicable).
AVATARS: avatar-related data used to render your avatar (or avatar-related identifiers/assets) if the App’s avatar features are enabled.
INVITES / PARTIES / DEEP_LINKING: invite/party/deeplink launch details used to create or join sessions, route you to the correct room/session, and carry an invite payload (for example, what gallery or page to open).

How we handle it:

The App uses this data in real time to provide the feature you requested (for example, joining an invite/party, showing your name in-session, rendering avatars).
CaraCo does not sell this data.
Unless stated otherwise in this Policy, CaraCo does not store this Meta Horizon Platform data on CaraCo-operated servers beyond what is transiently necessary to operate the feature.

B) Multiplayer networking data (Photon / Exit Games)

If you use multiplayer features, the App connects to Photon (operated by Exit Games) to relay real-time session traffic between players.

During multiplayer sessions, the App transmits and receives, via Photon and/or to other players in the same room:

Session/connection data: room/session identifier (lobby/session ID), in-room actor number, timestamps, and networking metadata needed to route messages and maintain the session.
Real-time state shared with other players (examples):
- VR pose/position updates (head/hands/controller transforms),
- in-session state used to synchronize the experience (for example, current gallery mode, selected artwork identifiers such as QIDs, page numbers),
- custom gallery identifiers/names/keys if you use shared custom galleries.

How we handle it:

This data is used only to run the multiplayer experience (connect players, synchronize state, and show other players what is happening in the shared session).
CaraCo does not operate Photon’s servers and does not control Photon’s independent processing and retention practices.

Photon publicly describes its design as processing limited technical identifiers (such as IP addresses and user IDs) for operations.

C) CaraCo online services for artwork delivery and metadata (Cloudflare R2/Workers, Google Cloud Run, Supabase)

The App primarily loads artwork images and related assets from CaraCo-operated services, and the App also fetches and stores some artwork text metadata through CaraCo’s backend.

These services necessarily process technical network data so that requests can be routed, delivered, protected, and debugged.

1) Content delivery + image processing (Cloudflare Workers/R2 + Google Cloud Run)

When the App requests images and assets from CaraCo endpoints, CaraCo may collect and store service logs such as:

IP address,
timestamp,
requested URL/path,
response status and latency,
device/app technical identifiers sent in headers (for example user agent),
diagnostic IDs (for example request IDs), and
limited error/debug logs (for example decoding/resizing errors).

Notes:

Cloudflare Workers logging can include request metadata/headers associated with a request event.
The App also uses a Google Cloud Run service for image processing; requests to that service can produce request/container logs in Google Cloud logging.

How CaraCo uses these logs:

to deliver content (CDN routing, caching, resizing),
to prevent abuse (rate limiting, security monitoring),
to diagnose outages/bugs and improve reliability.

2) Artwork descriptions/metadata (Supabase)

The App fetches artwork descriptions and related text from CaraCo’s backend, and CaraCo stores artwork descriptions/metadata in a Supabase database/service. This artwork metadata is about the artworks (not about you), but Supabase and CaraCo services may still process technical connection data (for example IP address and timestamps) as part of providing the service and maintaining security.

CaraCo does not sell this information and does not use it for advertising.

D) Requests to Wikimedia / Wikidata (public databases)

Some App features may make requests from your device to Wikimedia/Wikidata (for example, SPARQL queries or Action API requests). When you connect to those services, they may receive standard technical data such as your IP address, device type, and request headers as part of normal network communications. Wikimedia’s privacy policy explains that it receives IP addresses from site visitors.

E) Local storage on your device and Meta Quest cloud backup

1) Local storage on your device

The App may store limited data locally on your headset to improve performance and usability, such as:

cached artwork images and thumbnails,
your last-used gallery filters and local preferences,
locally saved favorites and custom gallery settings (if you use these features).

2) Meta Quest cloud backup (if enabled)

If you have Meta Quest cloud backup enabled on your device, Meta may back up certain App data stored on your device (for example preferences, favorites, and custom gallery settings) so it can be restored if you reinstall the App or set up a new device.

How this works:

This backup is controlled by Meta’s device/cloud backup features, not by CaraCo.
CaraCo does not operate the backup servers and does not receive or directly access your cloud backup contents.
The App does not intentionally transmit your favorites/preferences to CaraCo-operated servers for backup; any cloud backup occurs through Meta’s platform services when enabled on your device.

F) Support communications

If you contact CaraCo for support, CaraCo will receive the information you choose to provide (for example your email, message content, and any logs/screenshots you send). CaraCo uses this only to respond to you and resolve the support issue.

