On this page
1. Who we are
When Light Fades is an educational role-playing game built for primary-school children in Singapore. The service is operated by heta, the team behind the game. Where this policy uses "we", "us", or "our", we mean heta operating When Light Fades.
For any question about your child's personal data — including a request to access, correct, or delete it — write to contact@whenlightfades.com. This address also reaches our Data Protection Officer (DPO).
2. A note for parents
When Light Fades is designed for children under 13. We take that seriously. The headline things you should know up front:
- We collect your child's username and gameplay record (level, class, quiz performance) so the game can function and pick up where they left off.
- We collect your email address so we can verify that a parent has agreed to let the child use the service, and so we can contact you if needed.
- We do not ask for your child's real name, school name, home address, photograph, or phone number.
- We do not display your child's real name to anyone. The username they choose is the only thing other players (in future multiplayer features) would see.
- There is no chat with strangers in When Light Fades. There is no public real-name leaderboard. There are no in-app social-network share buttons aimed at children.
- We do not sell your child's personal data to anyone, and we do not show third-party advertising inside the game.
What "personal data" means here. Under Singapore's Personal Data Protection Act (PDPA), personal data is any data about an individual who can be identified from that data, or from that data combined with other information we have. A username on its own usually isn't personal data; combined with a parent's email and gameplay history, it is. We treat all of it as personal data and protect it as such.
3. What we collect
We collect only what the game needs to run, to keep your child's progress safe, and to communicate with you. The full list:
| Category | What this is | Source |
|---|---|---|
| Account data | A username your child chooses (filtered for inappropriate words); a password (which we never see — Firebase Authentication stores it as an irreversible hash); or, if you sign in with Google, the Google account identifier and the email address Google shares with us. | Provided by you / your child at sign-up. |
| Parent email | The email address you give us so we can verify parental consent, send password-reset links, and send the optional weekly progress report (you can unsubscribe at any time). | Provided by you at sign-up or in Settings. |
| Character profile | The character name, gender selection (boy / girl), class (Knight, Mage, etc.), and Singapore primary level (P1–P6) your child picks during character creation. These shape the gameplay and difficulty. | Provided by your child in-game. |
| Gameplay record | Level, XP, currencies (Lumen 🪙 and Gems 💎), inventory, equipped items, cosmetics, zone progression, quest state, achievement state. | Generated as your child plays. |
| Learning record | How many questions your child has answered in each subject, how many were correct, which topics they have practised, the difficulty level they are working at, and per-day roll-ups (kept for 90 days on the device and mirrored in our cloud database). | Generated as your child plays. |
| AI-generated portraits and sprites | If your child uses the optional in-game portrait generator, the short text prompt your child writes (describing their character — e.g. "a knight with red hair") is sent to Google's Vertex AI and the resulting image is stored in our cloud storage. Default portraits in every style are pre-generated by us and ship with the game — they are not personalised. | Created by your child explicitly via the Profile screen. |
| Technical data | A reCAPTCHA Enterprise token (used by Firebase App Check to confirm the game is running in a real browser, not a bot); the standard request metadata Google's services log on our behalf (rough IP, browser type, request timestamps). We use this only to keep the service running and to prevent abuse. | Generated automatically by your browser. |
What we deliberately do not collect
- Real names, photographs, school name, home address, phone numbers.
- Government identifiers (NRIC, FIN, passport).
- Voice or video recordings.
- Browsing history outside When Light Fades.
- Location beyond the approximate country/region that Google's network infrastructure logs by default.
- Marketing data from third parties.
- Behavioural advertising identifiers — we run no advertising.
4. How we use it
Under the PDPA we may use personal data only for purposes we have told you about and that a reasonable person would consider appropriate in the circumstances. These are ours:
- To run the game. Loading saves, awarding XP and currencies, picking the next quiz question at the right difficulty, generating portraits when your child asks for one.
- To prove parental consent. Sending the verification email to the address you provide, and recording whether it was confirmed.
- To keep accounts secure. Password reset, abuse detection, App Check token verification, rate limiting on AI generation, and protecting against automated attacks.
- To improve learning outcomes. Aggregating your child's quiz record so the game can adapt the difficulty to them, summarising it for the optional weekly parent email, and (in anonymised form, with no usernames or emails attached) understanding overall game balance.
- To communicate with you. Verification emails, password resets, the weekly progress report if you've subscribed, and notices about important changes (such as updates to this policy).
- To comply with the law. Where we have to respond to a valid legal request or protect someone's safety.
We do not use your child's learning record to build advertising profiles or to sell to a third party. We do not use it to train Google's general-purpose AI models — when we call Google's Vertex AI to generate a question or a portrait, our project is configured so that the prompt is not used to train Google's foundation models.
