BOLTSTEP does not operate its own game servers. Data is transmitted externally only as described below.
Local Storage (never transmitted)
Nickname, sensitivity, FOV, volume, language, and other settings are stored only in your browser's localStorage (gz_settings) and are never sent externally.
The Privacy Mode setting (relay-only TURN connections) is also stored in localStorage and persists until you change it.
When Creating a Public Room (host only)
Creating a public room sends the following to a Cloudflare Workers KV server for room-list management:
Nickname (hostName)
IP address — used solely to enforce the one-room-per-IP limit; not included in room-list responses.
Room title, map, mode, max players, password flag, and other room settings.
Stored data is automatically deleted approximately 30–45 seconds after the room closes or the last heartbeat.
Using a private room (direct code share) prevents this data from being transmitted.
2. P2P Connections & IP Protection
Multiplayer runs via WebRTC P2P through PeerJS.
The PeerJS signaling server (peerjs.com) is used only for the initial connection handshake.
The game runs in relay-only (TURN) mode by default. The TURN server relays all traffic, so your real IP is not exposed to other players.
TURN credentials are issued temporarily from the Cloudflare Worker /turn endpoint. If the Worker is unreachable (network error, etc.), the game falls back to STUN, which may expose your real IP to other players.
For PeerJS's own privacy practices, see peerjs.com.
3. Third-party CDNs
Library files are loaded from the following CDNs. Those requests may include your IP address.
BOLTSTEP is not directed at children. You must be at least 13 years old to use this game (14 in South Korea; 16 in jurisdictions where GDPR Article 8 sets a higher age). If you are under the applicable minimum age, do not use this game. We do not knowingly collect personal data from children. If we become aware that such data has been collected, it will be deleted promptly.
6. Legal Basis, Your Rights & Regional Notices
Legal basis (GDPR / LGPD / APPI): The IP address collected when creating a public room is processed for ≤75 seconds solely to enforce the one-room-per-IP limit — legitimate interest (GDPR Art. 6(1)(f)). No other personal data is processed by us.
No sale of data (CCPA / US): We do not sell or share personal information for cross-context behavioral advertising.
Your rights (access & erasure): You may request access to or deletion of your data via GitHub Issues. Because room data auto-deletes in ~30–45 seconds, most requests will be moot by the time they are received.
EU / UK / EEA users (GDPR / UK GDPR): You have the right to lodge a complaint with your local data protection supervisory authority.
Cross-border transfers: Room data is processed by Cloudflare (US), which provides GDPR-adequate safeguards under its Data Processing Addendum and Standard Contractual Clauses.
Korean users (개인정보 보호법): Personal data (IP, nickname) is processed for the purpose stated above, retained for ≤75 seconds, and then destroyed. No third-party provision occurs.
7. Contact
For privacy inquiries, please open an issue on the GitHub repository.