Privacy Policy
Last updated: 17 June 2026
This Privacy Policy explains how TalesNTokens collects, stores, uses, shares, and protects personal data. It should be read with the Cookie Policy, GDPR Data Rights Policy, UK GDPR Compliance Statement, Subprocessor Disclosure Page, Security Policy, Data Retention Policy, and Terms of Service.
Definitions
"TalesNTokens", "we", "us", and "our" means the operator of the TalesNTokens platform.
"Platform" means the TalesNTokens website, Nuxt application, APIs, WebSocket services, sandbox tools, game rooms, map builder, marketplace, creator upload tools, bridge tools, and related services.
"User" means any visitor, account holder, player, game master, creator, buyer, or sandbox user.
"Personal data" means information relating to an identified or identifiable person.
"User Content" means maps, tokens, character sheets, notes, chat messages, uploaded files, marketplace assets, creator listings, profile information, room data, and other content submitted by users.
"Processor" or "subprocessor" means a third party that processes personal data for TalesNTokens.
Scope
This policy applies to all users of the Platform, including UK, EEA, and international users. It covers account services, public and private game rooms, WebSocket play sessions, user-generated maps, tokens, character sheets, notes, creator uploads, marketplace transactions, support, safety reporting, sandbox sessions, analytics, and security operations.
This policy does not cover third-party websites or services that users access separately, such as Stripe Checkout, Discord, Roll20, Foundry, Google, or external creator links, except where we describe how we use those providers as subprocessors.
Architecture Audit Summary
The current platform architecture reviewed for this policy includes:
- Nuxt and TypeScript frontend pages for account access, rooms, maps, sandbox, bridge, checkout, and settings.
- Supabase Auth for passwordless email magic-link authentication and Supabase client session storage.
- PostgreSQL via Prisma for users, invite codes, rooms, memberships, game state, gameboards, character sheets, notes, uploaded asset metadata, map packages, sandbox sessions, mailing-list signups, and founder reservation records.
- Supabase Storage for repository assets, character images, bridge snapshots, and uploaded image assets.
- Stripe Checkout and Stripe webhooks for paid supporter access and planned digital marketplace payments.
- Resend for transactional email.
- Fly.io-hosted Socket.IO and WebSocket services for real-time rooms and bridge sessions.
- Cloudflare for DNS, security, caching, and edge delivery where configured.
- Google Analytics and Google Tag Manager script loading when analytics is enabled.
- Google Fonts loading from Google domains.
- Client localStorage and sessionStorage for Supabase auth sessions, theme preferences, invite-code state, room caches, chat cache, character cache, map-drawing drafts, tutorial flags, bridge session data, and gameboard version markers.
- HttpOnly
tnt_sandboxcookie for anonymous sandbox sessions. - User-generated content flows for maps, tokens, character sheets, notes, room state, uploaded files, creator listings, and purchasable digital content.
The audit also identified launch gaps documented in the Architecture Audit and Compliance Gap Analysis, including missing in-app privacy controls, consent management, account deletion automation, marketplace payout records, reporting workflows, moderation tooling, and complete audit logging.
