Privacy Policy

Karsten KösterHenriettenweg 1344227 DortmundGermany

Email: info@grimoire-mtg.quest

Grimoire collects and processes the following categories of personal data:

• Account data (email address; magic-link verification token; or OAuth profile data).
• Playgroup content (player names, decks, locations, games, life logs).
• Transactional email data (recipient address and email content processed by Resend).
• Cookies (a single essential session cookie).
• Server logs (IP addresses, request paths, timestamps, user agents).

Each category is detailed in the sections below, including legal basis and retention.

When you create an account, we store your email address. If you sign in with a magic link, we additionally store a short-lived single-use verification token until the link expires or is consumed. If you sign in with Google or Discord, we store the OAuth identifier and basic profile fields returned by that provider (see “OAuth sign-in” below). All account data is stored in a Postgres database on Hetzner servers located in Germany.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Retention: Your account data is retained until you request account deletion.

If you choose to sign in with Google or Discord, the provider sends us your OAuth identifier, email address, and basic profile information (such as your display name). That data is stored on our Hetzner servers in Germany. The provider itself processes the sign-in event under its own privacy policy.

For more information, see Google's Privacy Policy and Discord's Privacy Policy.

Legal basis: Art. 6(1)(b) GDPR (contract performance). International transfer details are listed in “International data transfers” below.

When a playgroup owner adds players, decks, locations, games, or life logs, we store and process that data on the owner's behalf so the service can function. This may include personal data of natural persons who are not themselves account holders — for example, the names of friends recorded as players in a playgroup.

When you enter another person's data, you act as a controller for that data. Under Art. 14 GDPR, the obligation to inform those persons that their data is being processed falls on you as the playgroup owner.

Legal basis: Art. 6(1)(b) GDPR (contract with the playgroup owner) and Art. 6(1)(f) GDPR (legitimate interest of the playgroup in maintaining its records).

Retention: Until the playgroup owner deletes the playgroup or the data within it.

We use Resend to send transactional emails — sign-in magic links and playgroup invitations. Your email address and email content are processed by Resend. Resend is based in the United States.

For more information, see Resend's Privacy Policy.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Grimoire uses a single essential session cookie to keep you signed in. It is HTTP-only and is not used for tracking or advertising. It is strictly necessary for the service to function and is exempt from consent requirements under ePrivacy Directive Art. 5(3) and German TDDDG § 25(2).

We do not use any third-party cookies, analytics cookies, or tracking cookies.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

Our server automatically records IP addresses, request paths, timestamps, and user agents for security and debugging. Server logs are stored on Hetzner servers in Germany and are retained for at most 30 days, after which they are automatically rotated and deleted.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest — security and service stability).

Some of your data is transferred to service providers in the United States:

• Resend (transactional email) — transfers are protected by Standard Contractual Clauses (SCCs); Resend is certified under the EU-US Data Privacy Framework (DPF).
• Google (when used for OAuth sign-in) — transfers are protected by SCCs; Google is certified under the DPF.
• Discord (when used for OAuth sign-in) — transfers are protected by SCCs; Discord is certified under the DPF.

All other data — account data, playgroup content, server logs — remains on Hetzner servers in Germany.

Under the GDPR you have the right to:

• Access your personal data (Art. 15 GDPR).
• Rectify inaccurate data (Art. 16 GDPR).
• Erase your data (Art. 17 GDPR).
• Restrict processing (Art. 18 GDPR).
• Data portability (Art. 20 GDPR).
• Object to processing (Art. 21 GDPR).

To exercise any of these rights, contact us at info@grimoire-mtg.quest. We will respond within 30 days, as required by Art. 12(3) GDPR.

You have the right to lodge a complaint with a supervisory authority. The competent authority for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-WestfalenKavalleriestr. 2-440213 DüsseldorfPostfach 20 04 44, 40102 DüsseldorfPhone: 0211 / 38424-0Email: poststelle@ldi.nrw.deWebsite: www.ldi.nrw.de

For any questions about this Privacy Policy or your personal data, contact us at info@grimoire-mtg.quest.

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.