Privacy Policy

We collect the following categories of information:

• Account & identity. When you sign in with an OpenID Connect provider (currently Google), we receive your verified email address, your name, your profile picture URL, and a provider account identifier. You may later set or change a username and display name.
• Campaign content you create. Realms, worlds, NPCs, adventurers, maps, locations, factions, lore, calendars, notes, relationships, and similar material. Much of this is stored locally in your browser (see Cookies & local storage); some is saved to our servers so it can sync and power shared features.
• AI generation inputs and outputs. The prompts, notes, and context you submit to generate content, and the text and images produced in response.
• Uploads & assets. Images, maps, and other files you upload, stored locally and/or in cloud storage.
• Communications. If you join a waitlist or contact us, we collect your email address and the contents of your message.
• Technical & usage data. Information collected automatically when you use the Service, such as IP address, browser and device information, request identifiers, and server logs used for security and reliability.

• Provide, operate, secure, and improve the Service.
• Authenticate you and keep your account and content safe.
• Generate content you request through AI features.
• Communicate with you about the Service, including product updates you opted into.
• Detect, prevent, and respond to fraud, abuse, and security incidents.
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information, and we do not use your campaign content or prompts for advertising.

To generate content, your prompts and the relevant campaign context are sent to third-party AI providers (for example, OpenAI) or, where configured, to self-hosted models. We send only what is needed to produce the result you asked for, and we use provider settings that, where available, disable use of your inputs to train the provider’s models. AI output may be inaccurate or generic and is provided for your review — you are responsible for what you choose to keep and use. Our internal audit logs record identifiers and roles, not the contents of your prompts.

We use a strictly necessary, encrypted session cookie to keep you signed in. We do not use third-party advertising cookies. The application also stores a significant portion of your campaign data in your browser’s local storage so it works quickly and offline; that data stays on your device unless it is synced to power a server-side feature, and you can clear it through your browser.

We share information only with service providers that help us run the Service, and only as needed:

• Google — “Sign in with Google” authentication, and Google Cloud Platform for hosting and file storage.
• AI providers (e.g. OpenAI) — to generate the content you request.
• Email provider (Resend) — to deliver product-update and transactional email.

We may also disclose information if required by law, to protect rights and safety, or in connection with a corporate transaction (e.g. a merger or acquisition). We do not sell personal data.

We keep your account information for as long as your account is active, and content for as long as you keep it in the Service. We retain limited logs for security and legal purposes for a reasonable period. When you delete content or your account, we delete or anonymize the associated personal data within a reasonable time, except where we must retain it to comply with law or resolve disputes.

We authenticate users with OpenID Connect and do not store passwords. Identity tokens are handled server-side and are not exposed to your browser. Traffic is encrypted in transit (HTTPS). No method of transmission or storage is perfectly secure, but we take reasonable measures to protect your information.

Our providers (including Google, OpenAI, and Resend) may process data in the United States and other countries. Where required, we rely on appropriate safeguards for such transfers.

Depending on where you live (for example, under the GDPR or similar laws), you may have the right to access, correct, delete, export, or restrict processing of your personal information, to object to certain processing, and to withdraw consent. You can edit your profile in-app, and you can exercise other rights by contacting us at contact@dmrealm.com. You also have the right to lodge a complaint with your local data protection authority.

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.

We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you. Your continued use of the Service after changes take effect constitutes acceptance.

Questions about this Policy or your data? Email contact@dmrealm.com. See also our Terms of Service.