Data Inventory
| Data type | Purpose | Legal basis | Retention period | Storage location | Third-party processors |
|---|---|---|---|---|---|
| Account email, Supabase user ID, internal user ID | Authentication, account access, identity matching, support | Contract; legitimate interests; legal obligation where records are required | Account lifetime, then deletion or anonymisation within 30 days unless retention is required | Supabase Auth, Supabase Postgres | Supabase |
| Magic-link authentication events, access tokens, refresh tokens | Sign-in, session continuity, fraud prevention | Contract; legitimate interests | Supabase-managed session period; client token until logout, expiry, or deletion | Supabase Auth; browser localStorage key supabase.auth.token | Supabase |
| Invite codes, invitation status, invited date | Access control for early access and private beta | Contract; legitimate interests | Account lifetime plus 6 years for access records where needed | Supabase Postgres | Supabase |
| Nickname, room nickname, theme preference, custom theme colour | Personalisation and room identity | Contract; legitimate interests | Account lifetime or until changed/deleted | Supabase Postgres; browser localStorage | Supabase |
| Sandbox session token hash, display name, IP hash, user-agent hash, last seen, expiry | Anonymous sandbox access, abuse prevention, rate limiting | Legitimate interests | 24 hours after creation or until cleanup, unless abuse investigation requires longer | Supabase Postgres; tnt_sandbox HttpOnly cookie | Supabase, Cloudflare, Fly.io where routed |
| Rooms, room names, memberships, roles, preferences | Creating and running game rooms | Contract; legitimate interests | Until room deletion or account deletion, subject to backups | Supabase Postgres | Supabase |
| Game state, tokens, map assets, initiative state, dynamic lighting, room settings | Real-time virtual tabletop functionality | Contract; legitimate interests | Until room/gameboard deletion or account deletion, subject to backups | Supabase Postgres; Fly.io WebSocket memory/logs during sessions | Supabase, Fly.io |
| User-generated maps and map packages | Saving, editing, sharing, exporting maps | Contract; legitimate interests | Until deletion by user or account deletion, subject to backups | Supabase Postgres; client localStorage drafts | Supabase |
| Character sheets, character info, equipment, spells, profile pictures | Character sheet functionality and room sharing | Contract; legitimate interests | Until deletion by user, room deletion, or account deletion, subject to backups | Supabase Postgres; Supabase Storage; localStorage/sessionStorage caches | Supabase |
| Notes and custom compendium data, including HTML content | Campaign notes and custom game data | Contract; legitimate interests | Until deletion by user, room deletion, or account deletion, subject to backups | Supabase Postgres; localStorage caches | Supabase |
| Uploaded assets, maps, tokens, images, MIME type, file size, storage path | Repository storage, display, download, marketplace listings | Contract; legitimate interests; legal obligation for takedowns | Until deletion, takedown, room deletion, account deletion, or marketplace record expiry | Supabase Storage and Supabase Postgres | Supabase, Cloudflare where cached |
| Creator profile, listings, asset categories, licence options, revenue share records | Marketplace publishing, licensing, payouts, compliance | Contract; legal obligation; legitimate interests | Listing lifetime plus 6 years for transaction, tax, and dispute records | Supabase Postgres; Stripe | Supabase, Stripe |
| Buyer purchase records, licence grants, downloads | Marketplace fulfilment, proof of licence, support | Contract; legal obligation | 6 years after transaction or longer if legally required | Supabase Postgres; Stripe | Supabase, Stripe |
| Payment email, Discord username, Stripe session ID, payment intent ID, amount, currency, status, reservation tier | Checkout, supporter access, receipts, fraud prevention, accounting | Contract; legal obligation; legitimate interests | 6 years after transaction or longer if required for tax/disputes | Supabase Postgres; Stripe | Stripe, Supabase |
| Mailing-list email and signup source | Sending requested updates and managing subscriptions | Consent; legitimate interests for suppression records | Until unsubscribe, then suppression record retained as needed | Supabase Postgres; email provider if emails are sent | Supabase, Resend |
| Transactional email recipient, message ID, sent date | Sending confirmations, security, support | Contract; legitimate interests; legal obligation | 2 years for delivery logs unless needed for disputes | Resend; Supabase Postgres for confirmation metadata | Resend, Supabase |
| Analytics events, page path, page title, approximate device/browser metadata | Usage measurement and product improvement | Consent where required for non-essential analytics; legitimate interests for aggregated internal measurement where lawful | Up to 26 months or configured analytics retention period | Google Analytics | |