What We Do Not Do

No advertising SDKs integrated by CaraCo.
No sale of user data.
No behavioral advertising or cross-app tracking by CaraCo.
CaraCo does not request or collect your payment information.
CaraCo does not collect precise location, contacts, or biometric identifiers for CaraCo’s own purposes.

How We Use Data (VRC.Quest.Privacy.3)

We use the data described above only to:

provide Meta Horizon platform features you request (identity, social/invites/parties, deep linking, avatars),
provide multiplayer functionality (connecting players and synchronizing real-time session state),
deliver artwork content and metadata to your device,
operate, secure, and debug our services (for example abuse prevention and reliability),
improve performance and usability through on-device caching and preferences.

We do not use user data for:

advertising,
selling or renting user data,
cross-app tracking,
profiling unrelated to providing the App’s features.

Data Sharing (Who Receives Data)

We share/process data only as needed to operate the App:

Meta Horizon Platform services: identity, social features, invites, parties, deep linking, avatars.
Photon (Exit Games): relays multiplayer traffic between players.
Cloudflare (Workers/R2): content delivery and storage for artwork assets.
Google Cloud Run / Google Cloud Logging: image processing service operation and logging.
Supabase: artwork text/metadata storage and retrieval.
Wikimedia/Wikidata (when used): public database/API requests.

We do not share user data with other third parties except as necessary to provide the App’s functionality or as required by law.

Retention (How Long Data Is Kept)

On-device caches and settings: retained on your device until you clear app data or uninstall, unless the App provides an in-app option to clear caches sooner.
Multiplayer session data: processed in real time for the duration of the session; CaraCo does not maintain a CaraCo-operated database of multiplayer session histories.
CaraCo service logs (Cloudflare / Cloud Run / Supabase access logs): retained for limited periods to operate and secure the service. As a default operational practice, CaraCo retains:
- access/request logs for up to 30 days, and
- security/error logs for up to 90 days,
  unless a longer period is required to investigate abuse/security incidents or comply with legal obligations.
Third-party providers (Meta / Photon / Wikimedia): may retain limited technical logs under their own policies; CaraCo does not control those independent retention practices.

How to Request Deletion of Your Data (VRC.Quest.Privacy.4)

1) Deleting local App data on your headset

To remove data stored locally by the App:

uninstall the App from your Meta Quest device, or
clear the App’s data via device settings (if available).

2) Deleting cloud-backed App data (Meta Quest cloud backup)

If Meta cloud backup is enabled, uninstalling the App may not remove cloud-backed App data stored by Meta. To delete backed-up App data, you may need to use Meta’s cloud backup management controls (for example disabling cloud backup for the App and/or deleting the App’s backup data through Meta account/device settings, if available).

Because this data is stored and controlled by Meta, CaraCo cannot directly delete it. If you contact us, we will explain what the App stores locally and help direct you to the appropriate Meta settings/support resources.

3) Deleting CaraCo server-side data (service logs; support tickets)

CaraCo does not maintain a general user account database for the App, but CaraCo does retain limited service logs (described above) and may retain support communications if you contact us.

To request deletion:

Email drcarademono@gmail.com with the subject line: “ArtQuest VR Data Deletion Request”.
Include (if available): your Meta app-scoped user ID (USER_ID), approximate dates/times you used the App, and any other details that help us locate relevant records.

What CaraCo will do:

We will delete or anonymize CaraCo-controlled records that reasonably relate to you (for example support emails; logs that can be feasibly identified and removed), unless we must retain certain records for security, fraud prevention, or legal compliance.
If your request concerns data controlled by a third party (for example Meta cloud backup, Photon logs, or Wikimedia logs), we will explain the relevant controller and point you to the appropriate process.

Data Protection & Security (VRC.Quest.Privacy.5)

We use safeguards appropriate to the App’s design and the data it processes:

data minimization: process only what is needed for platform, multiplayer, and content delivery features,
encryption in transit: network requests use HTTPS where provided by the source/services,
platform sandboxing: the App operates within the Quest application sandbox,
access control: restricted access to CaraCo service dashboards/logs on a need-to-know basis for operations and support.

Children’s Privacy

The App is not directed to children under 13. We do not knowingly collect personal data from children.

Changes to This Policy

If we materially change what data we process or how we use it, we will update this Policy and the effective date above. Continued use of the App after an update constitutes acceptance of the revised Policy.

Contact

Questions about privacy or data deletion requests: drcarademono@gmail.com

Page updated

Google Sites

Report abuse