1.1. This Privacy Policy ("Policy") describes how Frankenstein VTT ("Service", "we", "us", or "our"), accessible at https://frankensteinvtt.com, collects, uses, stores, and protects personal data of its users ("you", "User").
1.2. Data Controller:
1.3. This Policy is drafted in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all Users accessing the Service from the European Union, European Economic Area, or the United Kingdom.
1.4. By registering for and using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, you must discontinue use of the Service.
| Data | Description | Purpose |
|---|---|---|
| Google OAuth identifier (sub) | An opaque external ID from your Google account. This is not your email address | User authentication |
| Display name | A pseudonym chosen by you during registration | In-game identification |
| Country | ISO 3166-1 alpha-2 country code (e.g., "DE", "FR"). Pre-filled via GeoIP at registration; you may override it | Determining data storage region; payment provider routing |
Important: We do not store your email address. Authentication is handled exclusively through Google OAuth; we only receive and store the opaque "sub" identifier from Google. No passwords are stored or processed by the Service.
During your use of the Service, the following data linked to your account is processed:
When you use AI-powered features, we process:
| Data | Description |
|---|---|
| Payment provider | Name of provider (Stripe) |
| External customer ID | Identifier assigned by the payment provider |
| External subscription ID | Subscription identifier in the provider's system |
| Subscription events | Creation, payment success, payment failure, cancellation, refund |
We do not store credit card or payment instrument data. Payment processing is handled entirely by the payment provider (Stripe) in compliance with PCI DSS. Your email address for receipts is collected by the payment provider directly and is not transmitted to us.
| Data | Description | Storage |
|---|---|---|
| IP addresses | Recorded in web server logs | Server logs only; not stored in the database |
| Session data | Current session information | Temporary storage in memory (Redis); deleted upon session expiry |
The Service uses only strictly necessary cookies:
| Cookie | Purpose | Type |
|---|---|---|
| Session JWT token | User authentication (httpOnly; SameSite=Strict; Secure) | Essential |
| Refresh token | Session renewal without re-authentication (httpOnly; SameSite=Strict; Secure) | Essential |
| User preferences | Storing interface preferences | Essential |
We do not use advertising, analytics, or any other tracking cookies.
We process your personal data for the following purposes:
| Legal basis | Data categories | GDPR reference |
|---|---|---|
| Consent | Registration data, AI usage data, cookies | Art. 6(1)(a) |
| Performance of a contract | Data necessary to provide the Service (game data, subscription data) | Art. 6(1)(b) |
| Legitimate interest | Security logs, abuse prevention, anonymized analytics | Art. 6(1)(f) |
| Legal obligation | Subscription event audit trail, server logs | Art. 6(1)(c) |
You may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Phase 1 (current): All personal data, including data of EU Users, is stored on servers located in Moscow, Russia (hosting provider: TimeWeb Cloud). By registering for the Service during Phase 1, EU Users consent to the storage of their data in Russia. Russia is not on the European Commission's list of countries with an adequate level of data protection.
Phase 2 (planned): Personal data of Users whose registered country is outside Russia will be migrated to servers located in Amsterdam, Netherlands (EU). Russian user data will remain in Moscow. After migration, EU user data will be stored within the European Economic Area.
We will notify Users when the Phase 2 migration is complete.
| Data category | Retention period | Deletion method |
|---|---|---|
| Account data (identifier, display name, country) | Until deleted by User | Anonymization upon request (30-day grace period) |
| Game data (rooms, maps, shapes, notes) | Until account deletion | Preserved in anonymized form for other participants |
| AI usage statistics | 1 year | Automated monthly deletion |
| AI call logs | Until monetization model is finalized | Deletion after analysis is complete |
| Saved monsters | Until account deletion | Cascading deletion with account |
| Subscription events | Indefinitely | Retained for audit and compliance purposes |
| Subscription data | Until account deletion | Cascading deletion with account |
| Processed webhooks | 30 days | Automated daily deletion |
| Server logs (including IP addresses) | 90 days | Automated rotation |
| Session data (Redis) | Session lifetime (7 days max) | Automated expiry |
You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to request access to that data. Contact [DPO_EMAIL] to submit an access request.
You may export your personal data in a structured, commonly used, machine-readable format (JSON) through the Service interface:
GET /api/user/export
You may correct your display name through the profile settings in the Service. To request correction of other data, contact [DPO_EMAIL].
You may request deletion of your account and associated personal data:
DELETE /api/user
After anonymization, the remaining game data contains no information that could identify you. This renders the data anonymous and outside the scope of the GDPR.
You have the right to request restriction of processing of your personal data in the following circumstances:
Contact [DPO_EMAIL] to submit a restriction request.
You have the right to object to processing of your personal data based on legitimate interest (Article 6(1)(f)). Upon receiving an objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Contact [DPO_EMAIL] to submit an objection.
You have the right to lodge a complaint with a supervisory authority. If you are in the EU/EEA, you may contact the data protection authority in your country of residence. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
We will respond to all data subject requests within 30 calendar days of receipt. In complex cases, this period may be extended by a further 60 days, in which case we will inform you of the extension and the reasons for the delay within the initial 30-day period, in accordance with GDPR Article 12(3).
During Phase 1, all data (including data of EU Users) is stored in Moscow, Russia. Russia does not benefit from an adequacy decision under GDPR Article 45. The legal basis for this transfer is your explicit consent (GDPR Article 49(1)(a)), given at registration. You are informed of and consent to this arrangement by agreeing to this Privacy Policy.
Upon completion of Phase 2, personal data of non-Russian Users will be stored on servers in Amsterdam, Netherlands (within the EEA). No international transfer of EU user data will occur after migration.
When you use AI features, text prompts (without personal data) may be transmitted to third-party AI model providers. These prompts do not contain your identifier, display name, or any other personally identifying information.
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage:
| Third party | Role | Data shared | Legal basis |
|---|---|---|---|
| Google (Google Ireland Limited) | Authentication provider (OAuth) | "sub" identifier (received from Google; email address is not requested or stored) | Consent (signing in with Google) |
| Stripe (Stripe Payments Europe, Limited) | Payment processing | Payment data is processed by Stripe directly; we receive only the external customer ID and subscription events | Performance of a contract |
| AI model providers | Content generation | Text prompts without personal data | Consent (use of AI features) |
We require all third-party processors to process data in accordance with the GDPR and have appropriate data processing agreements in place.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
The Service is not intended for individuals under the age of 16. By registering, you confirm that you are at least 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a User is under 16, we will delete their account and associated data.
The Service does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you, within the meaning of GDPR Article 22. AI features (monster generation, voice commands) generate game content and do not make decisions about you as a person.
14.1. We may update this Policy from time to time. The current version is always available at https://frankensteinvtt.com/privacy.
14.2. For material changes, we will provide notice through the Service interface at least 14 days before the changes take effect.
14.3. Continued use of the Service after the changes take effect constitutes your acceptance of the updated Policy. If you do not agree with the changes, you should discontinue use of the Service and may request deletion of your data.
For any questions or requests regarding this Privacy Policy or the processing of your personal data:
We are committed to resolving any concerns about your privacy. If you believe that we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.
This Policy and any disputes arising from it shall be governed by the laws of the European Union (GDPR) as they apply to the processing of personal data. For matters not covered by the GDPR, the laws of [GOVERNING_LAW_JURISDICTION] shall apply.