Legal

Privacy Policy

Last updated: March 2026 · D&D Sync

1. Who We Are

D&D Sync is a personal D&D session companion app for managing character sheets, campaigns, and initiative tracking. This policy explains what data we collect, why we collect it, and how we handle it.

2. Data We Collect

Account information — username, email address, and a bcrypt-hashed password when you register.
Character & campaign data — everything you enter into your character sheets and campaigns (stats, notes, inventory, spell slots, etc.). This data is stored server-side to enable syncing across sessions and devices.
Server logs — basic access logs (IP address, timestamps, HTTP method) retained for security and debugging. These are not linked to user profiles and are rotated regularly.

We do not use advertising networks, analytics trackers, or any form of third-party behavioural tracking.

3. How We Use Your Data

To authenticate you and keep your session secure.
To store and sync your characters and campaign data across sessions.
To send password-reset emails when you explicitly request one.
To allow your Game Master to view party stats in the GM overview (only within campaigns you join).

We do not sell, rent, share, or monetise your personal data in any way.

4. Third-Party Services

We load fonts from Google Fonts (fonts.googleapis.com / fonts.gstatic.com). This causes your browser to connect to Google's servers, which may log your IP address per Google's Privacy Policy. No other third-party scripts, SDKs, or trackers are loaded.

5. Data Storage & Security

Your data is stored in a SQLite database on our server. Passwords are hashed with bcrypt and are never stored or transmitted in plain text. Authentication tokens are short-lived JWTs stored only in your browser's localStorage.

We apply reasonable technical and organisational measures to protect your data. No internet-connected system can guarantee absolute security.

6. D&D 5e Game Content

Spell, monster, and item reference data is sourced from the community 5etools dataset. Access to this full content requires your explicit consent, which you can grant or revoke at any time in Profile → Content Licence. Without consent, only SRD-licensed content is shown. We do not host or redistribute this content commercially.

7. Your Rights

Access & export — you can export all your characters as JSON at any time from Profile → Export & Import.
Correction — update your email address and password directly in Profile Settings.
Deletion — contact us to permanently delete your account and all associated data. We will process requests within 30 days.
Portability — exported character JSON files are self-contained and can be re-imported into another instance of D&D Sync.

If you are in the EU/EEA you additionally have rights under the GDPR, including the right to lodge a complaint with your local supervisory authority.

8. Cookies & Local Storage

We do not set any cookies. We use browser localStorage to store:

dnd_token — your authentication token (cleared on sign-out).
dnd_theme / dnd_theme_dark — your UI theme preference.
dnd_realm — your active realm/campaign info for display purposes.
dnd_user — your username and user ID for display purposes.

None of this data is transmitted to anyone other than our own server during normal API requests.

9. Changes to This Policy

We may update this policy when we add new features or when legal requirements change. The "last updated" date at the top of this page will reflect any changes. Continued use of D&D Sync after changes are posted constitutes acceptance of the updated policy.

10. Contact

For privacy questions, data access requests, or deletion requests, reach out via our Discord or via the contact details in our Impressum.