Privacy Policy
Last updated: April 4, 2026
At Lorekeeper, your privacy is fundamental. This Privacy Policy describes what personal data we collect, how we use it, how long we keep it, who we share it with, and your rights under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Information We Collect
We collect only the data necessary to provide our service:
- Account Information: Email address, username, hashed password, and authentication tokens. If you sign in via Discord or Google, we receive your name, email, and profile picture from that provider.
- Gaming Data: Games you log, your ratings, reviews, emotional tags, play session timestamps, journal entries, lists, and community interactions (follows, likes).
- Profile Data: Optional profile picture, bio, and selected gaming platforms you choose to share.
- Usage Data: Anonymous, aggregated metrics such as page views and feature usage to improve the product. We do not use third-party analytics trackers.
- Error Data: When crashes occur, our error monitoring service (Sentry) may capture browser type, OS, error stack traces, and network request metadata (not request bodies) to help us fix bugs.
2. How We Use Your Data
Your data is used strictly to provide and improve the Lorekeeper experience:
- Core Service: Powering your game library, reviews, emotional logs, session timers, and journal.
- Personalisation: Generating your Gamer Personality profile and providing personalised game recommendations based on your gaming history and emotional patterns.
- Community Features: Showing your public profile, reviews, and activity to other users (if your account is set to public).
- Communications: Sending transactional emails such as email verification, password resets, and two-factor authentication codes. We do not send marketing emails.
- Error Monitoring: Diagnosing crashes and bugs to maintain service stability.
We do not sell, rent, or trade your personal data to any third party.
3. Third-Party Services
We use the following services to operate Lorekeeper. Each processes data only as necessary for its stated purpose:
| Service | Purpose | Data Shared |
|---|---|---|
| IGDB (Twitch/Amazon) | Game metadata, artwork, descriptions | Search queries (anonymous) |
| Neon (PostgreSQL) | Cloud database hosting | All user data (encrypted at rest) |
| Cloudinary | Profile image hosting | Uploaded avatar images |
| Resend | Transactional email delivery | Email address, message content |
| Sentry | Error monitoring | Browser errors, stack traces, page URLs (no passwords or personal content) |
| Render / Vercel | Application hosting | IP addresses (server logs, auto-deleted) |
4. Data Retention
We keep your data only as long as needed:
- Account data: Retained for as long as your account exists.
- Gaming data: Retained for as long as your account exists. Deleted immediately upon account deletion.
- Error logs: Automatically purged by Sentry after 90 days.
- Auth sessions: Expired sessions are periodically cleaned up.
When you delete your account, all associated data is permanently removed from our database within 24 hours. This includes your profile, games, reviews, journals, emotions, sessions, lists, follows, likes, notifications, and dismissed recommendations.
5. Your Rights (GDPR & CCPA)
Regardless of where you live, we grant all users the following rights:
- Right to Access: You can export a complete copy of all your data at any time from Settings → Data & Privacy → Export My Data.
- Right to Rectification: You can update your profile, username, email, and all gaming data at any time.
- Right to Erasure ("Right to be Forgotten"): You can permanently delete your account and all data from Settings → Data & Privacy → Delete Account.
- Right to Data Portability: Your data export is provided in machine-readable JSON format.
- Right to Withdraw Consent: You can stop using the service and delete your account at any time.
- Right to Object: You may opt out of non-essential processing by contacting us.
For California Residents (CCPA)
We do not sell your personal information. You have the right to know what data we collect, request its deletion, and not be discriminated against for exercising these rights. To make a verifiable consumer request, email us at the address below.
6. Data Security
We take security seriously:
- All passwords are hashed using industry-standard algorithms (never stored in plaintext).
- All connections use HTTPS/TLS encryption in transit.
- The database is encrypted at rest (Neon PostgreSQL).
- Rate limiting protects against brute-force and abuse.
- Two-factor authentication (TOTP) is available for all accounts.
- Content Security Policy (CSP) headers prevent XSS attacks.
7. Children's Privacy
Lorekeeper is not directed at children under 13. We do not knowingly collect data from children under 13. If we learn that we have, we will promptly delete it. If you believe a child under 13 has provided us with personal data, please contact us immediately.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of Lorekeeper after changes constitutes acceptance of the updated policy.
9. Contact Us
For any privacy-related questions, data requests, or concerns, please contact us at: support@lorekeeper.cc
We aim to respond to all data rights requests within 30 days, as required by GDPR.