Privacy Policy

1. What We Collect

rpg.actor collects as little data as possible. Here's what we do and don't store:

Things We Store

• Email address — If you create a Creator Account, we store the email you provide so we can send you account-related messages (receipts, password resets, important notices).
• AT Protocol identity (DID) — When you log in via AT Protocol, we store your decentralized identifier to link your sessions.
• Payment records — If you purchase a Creator Account, Stripe processes your payment. We store a Stripe customer ID and transaction metadata (amount, date, status) but never your card number, CVV, or full billing details. Stripe handles that directly.
• Server logs — Our web server logs IP addresses, request timestamps, and user-agent strings for security and abuse prevention. These logs are rotated and deleted automatically.
• Rate-limiting data — We temporarily track IP addresses in memory to enforce rate limits. This data is not persisted to disk.

Things We Don't Store

• Character sheets and sprites — Your characters are stored on your own AT Protocol personal data server (PDS), not on ours. We read and display them; we don't keep copies.
• Passwords for AT Protocol accounts — Authentication is handled via AT Protocol OAuth or app passwords. We don't see or store your Bluesky/AT Protocol password.
• Tracking or analytics cookies — We don't use third-party analytics, ad trackers, or social media pixels.

2. Cookies

We use a small number of functional cookies necessary for the site to work:

• Session cookies — To keep you logged in during your visit.
• CSRF tokens — To protect form submissions from cross-site request forgery.

We do not use advertising cookies, tracking cookies, or any third-party cookies.

3. How We Use Your Data

• Email — Account communications only. We will never sell your email or send marketing spam.
• DID — To authenticate your sessions and associate your activity on the site with your AT Protocol identity.
• Payment data — To process Creator Account purchases and handle refund requests via Stripe.
• Server logs — To detect abuse, debug errors, and maintain security. We don't mine logs for behavioural analytics.

4. Third-Party Services

We use the following third-party services:

• Stripe — Payment processing. Stripe collects payment details directly; see their privacy policy.
• AT Protocol network — Character data is fetched from the decentralized AT Protocol network. Your PDS operator's privacy policy governs how your data is stored there.

We do not share your data with any other third parties.

5. Data Retention

• Account data — Retained as long as your Creator Account is active. If you ask us to delete your account, we will remove your email and associated records within 30 days.
• Server logs — Retained for 30 days and then automatically deleted.
• Rate-limiting data — Held in memory only. Cleared when the server restarts or the rate-limit window expires (typically within minutes).
• Payment records — Retained as required for tax and legal compliance (typically 7 years for financial records).

6. International Data Transfers

Our servers are located in Canada. If you are accessing rpg.actor from outside Canada, your data will be transferred to and processed in Canada. By using this site, you consent to this transfer. Canada is recognized by the European Commission as providing an adequate level of data protection.

7. Your Rights

You can:

• Access your data — Contact us to request a copy of what we store about you.
• Delete your data — Request deletion of your Creator Account and associated data.
• Correct your data — Update your email or other account details at any time.
• Export your character data — Your characters are already on your own PDS; you always have full access.

To exercise any of these rights, email dev@rpg.actor.

8. Children

rpg.actor is not directed at children. If you are under 13 (or under 16 if you are resident in the European Economic Area), do not create an account or submit personal information. By registering, you confirm that you meet the applicable minimum age for your jurisdiction.

We do not knowingly collect personal information from children. If you believe a child has provided us personal data, contact us (or if you are a parent or guardian acting on their behalf) and we will delete it promptly.

9. Changes

We may update this privacy policy from time to time. The effective date at the top will change when we do. Continued use of the site after changes constitutes acceptance of the updated policy.

10. Contact

Questions about this policy? dev@rpg.actor