Privacy Policy
Last updated: June 6, 2026
At Lorekeeper, your privacy is fundamental. This Privacy Policy describes what personal data we collect, how we use it, how long we keep it, who we share it with, and how you can exercise privacy rights. GDPR, CCPA, and India's Digital Personal Data Protection Act, 2023 ("DPDP Act"; Rules notified November 2025) are separate legal frameworks. Where one of them applies to you, Lorekeeper provides the controls described below without treating those laws as interchangeable.
1. Information We Collect
We collect only the data necessary to provide our service:
- Account Information: Email address, username, hashed password, and authentication tokens. If you sign in via Discord or Google, we receive your name, email, and profile picture from that provider.
- Gaming Data: Games you log, your ratings, reviews, emotional tags, play session timestamps, journal entries, lists, and community interactions (follows, likes).
- Profile Data: Optional profile picture, bio, and selected gaming platforms you choose to share.
- Usage Data: Anonymous or aggregated metrics such as page views and feature usage to improve the product. We do not use third-party analytics trackers.
- Error Data: When crashes occur, our error monitoring service (Sentry) may capture browser type, OS, error stack traces, and network request metadata (not request bodies) to help us fix bugs.
- Consent Records: The version of the Terms, Privacy Policy, and consent notice you accepted, the timestamp, and limited request metadata used to maintain an audit trail. IP address and user-agent metadata are redacted after 180 days while the consent event is retained.
2. How We Use Your Data
Your data is used strictly to provide and improve the Lorekeeper experience:
- Core Service: Powering your game library, reviews, emotional logs, session timers, and journal.
- Personalisation: Generating your Gamer Personality profile and providing personalised game recommendations based on your gaming history and emotional patterns.
- Community Features: Showing your public profile, reviews, and activity to other users (if your account is set to public).
- Communications: Sending transactional emails such as email verification, password resets, and two-factor authentication codes. Optional product updates are sent only if you opt in.
- Error Monitoring: Diagnosing crashes and bugs to maintain service stability.
- Compliance: Maintaining records of consent, privacy requests, account deletion, and security events where required.
We do not sell, rent, or trade your personal data to any third party.
3. India DPDP Notice
For users in India, this section is the DPDP notice for account creation and use of Lorekeeper. It is separate from the Terms of Service and from the GDPR/CCPA rights summary below.
| Personal Data | Specified Purpose | Required? |
|---|---|---|
| Email, username, password hash, auth/session records | Create, secure, verify, and maintain your account | Required |
| Game library, reviews, ratings, journals, emotional logs, sessions, lists | Provide the gaming log, profile, recap, personality, and recommendation features you use | Required for those features |
| Profile image, bio, platforms, PC specs, Discord ID, Steam URL | Customize your profile, imports, and recommendations | Optional |
| Email address for product updates | Send optional product news or announcements | Optional opt in |
| Consent timestamps, document versions, IP address, user agent | Maintain proof of notice and consent and process withdrawal requests | Required for compliance |
You can withdraw optional marketing consent in Settings - Data & Privacy. If you withdraw consent for processing necessary to run your account, Lorekeeper cannot continue providing the account service; you can export your data and delete your account from the same settings page. You may contact us at support@lorekeeper.cc to exercise rights or raise privacy questions. Complaints to the Data Protection Board of India may be made through the official channel made available by the Board.
4. Third-Party Services
We use the following services to operate Lorekeeper. Each processes data only as necessary for its stated purpose:
| Service | Purpose | Data Shared |
|---|---|---|
| IGDB (Twitch/Amazon) | Game metadata, artwork, descriptions | Search queries (anonymous) |
| Neon (PostgreSQL) | Cloud database hosting | All user data (encrypted at rest) |
| Cloudinary | Profile image hosting | Uploaded avatar images |
| Resend | Transactional email delivery | Email address, message content |
| Sentry | Error monitoring | Browser errors, stack traces, page URLs (no passwords or personal content) |
| Render / Vercel | Application hosting | IP addresses (server logs, auto-deleted) |
5. Data Retention
We keep your data only as long as needed:
- Account data: Retained for as long as your account exists.
- Gaming data: Retained for as long as your account exists. Deleted immediately upon account deletion.
- Error logs: Automatically purged by Sentry after 90 days.
- Auth sessions: Expired sessions are periodically cleaned up.
- Consent logs: Retained while your account exists and included in your data export.
When you delete your account, all associated data is permanently removed from our database within 24 hours. This includes your profile, games, reviews, journals, emotions, sessions, lists, follows, likes, notifications, and dismissed recommendations.
6. Your Rights
Regardless of where you live, we provide the following account controls. These controls support GDPR and CCPA requests where those laws apply, and DPDP requests where India's DPDP Act applies.
- Right to Access: You can export a complete copy of all your data at any time from Settings → Data & Privacy → Export My Data.
- Right to Rectification: You can update your profile, username, email, and all gaming data at any time.
- Right to Erasure ("Right to be Forgotten"): You can permanently delete your account and all data from Settings → Data & Privacy → Delete Account.
- Right to Data Portability: Your data export is provided in machine-readable JSON format.
- Right to Withdraw Consent: You may withdraw optional marketing consent in settings. For core account processing, you may export your data and delete your account.
- Right to Object or Restrict: You may opt out of non-essential processing by contacting us.
For California Residents (CCPA)
We do not sell your personal information. You have the right to know what data we collect, request its deletion, and not be discriminated against for exercising these rights. To make a verifiable consumer request, email us at the address below.
7. Data Security
We take security seriously:
- All passwords are hashed using industry-standard algorithms (never stored in plaintext).
- All connections use HTTPS/TLS encryption in transit.
- Database is encrypted at rest (Neon PostgreSQL).
- Rate limiting protects against brute-force and abuse.
- Two-factor authentication (TOTP) is available for all accounts.
- Content Security Policy (CSP) headers prevent XSS attacks.
8. Children's Privacy
Lorekeeper is not directed at children under 13. We do not knowingly collect data from children under 13. Where local law requires parental or guardian consent for older minors, including users under 18 in India, you must have that consent before using Lorekeeper. If we learn that we have collected data from a child without required consent, we will promptly delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes and, where required by applicable law, request fresh consent before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
10. Contact Us
For any privacy-related questions, data requests, or concerns, please contact us at: support@lorekeeper.cc
We aim to respond to data rights requests within 30 days where GDPR applies, and within the timelines required by other applicable law.