Privacy Policy

Last updated: 2026-04-16

1. Data Controller

The data controller is Jonathan Witczak, sole proprietor, 22 Rond-Point des Arènes, 13200 Arles, France (SIREN 804 874 907). Contact: contact@mytavern.app. No Data Protection Officer has been appointed; requests relating to personal data are handled at the address above.

2. Data Collected

We collect the following categories of personal data:

  • Authentication: email address, hashed password, OAuth provider metadata (display name, avatar URL from Google or Discord)
  • Profile: display name, username, tag, pronouns, description, avatar, banner, language preference, online status
  • Content: D&D characters, text blocks, knowledge base entries, spells, inventory, character families
  • Games: campaigns, invitations (invitee email), game membership
  • Social: friendships, friend notes, friend request tokens
  • Technical: rate-limit counters (action type, timestamp, count per user), waitlist emails

3. Purposes and Legal Basis

  • Providing the service (character management, games, social features) — legal basis: performance of contract
  • Authentication and account security — legal basis: performance of contract
  • AI-assisted writing (character content sent to OpenAI) — legal basis: explicit consent
  • Email notifications (game invites, friend requests) — legal basis: legitimate interest
  • Marketing communications — legal basis: explicit consent (opt-in)

4. Legal Basis for Processing

Each purpose listed above relies on one of the legal bases set out in Art. 6 GDPR: contract performance (service, authentication, account retention), consent (AI assistant, marketing communications), legitimate interest (security, abuse prevention, functional notifications), or legal obligation (retention of security logs, response to lawful requests).

5. Data Recipients and Sub-processors

Your data may be shared with the following sub-processors:

  • Supabase Inc. — Database hosting, authentication, file storage, Edge Functions (Singapore)
  • Vercel Inc. — Frontend hosting and CDN (USA)
  • OpenAI — AI text generation — character content and chat history are sent to generate text (USA). Transfers are covered by the OpenAI DPA and the European Commission Standard Contractual Clauses (SCC).
  • Resend — Transactional emails — recipient email, sender name, game/character details (USA)
  • Cloudflare — CAPTCHA (Turnstile) for bot protection — IP address, browser fingerprint
  • Google — OAuth authentication — email, profile picture, display name. Google Fonts — IP address for font delivery
  • Discord — OAuth authentication — email, username, avatar
  • Giphy — GIF search API — search queries (no personal data sent)

6. International Data Transfers

Some sub-processors are located outside the European Union (USA, Singapore). Transfers rely on the Standard Contractual Clauses (SCC) adopted by the European Commission under Art. 46 GDPR, supplemented where necessary by additional measures (encryption in transit, data segregation). No data is transferred to a country lacking an equivalent framework.

7. Data Retention

Retention periods are as follows:

  • Active account — for as long as the service is used
  • Inactive account (no login for 3 years) — notification, then deletion
  • Rate-limit counters — rolling 24 hours
  • Waitlist emails — 12 months maximum
  • Account deleted by the user — permanent deletion after a 30-day grace period
  • Security logs — up to 12 months

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate data via your profile settings
  • Right to erasure (Art. 17) — delete your account and all associated data via Settings
  • Right to data portability (Art. 20) — export your data in JSON format via Settings
  • Right to restriction of processing (Art. 18)
  • Right to object (Art. 21) — object to processing based on legitimate interest

To exercise your rights, write to contact@mytavern.app stating your identity and the nature of your request. A response is provided within one month at most.

You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) or your local supervisory authority.

9. Cookies and Third-Party Services

myTavern uses strictly necessary cookies for authentication (Supabase session). Third-party services (Google Fonts, Cloudflare Turnstile, Giphy) may set functional cookies. You can manage your preferences via the cookie consent banner displayed on first visit.

10. AI Processing

When you use the AI assistant, your character content (name, class, species, backstory text, knowledge base entries) and chat messages are sent to OpenAI (GPT-4o-mini) for text generation. This data is processed in the USA under the OpenAI DPA and Standard Contractual Clauses (SCC). OpenAI contractually commits not to use data submitted via the API to train its models. By using the AI feature, you explicitly consent to this transfer. You can use myTavern without the AI feature.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or in-app notification. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For any question regarding the processing of your personal data, contact us at contact@mytavern.app or by post to Jonathan Witczak, 22 Rond-Point des Arènes, 13200 Arles, France.