Privacy Policy

    • Last Updated: April 24, 2026

    Welcome to Kart Kingdom Refueled

    Kart Kingdom Refueled ("we", "us", "our") is a fan-made revival of the original Kart Kingdom game. We are not associated with PBS, PBS KIDS, The Corporation for Public Broadcasting, Dubit Limited, or any other organizations. This privacy policy explains what information we collect, how we use it, and your rights.

    Information We Collect

    Usernames: Your username is stored in lowercase plain text in our database. This is necessary for account lookups, display in-game, and moderation (so moderators can search for and review accounts). Your username is visible to other players during multiplayer gameplay — this is how the game works. Do not use your real name or any personally identifying information as your username.

    Passwords: Passwords are one-way hashed using bcrypt. This means your actual password is never stored anywhere — not even we can see or recover it. When you log in, we compare your input against the stored hash.

    Secret Questions & Answers: Your secret answer is one-way hashed using bcrypt, the same way passwords are. We cannot see or recover your secret answer. Your secret question text (e.g. "What is your favorite color?") is stored in plain text so it can be displayed to you during account recovery.

    Secret Codes: If you set a secret code, it is one-way hashed using bcrypt (the same method used for passwords). This means your secret code cannot be seen, recovered, or reversed by anyone — including us. When you use your secret code for account recovery, we compare your input against the stored hash without ever knowing the original code.

    Game Data: We store your game progress, including quest data, inventory (kart items, clothing, furniture), avatar configuration, friend relationships, racing scores, and other gameplay data.

    Blog Comments: When you post comments on the blog, we store the comment text, any uploaded images, your display name, and a timestamp. Uploaded images are compressed, stripped of metadata (EXIF data), and encrypted before being saved to disk. All comments are reviewed by human moderators before being published. No automated third-party services are used for moderation.

    Session Data: We use session tokens to keep you logged in. Session tokens are encrypted and stored server-side with automatic expiration. A cookie containing an encrypted session token is set in your browser.

    IP Addresses: We do not store your IP address in plain text. IP addresses are first hashed using SHA-256 with a server-side pepper, then encrypted using AES-256-CBC with a unique random salt per entry. The resulting value cannot be reversed to recover your original IP. This data is used solely for rate limiting and abuse prevention.

    Browser Information: We store a truncated version of your browser's User-Agent string for security purposes (detecting suspicious login activity).

    Information We Do Not Collect

    We do not collect email addresses, real names, home addresses, phone numbers, dates of birth, or geographic location data. We do not use analytics trackers, advertising networks, or third-party data collection services. We do not sell, rent, or share your data with anyone for marketing or advertising purposes.

    How We Use Your Information

    • To provide the game experience (displaying your avatar, saving progress, enabling multiplayer)
    • To moderate content and ensure a safe environment for all players
    • To prevent abuse, cheating, and enforce our Terms of Use
    • To enable account recovery if you forget your password
    • To protect the security and stability of our servers

    Data Security

    We take the following measures to protect your information:

    • Passwords, secret answers, and secret codes are bcrypt-hashed (they cannot be reversed or read by anyone, including us)
    • Session tokens are encrypted using AES-256-CBC
    • IP addresses are SHA-256 hashed with a pepper, then AES-256-CBC encrypted with a unique salt per entry
    • Blog comment images are encrypted at rest and decrypted only when served to approved viewers
    • Connections are served over HTTPS via Cloudflare
    • Usernames are stored in lowercase plain text for moderation and account lookup purposes

    No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security. We encourage you to use a unique username and a password you do not use anywhere else. Your secret code should also be unique to this game.

    Children's Privacy

    Kart Kingdom Refueled is designed with children's safety in mind. We intentionally minimize the data we collect — we do not ask for email addresses, real names, or any personally identifiable information beyond a username and password. All usernames are reviewed by human moderators before being displayed to other players, and all blog comments are manually reviewed before publication.

    We do not operate a formal COPPA-compliant parental consent mechanism (such as verifiable parental consent). We are a volunteer-run fan project and do not have the infrastructure for formal regulatory compliance. However, we take practical steps to protect young users: we collect minimal data, we do not collect information that identifies anyone in the real world, passwords and sensitive data are hashed or encrypted, and all user-generated content is reviewed before it becomes visible. If you are a parent or guardian and have concerns about your child's account, please contact us and we will assist you, including deleting the account if requested.

    Data Retention & Deletion

    Your account is retained for as long as you want it. You can request account deletion through our account management page or by contacting us. When you request deletion:

    • There is a 7-day grace period during which you can cancel the request
    • After 7 days, your account and all associated data are permanently and automatically deleted, including: your user profile, game data, race scores, blog comments, friend relationships, inventory, messages, and security sessions

    You can also download a copy of your data through the account management page before deleting your account.

    Session data expires automatically, which means if someone else uses your device, they cannot access your account after the session expires.

    Third-Party Services

    We use a small number of third-party services:

    • Cloudflare: Provides CDN, DDoS protection, and SSL/TLS. Cloudflare processes network traffic (including IP addresses) as part of its standard operation. See Cloudflare's Privacy Policy.
    • Twemoji (via jsDelivr CDN): Used for rendering emoji graphics in the blog. No personal data is transmitted.

    No user content (comments, images, usernames, or any account data) is sent to any third-party service for processing. All moderation is performed manually by our team. We do not share your personal data with any other third parties.

    Your Rights

    You have the right to:

    • Access your data — download a copy from the account management page
    • Delete your account and all associated data — through the account management page or by contacting us
    • Ask questions about how your data is handled — contact us anytime

    Changes to This Policy

    We may update this privacy policy from time to time. When we make changes, we will update the "Last Updated" date at the top of this page and provide at least 7 days' notice through an in-game notification before the new policy takes effect. Continued use of the site after the effective date means you accept the updated policy.

    Contact

    If you have questions about this privacy policy, please reach out to us at contact@kartkingdomrefueled.com or through our Discord server.