Privacy Policy
Vanilla Doll is built privacy-first: no credit cards, no phone numbers, no real-name requirements. This policy describes the minimal data we collect to operate the coin economy and a free ad-funded service, why we collect it, how we use it, and how to exercise your rights.
1. Data we collect
Account data: email address (used for login and account recovery only) and a bcrypt-hashed password. We never store passwords in plaintext.
Session data: a small session cookie used to keep you logged in across pages. The cookie expires on browser close (session) or after 30 days of inactivity (long-lived).
Coin economy data: coin balance, coin transactions (daily login, spin, game wins, unlocks), unlocked content list, login streak. Required to operate the free coin earn / spend system.
Server logs: IP address, user agent, request paths, timestamps. Retained for security, abuse prevention, and rate-limiting purposes (max 90 days).
Coarse geolocation: country-level lookup via MaxMind GeoLite2 from your IP, used to comply with regional regulations (e.g. softcore-only ad zones for Japanese visitors) and to choose the appropriate ad network.
Privacy-friendly aggregate analytics (GA4 with IP truncation). We do not sell personal data to third parties.
2. Advertising (ExoClick)
Vanilla Doll is funded entirely by adult-network advertising via ExoClick. Ads may set their own cookies subject to their privacy policies. Ad-served content is loaded directly from ExoClick's network (https://*.exoclick.com / *.exosrv.com); we do not share account-level identifiers, email addresses, or coin balances with any advertiser or ad network.
Geo-aware ad routing means Japanese visitors see only "Soft" zones (filtered for non-explicit content per Japanese law) and other regions see standard adult zones. The ad zone selection is computed server-side based on your coarse country.
3. Cookies
We use the following cookies: (1) age-confirmation cookie (vd_age_ok, 1 year, 18+ gate state), (2) NextAuth session cookie (login state), (3) locale preference cookie (next-intl). In addition, ad providers set cookies under their own policies.
You can clear or block cookies via browser settings; doing so will sign you out and force the age gate to re-prompt on next visit.
4. Your rights (GDPR / CCPA)
EU / UK residents (GDPR): you have rights of access, rectification, erasure, restriction, portability, and objection. EEA-based processing relies on the legal basis of legitimate interest (operating a free service) and consent (where applicable).
California residents (CCPA / CPRA): you have rights to know, delete, correct, and opt out of "sale" or "sharing" of personal information. Vanilla Doll does not sell or share personal information for cross-context behavioural advertising.
To exercise any right, contact us via the contact page. We will verify identity (via the email on file) and respond within 30 days. Account deletion removes personal data; minimal records may be retained for legal or fraud-prevention purposes.
5. Data retention + security
Account data: retained for the life of your account plus 30 days after deletion request. Server logs: 90 days max. Coin transactions: retained for audit purposes for 1 year.
All data is encrypted in transit (HTTPS / TLS 1.2+) and stored on infrastructure operated by us under standard industry security practices. Passwords are bcrypt-hashed with per-user salt.
6. International transfers
Our infrastructure is hosted in Japan (XServer VPS) with global edge caching via Cloudflare R2. Personal data may be processed in any region where our hosting providers operate. We ensure appropriate safeguards via standard contractual clauses where required.
Last updated: 2026-05-05 · Contact: see /contact. Aligned with GDPR + CCPA principles; counsel review pending.