| Cookies, localStorage, sessionStorage keys | Authentication, sandbox, preferences, caching, analytics consent, room continuity | Contract for essential storage; consent for non-essential storage | Depends on item; see Cookie Policy | User browser; Google Analytics cookies | Supabase, Google |
| WebSocket events, room IDs, user IDs, player names, dice rolls, chat messages, bridge IDs, snapshots | Real-time play, synchronization, bridge operation | Contract; legitimate interests | Transient during session unless persisted as game state, chat cache, bridge snapshot, or logs | Fly.io socket service; Supabase Storage for uploaded snapshots | Fly.io, Supabase |
| Support, legal, copyright, privacy, reporting, appeal correspondence | Responding to requests and enforcing policies | Legitimate interests; legal obligation; vital interests in safety cases | 6 years for legal/support records, or shorter where not needed | Support inboxes and internal systems | Resend/email provider, Cloudflare, Supabase where stored |
| Moderation, reporting, safety, enforcement, appeal records | Safety, fraud prevention, legal compliance, platform integrity | Legitimate interests; legal obligation; vital interests | 2 years after closure, or 6 years for serious/legal cases | Internal moderation systems; Supabase once implemented | Supabase, Cloudflare, email provider |
| Security logs, IP addresses, user agents, request metadata, rate limits | Security, incident response, abuse prevention | Legitimate interests; legal obligation | 90 days by default; longer for incidents | Cloudflare, Fly.io, Supabase logs, server logs | Cloudflare, Fly.io, Supabase |
| Backups | Recovery, integrity, resilience | Legitimate interests; legal obligation | Rolling backup cycle up to 90 days unless otherwise configured | Supabase backups, infrastructure backups | Supabase, Fly.io |
Data Collected
We collect data directly from users, automatically from the service, and from trusted providers:
- Information users submit, such as email, display name, room names, maps, tokens, character sheets, notes, uploads, marketplace listings, support requests, reports, appeals, and copyright notices.
- Account and session data from Supabase Auth.
- Payment and checkout data from Stripe.
- Email delivery metadata from Resend.
- Technical data from browsers, devices, WebSocket connections, Cloudflare, Fly.io, Supabase, and server logs.
- Analytics data from Google Analytics where enabled and consented to where required.
Data Stored
We store production data primarily in Supabase Postgres and Supabase Storage. Session and cache data may be stored in browser localStorage, sessionStorage, cookies, Fly.io WebSocket memory, Cloudflare logs, and provider logs. Payment card details are not stored by TalesNTokens and are handled by Stripe.
Data Processed
We process data to:
- provide accounts, rooms, maps, tokens, character sheets, notes, sandbox sessions, marketplace purchases, creator uploads, and digital content delivery;
- authenticate users and protect invite-only access;
- synchronize game sessions through WebSockets;
- store, display, process, back up, and share User Content within platform functionality;
- process payments, refunds, disputes, chargebacks, and tax/accounting records;
- send transactional emails and requested updates;
- moderate content, respond to reports, enforce policies, and manage appeals;
- investigate fraud, malware, exploits, stolen assets, and marketplace scams;
- comply with UK GDPR, EU GDPR, consumer, copyright, platform safety, tax, and payment obligations;
- improve performance, reliability, and product design.
Third-Party Services Used
Current and planned processors include Supabase, Stripe, Resend, Fly.io, Cloudflare, Google Analytics, Google Fonts, and hosting/build infrastructure. See the Subprocessor Disclosure Page for the current list and processing roles.
User-Generated Content Flows
Users retain ownership of User Content. Users grant TalesNTokens only the limited licence described in the Terms of Service and Marketplace Terms for hosting, displaying, processing, backing up, and sharing User Content within platform functionality.
The platform must never claim ownership of user-created maps, tokens, character sheets, notes, uploaded assets, creator listings, or marketplace content.
UGC may flow through Supabase Postgres, Supabase Storage, browser storage, Fly.io WebSockets, Cloudflare edge services, marketplace pages, private room sharing, public room sharing if enabled, and moderation/reporting queues.
Authentication Methods
The platform uses Supabase passwordless magic-link authentication. The app stores Supabase session data in browser localStorage using the supabase.auth.token key. The platform also uses invite-code checks for access control and an HttpOnly tnt_sandbox cookie for anonymous sandbox sessions.
TalesNTokens does not directly store plaintext passwords. Password handling and email OTP delivery are handled by Supabase unless a future authentication method is added.
