1. Who We Are
EncounterCraft is operated from the Netherlands. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch privacy law.
For privacy inquiries, contact us at [email protected]
2. Data We Collect
We collect the following data when you use EncounterCraft:
Account Information
- Name and email address (provided by Discord or Google OAuth)
- Profile picture URL (from your OAuth provider)
- OAuth provider identifier
Usage Data
- Encounters you create and their content
- NPC descriptions and AI-generated images associated with your encounters
- Monthly usage counters (encounters generated, images generated, abilities generated)
Billing Information
- Stripe customer ID and subscription ID
- Subscription status and billing dates
- Payment details are handled entirely by Stripe — we never store card numbers
3. How We Use Your Data
We use your data to:
- Authenticate you and maintain your account
- Provide the encounter creation and AI generation features
- Track usage limits and enforce subscription tier restrictions
- Process payments and manage your subscription via Stripe
- Respond to support requests
Legal basis (GDPR): Processing is based on the performance of a contract (providing the Service you signed up for) and our legitimate interest in operating the Service securely.
4. Third-Party Services
We share data with the following third parties to operate the Service:
OpenAI
Your encounter inputs are sent to OpenAI's API to generate encounter content and images. OpenAI's privacy policy applies to this processing.
Stripe
Handles all payment processing. Your email is shared with Stripe to create a billing customer. Stripe's privacy policy applies.
Discord / Google
Used for authentication only. We receive your name, email, and profile picture from your chosen OAuth provider.
Railway (Database Hosting)
Your data is stored in a PostgreSQL database hosted on Railway's infrastructure.
5. Data Retention
We retain your account data and encounters for as long as your account is active. If you delete your account, your personal data and encounters will be permanently deleted within 30 days. Billing records may be retained for up to 7 years as required by Dutch financial regulations.
6. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Portability — request your data in a machine-readable format
- Restriction — request we limit how we process your data
- Object — object to processing based on legitimate interests
To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
7. Cookies
We use a session cookie strictly necessary for authentication (NextAuth.js). We do not use tracking, advertising, or analytics cookies. No third-party cookies are set by EncounterCraft.
8. Security
We use HTTPS for all data transmission, secure OAuth for authentication, and industry-standard database security. We never store passwords. Payment data is handled entirely by Stripe and never touches our servers.
9. Children's Privacy
EncounterCraft is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Service or by email. Continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
For any privacy-related questions or to exercise your rights, contact us at [email protected]