Privacy Policy
Last updated: 2026-05-05
What we collect
- Account data: email address, password hash, display name, account creation timestamp.
- Gameplay data: your avatar level + XP, weekly rosters and player picks, guild memberships, contribution totals, and combat events you generated.
- Optional: tip payment records (amount, currency, Stripe session id) if you contribute to the tip jar.
We do not collect: phone numbers, IP-address-derived location, payment card numbers (Stripe handles those directly), real names, or third-party tracking IDs beyond essential analytics.
Where your data lives
We use a small, named set of data processors:
- Supabase — hosts the Postgres database, authentication, and email delivery server. Data resides in Supabase's US East region.
- Vercel — hosts the web app at
app.draftrpg.com. - Cloudflare — DNS for
draftrpg.comand hosting for the marketing landing page. - Resend — transactional email (signup confirmation, password reset, weekly battle report).
- Stripe — payment processing for tip jar contributions.
Your rights
Per GDPR (EU) and CCPA (California) — and as our default for everyone:
- Right to access — download a JSON of all data we hold about you at /api/me/export (or via Settings → Danger Zone → Export my data).
- Right to delete — Settings → Danger Zone → Delete my account. Removes your account and all derived data immediately. Some metadata (the fact a combat event happened in your guild) survives anonymized, with your
user_idset null. - Right to rectify — edit your display name and visibility preferences via the Settings page anytime.
Retention
Active account data is retained as long as your account exists. After deletion, profile and gameplay data are removed within 24 hours. Tip-payment records may be retained for up to 7 years for accounting purposes (anonymized — no link back to your account).
Cookies
We use only essential cookies for authentication (Supabase session cookie, HttpOnly + Secure + SameSite=Lax). No tracking, ad, or analytics cookies. No fingerprinting.
Contact
Privacy-related requests: privacy@draftrpg.com. We respond within 30 days.
Data controller: DraftRPG, LLC (Kentucky, USA).