Payments And Marketplace Data
Stripe processes payment information. TalesNTokens receives limited transaction metadata such as email, amount, currency, session ID, payment intent ID, payment status, tier, and refund or dispute status. Marketplace purchases, licences, refunds, revenue share, chargebacks, and creator payouts are governed by the Marketplace Terms, Creator Agreement, and Refund Policy.
Analytics And Tracking
Google Analytics may collect page views and browser/device metadata where analytics is enabled. Analytics and marketing storage require consent where required by UK PECR, EU ePrivacy rules, UK GDPR, and EU GDPR. See the Cookie Policy.
Cookies And Local Storage
We use essential cookies and local storage for authentication, sandbox sessions, preferences, room continuity, and caching. Non-essential analytics and marketing storage must not be used unless the user has given valid consent where required. See the Cookie Policy.
Email Systems
We use Supabase for authentication emails and Resend for transactional emails such as reservation confirmations. Marketing emails require opt-in consent or another lawful basis and must include an unsubscribe method.
Moderation And Reporting
We process reports and moderation data to enforce the Acceptable Use Policy, Community Guidelines, Content Moderation Policy, Child Safety Policy, User Reporting Policy, and Trust and Safety Policy.
File Uploads
File uploads may include maps, tokens, images, profile pictures, creator assets, and marketplace content. Uploads are subject to file-size limits, content restrictions, copyright checks, malware controls, and moderation. Users must not upload malware, pirated content, stolen assets, or unlawful content.
Asset Ownership Model
Users and creators retain ownership of their original assets. Buyers receive only the licence described at purchase. TalesNTokens receives only the limited platform licence necessary to operate the service. Marketplace licence categories are defined in the Marketplace Terms.
User Reporting Systems
Users may report illegal content, abuse, copyright infringement, child safety risks, marketplace scams, stolen assets, malware, fraud, harassment, hate speech, and policy violations under the User Reporting Policy. Reports may be reviewed manually, escalated to external providers, and reported to lawful authorities where required.
International Transfers
Some processors may process data outside the UK or EEA. Where required, we rely on adequacy regulations, the EU Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, Data Privacy Framework participation where applicable, or another lawful transfer mechanism. See the UK GDPR Compliance Statement and Subprocessor Disclosure Page.
User Obligations
Users must:
- provide accurate account, payment, creator, and contact information;
- keep account access secure and promptly report unauthorized access;
- use the platform only for lawful purposes;
- upload only content they own or are licensed to use;
- honour buyer and creator licence terms;
- avoid uploading sensitive personal data unless strictly necessary for play;
- avoid uploading children's personal data unless lawful and appropriate;
- comply with the Acceptable Use Policy, Copyright and DMCA Policy, and Marketplace Terms.
Platform Obligations
TalesNTokens will:
- process personal data lawfully, fairly, and transparently;
- collect only data reasonably needed for the stated purposes;
- maintain appropriate technical and organisational security measures;
- maintain processor and subprocessor disclosures;
- provide rights procedures for access, deletion, correction, portability, objection, restriction, and withdrawal of consent;
- maintain cookie consent controls for non-essential storage;
- respond to valid legal, safety, copyright, consumer, and data rights requests;
- preserve User Content ownership and avoid claiming ownership of user-created content;
- maintain deletion, retention, moderation, appeals, and breach response procedures.
Contact Procedures
Privacy and data rights: privacy@talesntokens.com General support: support@talesntokens.com Safety reports: safety@talesntokens.com Copyright notices: copyright@talesntokens.com Security reports: security@talesntokens.com
Requests should include the account email, relevant room/listing/content IDs, the right or issue being raised, and enough information for us to verify the request. We may request additional verification before disclosing or deleting account data.
Enforcement Procedures
If privacy or data misuse is reported, TalesNTokens may investigate, preserve relevant records, restrict access, remove content, suspend accounts, notify processors, notify regulators, notify affected users, or take other steps required by law and platform safety.
Appeals And Complaints
Users may appeal privacy-related enforcement decisions by contacting privacy@talesntokens.com within 30 days of the decision. Users may also complain to the UK Information Commissioner's Office or their local EU data protection authority. Moderation appeals are handled under the Content Moderation Policy.