Privacy Policy
What this is
Scriptorium Arcanum is a small-scale tool for plotting Dungeons & Dragons campaigns. We try to keep things small and honest: we collect what we need to log you in, store your campaigns, and handle Pro subscriptions for the users who buy them - and nothing else. This document explains exactly what that means.
Who runs it
The data controller is the operator of Scriptorium Arcanum, reachable at fizzyparanoia@gmail.com. Send any privacy questions, data requests, or complaints to that address. We'll respond within 30 days, faster on weekdays.
What data we collect
The bare minimum needed to run the app:
- Email address - your login, password reset destination, and the channel for transactional notifications (verification, billing receipts, gift-code delivery).
- Hashed password - never stored in plain text; we use bcrypt.
- Campaign content you create - characters, locations, sessions, notes, plans, chat history with the AI sage, player character sheets if you join a campaign as a player. This is the entire point of the app, so naturally it gets stored.
- Pro subscription state (only if you upgrade) - your Stripe customer ID, current plan, billing period end, cancellation flag, founder slot number, and an aggregated count of AI calls / spend on the managed key (so we can enforce the monthly cap). We do NOT see or store your card; Stripe does.
- Standard server logs - IP address and request metadata, kept briefly for abuse prevention and rate limiting, then rotated out within 14 days.
- Cookieless analytics - aggregated page views and a small list of custom events (which CTA you saw, which plan you clicked) via Plausible. No cookies, no fingerprinting, no personal identifiers - just "N visitors saw the upgrade modal this week". See "Analytics" below.
We do not collect: real names, phone numbers, addresses, location data, or browsing history outside our own site. When we're running paid advertising on Meta (Facebook / Instagram), the Meta Pixel may load on our public marketing pages only (landing, /demo, legal pages, login / register, gift redemption) - never inside the authenticated app. See "Marketing pixels (Meta)" below for exactly what that means.
AI keys and AI providers
Free tier (BYOK). Scriptorium Arcanum is "bring your own key". Your AI provider key (Anthropic, Google Gemini, or OpenRouter) lives in your browser's localStorage and is sent with each AI request to our backend, which immediately forwards it to your chosen provider. We do not log the key value, and we redact it from any error traces.
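What "we do not log the key value, and we redact it from any error traces" looks like in practice, as an added illustration that is not Scriptorium Arcanum's own code: a logging filter that scrubs the forwarded key from the message, its format arguments and the attached traceback before anything is written. The hard case it handles is an upstream provider error that echoes the request headers, key included, back in its message. The key prefix patterns are assumptions about provider key formats and serve only as a second line of defence behind exact-value redaction; the scenario in demo() is constructed.

```python
"""Scrub a BYOK provider key from log records and error traces.

Added illustration, not Scriptorium Arcanum's own code. It assumes the
backend holds the user's key for the duration of one proxied request and
wants the raw value kept out of logs even when an upstream error message
echoes the request headers back. The key prefixes are assumptions about
provider key formats, used only as a second line of defence.
"""
import logging
import re

REDACTED = "[REDACTED]"

# Prefix patterns catch keys the filter was not explicitly told about.
KEY_PATTERNS = [
    re.compile(r"sk-ant-[A-Za-z0-9_\-]{20,}"),  # assumed Anthropic key shape
    re.compile(r"sk-or-[A-Za-z0-9_\-]{20,}"),   # assumed OpenRouter key shape
    re.compile(r"AIza[A-Za-z0-9_\-]{35}"),      # assumed Google API key shape
]


def redact(text, known_secrets=()):
    """Replace exact known secret values first, then anything matching a key pattern."""
    for secret in known_secrets:
        if secret:
            text = text.replace(secret, REDACTED)
    for pattern in KEY_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Rewrites each LogRecord in place: message, string format args and attached traceback."""

    def __init__(self, known_secrets=()):
        super().__init__()
        self.known_secrets = list(known_secrets)

    def _scrub(self, value):
        return redact(value, self.known_secrets) if isinstance(value, str) else value

    def filter(self, record):
        record.msg = self._scrub(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: self._scrub(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(self._scrub(a) for a in record.args)
        if record.exc_info:
            # Render the traceback here and drop exc_info, so no later formatter
            # can re-render the unredacted exception text.
            trace = logging.Formatter().formatException(record.exc_info)
            record.exc_text = redact(trace, self.known_secrets)
            record.exc_info = None
        return True


def build_logger(name, known_secrets=()):
    """Logger whose handler redacts before formatting; returns it with a capture list."""
    captured = []

    class CaptureHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = CaptureHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter(known_secrets))  # runs before format()
    logger.addHandler(handler)
    return logger, captured


def proxy_ai_call(user_key, prompt, call_provider, logger):
    """Forward the prompt with the user's key; on failure log a redacted trace and re-raise."""
    try:
        return call_provider(user_key, prompt)
    except Exception:
        logger.error("provider call failed (key %s)", user_key, exc_info=True)
        raise


def demo():
    """Constructed scenario: the provider rejects the key and echoes the header back."""
    user_key = "sk-ant-api03-EXAMPLEEXAMPLEEXAMPLEEXAMPLE"  # constructed, not a real key
    logger, captured = build_logger("ai_proxy", known_secrets=[user_key])

    def failing_provider(key, prompt):
        raise RuntimeError(f"401 Unauthorized: invalid header 'x-api-key: {key}'")

    try:
        proxy_ai_call(user_key, "Describe the tavern", failing_provider, logger)
    except RuntimeError:
        pass
    return "\n".join(captured)


if __name__ == "__main__":
    print(demo())
```

The filter sits on the handler rather than the logger so it also catches records that arrive through propagation, and it renders the traceback itself instead of leaving exc_info in place, because a second handler with its own formatter would otherwise print the original, unredacted exception text.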
Pro tier (managed key). If you subscribe to Pro, we mint a per-account OpenRouter sub-key with a monthly cap and route your AI calls through it. The sub-key is stored server-side (encrypted at rest); you do not see it. To enforce the cap we also store an aggregated count of calls and approximate spend per calendar month - this gets reset on the 1st each month and is visible to you in Settings → Billing.
What goes to the AI provider. When you ask the sage anything, the relevant campaign context plus your prompt are sent to your selected (or managed) AI provider so they can generate a response. That provider's privacy policy applies to that exchange - we don't control what they do with it. Read theirs: Anthropic, Google, OpenRouter.
Payments and billing data
All Pro purchases (monthly, annual, lifetime, founder edition, gift codes) are processed by Stripe. Stripe is the data controller for your card details and billing address; we never see, touch, or store your card. After a successful payment Stripe gives us back: your Stripe customer ID, the plan you purchased, the period end timestamp, and webhook events for renewals/failures/cancellations - that's all we store on our side.
Receipts and invoices are sent by Stripe directly to your email. You can manage your subscription, change card, or cancel via Settings → Billing → Manage subscription, which opens Stripe's Customer Portal.
For abandoned-checkout follow-ups (you started a checkout but didn't finish), we may send you a single email with a 20%-off coupon, capped at one email per account per lifetime - see Terms § 5. You can opt out via the unsubscribe link in that email.
Email (transactional)
We use Resend to send transactional emails: account verification, password reset, magic-link login, gift-code delivery, abandoned-checkout follow-up. We do not send marketing emails or newsletters. You can't opt out of strictly-transactional emails (verification, password reset, billing receipts) but you can delete your account to stop them entirely.
Analytics (Plausible)
We use Plausible, a privacy-friendly analytics tool, to count page views and a few specific custom events: which marketing CTA you saw, which Pro plan you clicked, which landing-page A/B variant you got. Plausible uses no cookies and no personal identifiers; the metrics are aggregated to "N visitors did X this week". Because there's no personal data and no cookies, GDPR doesn't require a banner here, and there's nothing for you to opt out of beyond using a tracker-blocker if you want.
Marketing pixels (Meta)
When we're actively running paid advertising on Meta properties (Facebook, Instagram), we deploy the Meta Pixel on our public marketing surface: the landing page, /demo, the legal pages, login / register, magic-link / forgot-password, gift redemption, and player-invite landing. The Pixel does NOT load inside the authenticated app - your campaign cauldron, sessions, library, player panel, archmage panel, and settings are all outside its reach. We made that boundary deliberately: once you're logged in you're not an ad target, and your private worldbuilding never enters Meta's advertising graph.
What the Pixel does on the pages where it loads:
- Sets a first-party cookie called _fbp (180-day TTL) and reads an inbound _fbc cookie when you arrive from a Meta ad click - both are used by Meta to attribute the ad click to the page visit.
- Sends Meta a page-view event plus, on /demo, a "ViewContent" event when you reach the splash and a "Lead" event when the demo guest account is provisioned. No emails, no passwords, no campaign content.
- On Stripe-checkout success, the Pixel may fire a "Purchase" event with the plan price - again, no card data and no personal identifiers beyond the cookie.
How to opt out: use any tracker blocker (uBlock Origin, Brave Shields, AdGuard, Privacy Badger, etc.) - they all block the Pixel by default. You can also delete the _fbp cookie in your browser's site-data settings at any time. We do not penalize blocking or punish opt-outs in any way.
Legal basis (EU/UK). The Pixel is non-essential tracking, so under GDPR / UK-GDPR / PECR the lawful basis is consent (Art. 6(1)(a)). At the time of writing we do not yet ship an in-app cookie-consent banner; visitors who do not want Pixel tracking should use a blocker as described above, and we do not target Meta ad campaigns at EU / UK audiences while the banner is pending. If we later add a banner, this section will be updated and EU/UK visitors will see a clear opt-in choice before the Pixel loads.
Meta may use the Pixel data to build advertising audiences, including lookalike audiences. We do not upload customer lists to Meta, do not share Pro plan or AI-usage data with Meta, and do not let Meta use our Pixel data for purposes other than attribution and ad delivery on our behalf. Meta's privacy policy applies to anything you ever share directly with them: Meta Privacy Policy.
Player Panel and invited players
If you're a Dungeon Master and invite players to your campaign via the player invite link, each player creates their own account using their own email and password. As DM you see their player character sheet in your campaign cauldron, but you don't see their account credentials, their other campaigns, or any data outside the shared campaign.
If you're a player who joined a campaign, your character sheet, notes, and chat with the sage from inside that campaign are visible to the DM. Anything you do outside that campaign (other characters in your /player hub, other campaigns you've joined elsewhere) stays private.
Why we have your data (legal basis)
Under GDPR (Art. 6), our legal bases are:
- Contract performance (Art. 6(1)(b)) for account data, campaign content, AI key handling, Pro subscription state, and transactional emails. You signed up to use the app and we need this data to deliver it.
- Legitimate interest (Art. 6(1)(f)) for short-lived server logs (abuse prevention) and the cookieless Plausible analytics (understanding which features are useful, at an aggregate level, with no personal identifiers).
- Legal obligation (Art. 6(1)(c)) for retaining billing records (Stripe processes; we keep summary entries) for the period required by Polish tax law.
No marketing-purpose processing. No profiling. No data sales.
Where the data lives (sub-processors)
- Database: Neon (managed PostgreSQL), EU region.
- Backend hosting: Render.
- Frontend hosting: Vercel.
- DNS & tunnel: Cloudflare.
- Payments: Stripe (Pro subscriptions and gift purchases only).
- Transactional email: Resend.
- Analytics: Plausible (cookieless, aggregate).
- Advertising attribution (conditional): Meta - only while paid advertising is active, only on public marketing pages, and never inside the authenticated app. See "Marketing pixels (Meta)" above.
- Managed AI (Pro tier only): OpenRouter, which routes calls to underlying model providers (Anthropic, Google, OpenAI, Meta etc) according to which model you select.
Each holds data only to the extent needed to keep its piece of the service running. We have data-processing agreements (or equivalent terms) with each.
How long we keep it
Account and campaign data: for as long as your account is active. When you delete your account, your user record and every campaign / session / event / library entry / character that belongs to you is hard-deleted from the database via cascading foreign keys - usually within seconds. Backups are rotated out within 30 days.
Server logs: 14 days, then automatically rotated.
Billing records: retained for the period required by Polish tax law (currently 5 years from the end of the calendar year of the transaction), even after account deletion. Stripe is the primary holder of these records.
Analytics aggregates: rolling 12-month window in Plausible, no personal identifiers attached.
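How "hard-deleted from the database via cascading foreign keys" works, and how to check that every child table actually cascades, as an added illustration that is not Scriptorium Arcanum's own schema (which runs on PostgreSQL, not SQLite). Table and column names and the seed rows are constructed for the example. Deleting one users row removes the campaigns and sessions that hang off it, while billing summaries survive with their user link set to NULL, which is the "retained but unlinked from your identity" behaviour the billing-records and erasure sections describe. audit_on_delete() is the check a practitioner wants: any foreign key without CASCADE or SET NULL will either block the delete (with enforcement on) or leave orphans (with it off).

```python
"""Account deletion via cascading foreign keys, plus an audit for the gaps.

Added illustration using SQLite, not Scriptorium Arcanum's own schema. The
table and column names are assumptions; the mechanism is the point.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
CREATE TABLE campaigns (
    id INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    title TEXT NOT NULL);
CREATE TABLE sessions (
    id INTEGER PRIMARY KEY,
    campaign_id INTEGER NOT NULL REFERENCES campaigns(id) ON DELETE CASCADE,
    notes TEXT);
CREATE TABLE billing_summaries (
    id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id) ON DELETE SET NULL,  -- kept, but unlinked
    stripe_customer_id TEXT NOT NULL,
    amount_cents INTEGER NOT NULL,
    period_end TEXT NOT NULL);
"""

# Constructed seed data: two accounts, one of which will be deleted.
SEED = """
INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
INSERT INTO campaigns VALUES (10, 1, 'Ravenloft'), (11, 1, 'Waterdeep'), (20, 2, 'Phandelver');
INSERT INTO sessions VALUES (100, 10, 'session zero'), (101, 11, 'heist'), (200, 20, 'goblin ambush');
INSERT INTO billing_summaries VALUES (1, 1, 'cus_constructed', 900, '2025-01-31');
"""

TABLES = ("users", "campaigns", "sessions", "billing_summaries")


def build_db(schema_sql=SCHEMA, seed_sql=SEED):
    """In-memory database with FK enforcement on (SQLite ignores FKs unless told per connection)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(schema_sql + seed_sql)
    return conn


def audit_on_delete(conn):
    """Return (table, column, on_delete) for every FK that would block or orphan a parent delete."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for row in conn.execute(f"PRAGMA foreign_key_list({table})"):
            _id, _seq, _ref_table, from_col, _to_col, _on_update, on_delete, _match = row
            if on_delete not in ("CASCADE", "SET NULL"):
                findings.append((table, from_col, on_delete))
    return findings


def delete_account(conn, user_id):
    """Delete the user row; cascades do the rest. Returns rows deleted from users only."""
    cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    conn.commit()
    return cur.rowcount  # SQLite does not count cascaded child deletions here


def row_counts(conn):
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in TABLES}


def unlinked_billing_rows(conn):
    """Billing summaries that outlived their account and no longer point at a user."""
    return conn.execute("SELECT COUNT(*) FROM billing_summaries WHERE user_id IS NULL").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("audit findings:", audit_on_delete(db))
    print("before:", row_counts(db))
    delete_account(db, 1)
    print("after: ", row_counts(db), "unlinked billing rows:", unlinked_billing_rows(db))
```

Run the audit in CI against the real schema: a table added later with a bare REFERENCES users(id) and no ON DELETE clause is exactly the regression that turns a one-click erasure into either a failed delete or a set of orphaned rows that still belong to a deleted person.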
Your data is yours - export it
Scriptorium Arcanum is in active development. We strongly recommend exporting your campaigns locally on a regular basis. Settings → Export your campaign produces a JSON file with everything you've created (and a Markdown bundle, plus a "hardcover" PDF for Pro). Treat it like a backup. We cannot guarantee that no campaign data will ever be lost - to a regression, a botched migration, an infrastructure incident, or an account-recovery edge case. The export button is right there. Use it.
Your rights
If you're in the EU/UK (GDPR) or California (CCPA), you have:
- Right of access - ask what we hold on you and we'll send it.
- Right to rectification - ask to correct anything that's wrong.
- Right to erasure - "Delete account" in Settings does this in one click. Or email us. Note: billing records may have to stay for the tax-law retention period (see above) but are otherwise unlinked from your identity once your account is gone.
- Right to data portability - every campaign has a JSON export button (Settings → Export). That's your data, round-trip-compatible.
- Right to object / restrict processing - email us and we'll act on it.
- Right to lodge a complaint - with your local data protection authority. In Poland this is UODO.
We don't sell your data - full stop - so the CCPA "Do Not Sell" right is moot, but you have it anyway.
Local storage
The app uses your browser's localStorage for:
- Session token (so you stay logged in).
- UI preferences: AI provider, model, language, panel widths, active panel (DM vs Player), onboarding-completed flag, dismissed tour steps.
- Free tier only: your BYOK AI provider key (never sent to us beyond AI proxying).
- Separately from localStorage, one first-party A/B-test cookie (90-day TTL, single-character A/B/C value) for landing-page variant assignment - no personal data.
Clearing your browser's site data removes all of this. Aside from the conditional Meta Pixel _fbp cookie described under "Marketing pixels (Meta)" - which only ever loads on public marketing pages - we do not set third-party cookies.
Security
HTTPS everywhere. Passwords hashed with bcrypt. JWT auth with short-lived tokens and per-IP rate limits on login / register / guest to discourage brute-force. Stripe handles card data (PCI-DSS Level 1 certified). We're a small operation, not a bank - we do best-effort, not certified-everything.
If we discover a breach affecting your data, we'll notify affected accounts within 72 hours of becoming aware and, where GDPR Art. 33 requires it, report to UODO within that same 72-hour window (Art. 33-34).
Children
Not directed at children under 13 (or 16 in some EU jurisdictions). If you believe a minor has signed up, email us and we'll delete the account.
Changes to this policy
If we change anything material - new sub-processors, new data categories, narrower user rights - we'll update the "last updated" date above and notify you in-app or by email at least 14 days before the change takes effect. Continued use after a change means acceptance.