6. Where we store it
Personal data is stored on Google Cloud infrastructure. Our Firestore database, Cloud Storage bucket, and Cloud Functions all run in Google's regions. Vertex AI requests run in Google's global region because the image models we use are only available there. Some technical logs (for example, the App Check token verification) are processed wherever Google's edge network handles your request.
Two pieces of data stay only on your child's device and are never sent to our servers:
- The local question bank (held in your browser's IndexedDB) — these are questions cached for offline use; once answered, they are deleted.
- The PWA service-worker cache (so the game can launch without a network connection).
7. How long we keep it
- Account and gameplay data — for as long as your child has an active account. If you delete the account (see Section 8), we delete this data.
- Parent email — until you ask us to remove it, or until the linked child account is deleted, whichever comes first. If you unsubscribe from the weekly report, we keep your email only as an unsubscribe record so we do not accidentally email you again.
- Transient AI-generation files — uploaded portrait references in
ai-temp/are deleted by our Cloud Function as soon as the sprite job finishes, with a one-day Cloud Storage lifecycle rule as a safety net. - Daily learning roll-ups on the device — kept for 90 days locally and then automatically pruned.
- Technical logs — Google's standard infrastructure retention applies (typically 30–90 days).
- Backups — automated backups may persist for a short window after deletion (usually under 30 days) before they roll off.
8. Your child's and your rights
Under the PDPA you (as parent) and your child have the right to:
- Access the personal data we hold about your child and ask how we have used it in the past year.
- Correct anything that is inaccurate or out of date.
- Withdraw consent to our continued use of the data. Note that withdrawing consent for the core gameplay data will mean your child can no longer play.
- Delete the account and all associated personal data. (We are completing this self-serve deletion flow; in the meantime, email us at contact@whenlightfades.com and we will action it within 30 days.)
- Port the data — we will provide your child's save and learning record as a structured JSON file on request.
- Unsubscribe from non-essential email (the weekly progress report) at any time via the link at the foot of every report.
To exercise any of these, write to contact@whenlightfades.com from the parent email registered on the account. We will respond within 30 days as required by the PDPA, or sooner where we can.
10. Children's data — extra safeguards
Because our audience is primary-school children, we go beyond the PDPA minimums:
- We require a parent email at sign-up and verify it before the child uses optional features that involve our servers (such as AI portrait generation).
- We design out collection. The game asks only for the bare minimum needed to function: a username, a class, a primary level, a parent email.
- The AI portrait prompt field is constrained to a character description and is reviewed by Google's Vertex AI safety classifiers before any image is generated. We do not retain the prompt text once the image is produced.
- There is no public real-name leaderboard, no in-app chat with strangers, and no in-app share-to-social-media button. Achievement "brag-cards" are PNG files saved to the device; the parent decides what (if anything) to forward.
- If you believe your child has signed up without your knowledge, write to contact@whenlightfades.com and we will delete the account.
11. Security
We use industry-standard controls:
- All traffic is encrypted in transit via HTTPS / TLS.
- Data at rest in Firestore and Cloud Storage is encrypted by Google Cloud by default.
- Per-user access rules enforce that one child's account cannot read or write another child's data.
- Firebase App Check blocks requests that don't come from a verified browser session.
- Our Cloud Functions run with the minimum permissions they need — no broad "editor" or "owner" roles.
- AI generation is rate-limited per child per day to prevent abuse.
No internet service can promise that data will never be breached. If we ever experience a security incident that puts your child's data at material risk, we will notify you (and, where required, Singapore's Personal Data Protection Commission) without undue delay.
12. International transfers
Google operates a global network. Your child's personal data may be processed in countries outside Singapore — most commonly the United States, where some Google services are headquartered, and in other regions where Google Cloud has edge infrastructure. Google Cloud is bound by Standard Contractual Clauses and equivalent transfer mechanisms recognised by Singapore's PDPC. When you use our service you are consenting to your child's data being transferred in this way.
13. Changes to this policy
We may change this policy as the game evolves. When we make a meaningful change (such as adding a new service provider or a new type of data collection), we will update the "Last updated" date at the top and — where the change is material to your child's data — email the parent address registered on the account before the change takes effect.
14. Contact & complaints
For anything to do with your child's personal data, please write to:
Data Protection Officer
heta — When Light Fades
contact@whenlightfades.com
If you believe we have not handled your child's personal data in accordance with the PDPA, you can lodge a complaint with Singapore's Personal Data Protection Commission at pdpc.gov.sg. We would always prefer the chance to resolve the issue directly with you first.