Privacy policy
Myth-Kit ("we", "our", or "the app") is a D&D 5e companion application. This policy describes how we collect, use, and protect your information.
Who operates Myth-Kit
Myth-Kit is operated by the project maintainers, who act as the data controller for personal information described here (unless another party is identified for a specific activity, such as Stripe for card processing). For privacy or data requests, use the Support contact in the app (Settings → Legal & Attribution) or the Contact form on this website.
This website (www.myth-kit.com)
If you use the Contact form, we collect the name, email, and message you send so we can respond. We do not sell that information. Hosting and delivery (for example Cloudflare) may process technical data such as IP address for delivery and security; see their privacy notices. Static pages may use local storage in your browser only for preferences you choose (for example theme), not for cross-site advertising.
Information we collect
- Account data: When you register, we collect and store your email address, username, and a hashed version of your password. We do not store your password in plain text.
- Referrals: If you register using another user’s referral code, we store a link between your account and that referrer’s account (and related promotion dates) for referral benefits.
- Content you create: If you use server sync, we store characters, campaigns, and homebrew linked to your account.
- Device/local data: The app may store data locally on your device. When you use the API, we also store account and synced content on our servers.
- Push notifications: If you opt in, we register your device (FCM on Android; web push on PWA) and store tokens or subscription data on our servers so we can send notifications you enable (for example scheduled games, campaign activity, mentions, or billing reminders, according to your in-app preferences). You can revoke permission in device or browser settings.
- Payments (Pro): Purchases and subscriptions are processed by Stripe. We do not receive or store your full card number on our servers. We receive payment status and identifiers (such as customer and subscription identifiers) from Stripe. Stripe’s privacy policy governs how Stripe handles payment data.
- Product usage (first-party): When the app is configured to use our API, we may record which in-app screens you open, approximately how long you stay on them, and an optional app build or version label. The app stores a random session identifier in session storage. If you are logged in, events may include your account user id for aggregate statistics only. We use this to understand feature usage, not for advertising, and we do not sell this data. Operator analytics views (for example /admin) are not included in routine product statistics.
We do not sell your personal information as defined under the CCPA/CPRA (California). We do not use third-party analytics or advertising trackers in the app’s own code. Google may process limited data when you use Google Play services and FCM on Android; see Google’s policies for those services.
Google Play and Firebase (Android)
If you install from Google Play or use Firebase Cloud Messaging, Google may process data as described in Google’s documentation. We use FCM to deliver user-requested push notifications, not for advertising.
How we use your information
- To provide and maintain your account (login, password reset, sync).
- To send transactional emails (welcome, password reset, campaign invitations) when you or another user requests them.
- To serve synced characters, campaigns, and homebrew when you use the app with the API.
- To send push notifications you have opted into, according to your preferences.
- To process Pro subscriptions and entitlements via Stripe.
- To operate referral benefits when you sign up with a valid referral code.
- To measure aggregate in-app navigation and time-on-screen (first-party analytics).
- To respond to Contact form messages and support requests.
- To comply with legal obligations and protect the security and integrity of the service.
Legal bases (EEA, UK, and similar jurisdictions)
Where GDPR or similar laws apply, we rely on performance of a contract with you; legitimate interests in operating, securing, and improving Myth-Kit (including aggregate product analytics and abuse prevention), where those interests are not overridden by your rights; consent where required (for example push permissions); and legal obligation where applicable.
Your rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal information, to restrict or object to certain processing, or to withdraw consent where processing is consent-based. You may lodge a complaint with a data protection supervisory authority. Many requests can be fulfilled through in-app export, account deletion, and Support; we respond within timeframes required by applicable law where those laws apply.
California residents (CCPA/CPRA): You have the right to request access to categories and specific pieces of personal information we hold, to request deletion, and to request correction of inaccurate information, subject to exceptions. We do not “sell” or “share” personal information for cross-context behavioral advertising as those terms are commonly used in California law. We will not discriminate against you for exercising these rights. Submit a request via Support or Contact.
Children
Myth-Kit is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact us and we will take appropriate steps to delete it.
Where your data is stored and international transfers
Account data and synced content are stored on our database with hosting providers we select. Local copies may exist on your device. Your information may be processed in the United States and in other countries where we or our subprocessors operate. Where required, we use appropriate safeguards for international transfers (for example contractual clauses approved by regulators).
Data portability and export
In the app: Settings → Legal & Attribution → Export my data. When logged in with the API, use Download my data from server to fetch server-stored data.
Data retention
We retain your account and synced data for as long as your account exists. After account deletion, we delete or anonymize your data in line with our retention and backup policies (backups may persist for a limited period before rotation).
Account deletion
Use Delete my account in Settings (or Legal & Attribution), or contact support. Deletion is irreversible once processed.
Security
We use industry-standard practices (hashed passwords, encrypted connections in transit) to protect your data. You are responsible for keeping your login credentials secure.
Changes to this policy
We may update this policy; the Last updated date will change. Where required by law, we will provide additional notice. Continued use of the app or website after changes constitutes acceptance of the updated policy where permitted by law.
Contact
For privacy questions or data requests, use Contact or the Support email/URL in the app.