Privacy Policy
Last updated: 2026-06-06
What we collect
- Account data: email address, password hash, display name, account creation timestamp.
- Gameplay data: your avatar level + XP, weekly rosters and player picks, guild memberships, contribution totals, and combat events you generated.
- Optional: tip payment records (amount, currency, Stripe session id) if you contribute to the tip jar.
- Product analytics (consent-gated): if — and only if — you accept the analytics banner on your first visit, we send anonymous usage events (page views, button clicks, funnel steps) to PostHog to understand how the game is played and where people get stuck. Analytics are off by default until you accept, you can decline outright, and you can change your mind anytime in Settings. We do not sell this data or use it for advertising.
We do not collect: phone numbers, IP-address-derived location, payment card numbers (Stripe handles those directly), real names, or cross-site advertising identifiers.
Age check at signup: we ask for your birth year to verify you're at least 13 (required by COPPA in the US). The year is checked client-side and discarded immediately — we do not store it in any account record or log.
Where your data lives
We use a small, named set of data processors:
- Supabase — hosts the Postgres database, authentication, and email delivery server. Data resides in Supabase's US East region.
- Vercel — hosts the web app at
www.draftrpg.com. - Cloudflare — DNS for
draftrpg.com. - Resend — transactional email (signup confirmation, password reset, weekly battle report).
- Stripe — payment processing for tip jar contributions.
- PostHog — product analytics, only if you opt in to the analytics banner. Processes anonymous usage events; hosted in the US (PostHog Cloud US). Disabled entirely until consent, and re-disabled the moment you opt out.
What's publicly visible (leaderboard opt-in)
When your leaderboard opt-in is on (default), the following appear on public leaderboards and hero profile pages:
- Your username (handle), display name, and Hero level.
- Your contribution stats for resolved weeks (damage, disrupt, amplify, finish, MVP count, W/L).
- Supporter status — if you've contributed via the tip jar, a small star (⭐) appears next to your handle on leaderboards and your profile page. This is visible to anyone viewing the leaderboard, including signed-out visitors.
You can turn off public visibility at any time via Settings → Visibility. With opt-in off, your row is removed from public leaderboards within minutes (we refresh the public view immediately on opt-in changes per GDPR Art. 17).
Your rights
Per GDPR (EU) and CCPA (California) — and as our default for everyone:
- Right to access — download a JSON of all data we hold about you at /api/me/export (or via Settings → Danger Zone → Export my data).
- Right to delete — Settings → Danger Zone → Delete my account. Removes your account and all derived data immediately. Some metadata (the fact a combat event happened in your guild) survives anonymized, with your
user_idset null. - Right to rectify — edit your display name and visibility preferences via the Settings page anytime.
Retention
Active account data is retained as long as your account exists. After deletion, profile and gameplay data are removed within 24 hours. Tip-payment records may be retained for up to 7 years for accounting purposes (anonymized — no link back to your account).
Cookies
Essential cookies (always on): the Supabase session cookie for authentication (HttpOnly + Secure + SameSite=Lax) and a small local-storage flag that remembers your analytics choice. No advertising cookies, ever. No fingerprinting.
Analytics cookies (only with consent): if you accept the analytics banner, PostHog sets first-party cookies/local-storage (e.g. ph_*) to de-duplicate anonymous events across page views. These are not set unless you opt in, and are cleared when you opt out via Settings. We do not use them for advertising or cross-site tracking.
Contact
Privacy-related requests: privacy@draftrpg.com. We respond within 30 days.
Data controller: DraftRPG, LLC (Kentucky, USA).