Privacy Policy
Effective May 13, 2026
This is the privacy policy for animalcrossingonline.com. We try to collect as little as possible. What we do collect is listed below, along with where it lives and how to make us delete it.
What we collect
Account info (only if you sign up)
- Email address. Used as your login + for password-reset links. Never shared, never sent to advertisers.
- Display name. Whatever you typed at registration. Shown in the topbar when you're signed in.
- Password. Stored only as an Argon2id hash, so we cannot read your actual password. If you forget it, you reset; we can't recover it.
- Account created timestamp.
Cloud saves (only if you opt in by signing in)
When you're signed in, your in-game save data is bundled and uploaded to AWS S3 every ~30 seconds. The bundle contains only the contents of your /save directory inside the emulator: your character, town, items, and progress. It does NOT contain your ROM, your real-world location, your device's other files, or anything outside the game's save slot.
We retain the latest snapshot indefinitely (so you can resume on any device) and keep the last 30 days of versioned backups in case of corruption or accidental deletion. After 30 days, old backups expire automatically.
Sessions + security
- Session cookies: set on login. HttpOnly + Secure + SameSite. Tied to a hashed-at-rest token in our database, never the plaintext cookie value.
- IP address: recorded in request logs for ~30 days for abuse detection + rate limiting. Not associated with your account in our database.
- User-agent string: used to populate the "device hint" on cloud-save metadata so the conflict modal can show "from Chrome on macOS" if you log in on two devices.
Analytics
We use PostHog for product analytics: page views and a small number of events we explicitly fire (e.g. cloud_save_upload_success, user_registered). When you're signed in, events are tagged with your user-id and display name.
We deliberately do NOT send your email address to PostHog. We can compute aggregate engagement, but we can't trade your email or contact you through it.
PostHog respects the browser's Do Not Track signal. To opt out beyond DNT, you can block us-assets.i.posthog.com in your browser or use a privacy extension.
What we DON'T collect
- Your ROM. The game disc image you load stays in your browser's IndexedDB cache; it never leaves your device.
- Payment info. The site is free; no payment processor is involved.
- Your real name, address, phone number, or any other PII beyond the email + display name above.
- Cookies for advertising or cross-site tracking. There aren't any.
- Your contact list, location, microphone, or camera. The site doesn't request those permissions.
Where your data lives
We're a small team running on cloud infrastructure. The third-party processors we use (and what they touch):
- Amazon Web Services (us-east-1): runs the backend server, holds the database, and stores cloud saves in S3 (encrypted at rest with AES-256).
- Turso / libSQL: the database that holds your account row and cloud-save metadata. Encrypted in transit.
- SendGrid: sends transactional email (welcome message + password reset). Receives your email address only at the moment of sending.
- PostHog: product analytics, as described above.
- Cloudflare DNS / AWS Route 53: DNS resolution for the domain. Sees the fact that your IP looked up our hostname; doesn't see your traffic content.
Most of our infrastructure runs in the United States. If you're in another jurisdiction, by using the site you consent to your data being transferred to + processed in the US.
How we protect it
- Passwords hashed with Argon2id (memory-hard, cost-tuned).
- Session and password-reset tokens stored only as SHA-256 hashes; the plaintext lives only in your browser's cookie.
- HTTPS everywhere: site assets, API, cloud saves. The S3 buckets actively reject any non-TLS request.
- Encryption at rest on cloud saves and configuration in S3.
- Rate limits on login, password-reset, and cloud-save uploads.
- HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy response headers on every page.
Your rights
- Access. Reach out via Discord and we'll send you a copy of everything we have on your account.
- Deletion. Reach out and we'll delete your account row, your cloud saves, and your sessions. Versioned cloud-save backups in S3 expire on a 30-day rolling lifecycle.
- Export. The Options menu in-game already includes "Export Save", so you can download your save bytes as standard .gci files at any time.
- Opt out of analytics. Enable DNT in your browser or block posthog.com at the network level.
- Wipe everything locally. The Options menu has "Reset Save" (wipes save data) and "Forget ROM" (wipes the cached ISO). After both, clearing site data in your browser removes any remaining traces.
Data retention
- Account row: indefinite, until you ask us to delete it.
- Current cloud save: indefinite.
- Versioned cloud-save backups: 30 days, then auto-expire in S3.
- Active session cookie: 7 days from issue (or whenever you log out).
- Password-reset tokens: 15 minutes if unused, 24 hours after consumption (for audit), then deleted.
- Request logs (with IP): ~30 days, then rotated out of CloudWatch.
- Outgoing-email records (SendGrid): per their retention policy.
- Analytics events: per PostHog's retention defaults.
Children
Our Terms of Service require account holders to be at least 13 (16 in the EEA). If we discover an account belongs to a child below the relevant age, we'll delete it. Parents who want a child's account removed can reach us via Discord.
Cookies
We set as few as possible:
- One session cookie (HttpOnly, Secure, SameSite) for login state.
- PostHog may set its own cookies for analytics. See their privacy policy.
We do not use any third-party advertising or cross-site tracking cookies.
Changes to this policy
We may update this policy occasionally. The "Effective" date at the top reflects the most recent change. Material changes (new processors, new categories of data) trigger an email to active accounts.
Contact
Privacy questions, data-export requests, or account deletion: join the Discord and message a moderator. We'll publish an email contact once volume justifies one.
This policy is not legal advice. If anything here materially affects you, please consult a lawyer in your jurisdiction.