Mythoscript

Privacy & Data Policy

This page explains what Mythoscript collects, why we collect it, how we secure it, and the controls you have. We aim for minimal data, maximum clarity, and zero creepy stuff.


What Mythoscript Collects

We keep to the essentials required to run tabletop campaigns and characters.

Data map (what & why)

Category | Examples | Purpose
Account basics | Email, display name | Authentication, communication
Gameplay data | Characters, campaigns, encounters, inventory, spells, XP, notes, marketplace state | Core functionality of Mythoscript
Session data | Auth/session tokens, device info (browser/OS), coarse region | Security, performance, session continuity
Operational logs | Error and performance logs (may include IP addresses and timestamps) | Reliability, abuse prevention, debugging

We do not request phone numbers, home addresses, or government IDs for gameplay.


How We Use Your Data

  • Provide core features (auth, characters, campaigns, marketplace).
  • Secure accounts, enforce access controls, and prevent abuse.
  • Fix bugs, improve performance, and plan sensible product changes.
  • Respond to support requests and account-related questions.
  • Send essential account emails (verification, password resets, policy updates).

We currently do not use third-party analytics. If we add privacy-preserving analytics in the future, this policy will be updated before activation.


Legal Bases for Processing (EEA/UK)

If you are in the EEA/UK, we process personal data under these legal bases:

  • Contract: To provide the Mythoscript service you requested (authentication, storage of gameplay data).
  • Legitimate interests: Security, fraud prevention, app improvement, and support.
  • Consent: When you opt into optional features that require it. You can withdraw consent at any time.
  • Legal obligations: To comply with applicable law or lawful requests.

Where It Lives & How It’s Secured

Data is primarily stored in the United States. We use Supabase for database, authentication, and storage with Row-Level Security (RLS) to isolate user records. Players access only their own characters; Dungeon Masters access only campaigns they manage. Mythoscript does not store your password; Supabase’s managed auth handles credential security.

We apply least-privilege access, encryption in transit (HTTPS), and industry-standard controls. No system is perfectly secure, but we design with defense-in-depth and monitor for abuse.


Cookies & Similar Technologies

We use strictly necessary cookies and/or local storage to keep you signed in and remember state (e.g., active character). We do not use third-party advertising or cross-site tracking cookies.

“Do Not Track” signals are respected in practice because we do not run behavioral tracking.


Service Providers We Rely On

These vendors process data on our behalf under contractual safeguards:

  • Supabase — database, authentication, storage, and security controls.
  • Hosting/CDN (e.g., Vercel) — to serve the web app efficiently.
  • Transactional email (SMTP) — to send account emails (verification, password resets).

We review providers periodically and will update this list as our infrastructure evolves.

International transfers: where data moves across borders, we rely on appropriate safeguards (e.g., standard contractual clauses or equivalent mechanisms) as required by law.


What We Refuse To Do

  • No selling, renting, or trading your personal data (“Do Not Sell” honored).
  • No third-party ad networks or behavioral ad tracking.
  • No cross-app/browser fingerprinting.
  • No unnecessary personal identifiers (phone, address, legal name) for play.
  • No use of your gameplay for marketing profiles.
  • No automated decision-making that produces legal or similarly significant effects.

Your Choices & Rights

  • In-app control: Delete characters or campaigns you no longer want stored; ask a DM to remove you from a campaign.
  • Access, export, delete: Request a copy of your data or permanent account deletion by emailing support@mythoscript.app.
  • Correction: Update profile information and request corrections to inaccurate data.
  • Consent withdrawal: Stop using Mythoscript and request account deletion at any time.
  • Jurisdictional rights: Depending on your location (e.g., EEA/UK, California), additional rights may apply (access, rectification, portability, objection, restriction). We honor valid requests as required by law.

Verification: we may ask for information to confirm your identity before fulfilling a request. If you disagree with our response, you may reply to appeal.


Data Retention & Deletion

We retain account and gameplay data while your account is active. When you delete data in-app, it’s removed from primary views promptly. Backups and logs roll off on routine cycles.

Backup retention: deleted personal data may persist in encrypted backups for up to 90 days for disaster recovery. We may retain limited records as required for security, legal, or audit purposes.


Security Incidents & Notifications

If we discover a data breach affecting your personal data, we will notify you via your registered email and/or in-app notice without undue delay and, where required, within 72 hours.


Children’s Privacy

Mythoscript is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect data from children under that age. If you believe a child has provided personal data, email support@mythoscript.app and we will take appropriate steps to remove it.


Changes to This Policy

We’ll revise this policy when our practices change. We’ll update the “Last updated” date below and, when appropriate, provide additional notice in-app. Continued use of Mythoscript after an update constitutes acceptance of the revised policy.


Contact

Mythoscript (United States) is the data controller for Mythoscript. For privacy questions or data requests, email support@mythoscript.app.

You can also review our User Agreement and Support pages.

Last updated: 2025-10-13 · Current build: Development