Back to Home

Privacy Policy

Last updated: March 24, 2026 | Version 3.0.0

At ArcForge, we take your privacy seriously. This policy explains how we collect, use, protect, and handle your personal information.

Information We Collect

Account Information

  • Email address - Required for authentication and account recovery
  • Password (encrypted) - Hashed using bcrypt, never stored in plain text
  • Name (optional) - For personalization
  • Two-Factor Authentication data - TOTP secret (encrypted) and backup codes (encrypted)

Usage Data

  • Number of adventures created (for usage limits)
  • Features used (ArcForge generation, manual creation, exports)
  • Subscription tier and billing information
  • Last login date and activity timestamps

Content You Create

  • Adventures, scenes, characters, and story content
  • Maps and uploaded files
  • Version history of your work
  • Share settings (public links, read-only access)

Solo Play & AI Interaction Data

  • Character data (name, class, stats, inventory, equipment) stored in your browser
  • Story choices and narrative inputs sent to our AI for content generation
  • Combat actions, dice rolls, and gameplay decisions
  • AI-generated scene text, narration, and game responses
  • Game state data (current scene, adventure progress) stored locally in your browser

Security & Technical Data

  • IP addresses (for security and fraud prevention)
  • Login history and failed login attempts
  • Session tokens and authentication data
  • Browser type and device information (standard HTTP headers)

How We Use Your Data

To Provide the Service:

  • Authenticate your account and maintain secure sessions
  • Store and retrieve your adventure content
  • Generate ArcForge-powered content based on your inputs
  • Power Solo Play AI interactions (scene generation, combat, narration)
  • Export PDFs and VTT files
  • Enable sharing features (public links)

To Enforce Usage Limits:

  • Track monthly ArcForge adventure generation counts
  • Apply subscription tier restrictions
  • Reset usage counters on billing dates

For Security & Fraud Prevention:

  • Detect suspicious login activity
  • Implement account lockouts after failed attempts
  • Monitor for abuse or violations of Terms of Service
  • Maintain audit logs for security incidents

To Improve ArcForge:

  • Analyze usage patterns to improve features (anonymized data only)
  • Fix bugs and technical issues
  • Develop new tools and capabilities

To Communicate With You:

  • Send critical account notifications (password changes, unusual activity)
  • Notify about subscription renewals and billing
  • Announce major feature updates (optional, can opt out)
  • Respond to support requests

How We Protect Your Data

Encryption

  • In Transit: All data transmitted using TLS 1.3 encryption (HTTPS)
  • At Rest: Database encrypted on disk (AES-256)
  • Passwords: Hashed using bcrypt with 12 rounds (industry standard)
  • Sensitive Fields: 2FA secrets and backup codes encrypted

Access Controls

  • Role-based access control (RBAC) for team members
  • Multi-factor authentication required for admin access
  • Principle of least privilege (minimal permissions)
  • Regular access audits and reviews

Infrastructure

  • Hosted on secure, SOC 2 compliant infrastructure
  • Regular automated backups (daily + incremental)
  • Geographic redundancy for disaster recovery
  • DDoS protection and rate limiting
  • Regular security patches and updates

Monitoring & Response

  • 24/7 automated security monitoring
  • Failed login attempt tracking and alerts
  • Anomaly detection for unusual activity
  • 72-hour breach notification commitment

Security Acknowledgment

IMPORTANT: While we implement industry-standard security measures, you acknowledge and agree that:

  • No internet-connected system can be guaranteed 100% secure against all threats
  • You assume full responsibility and risk of loss resulting from your use of the Service
  • You are responsible for maintaining the security of your account credentials
  • You should maintain local backups of important content
  • ArcForge's liability for any data breach is limited as set forth in our Terms of Service

Data Sharing & Third Parties

We DO NOT sell your personal information. Ever.

Limited Third-Party Services:

  • Payment Processing: Stripe (for subscriptions) - they receive billing info but NOT your adventure content
  • Content Generation Provider: OpenAI (GPT-4o-mini API) - receives prompts for content generation and Solo Play AI interactions, does not store them
  • Text-to-Speech: Microsoft Azure Cognitive Services - receives narration text for audio generation, processed ephemerally and not stored by Microsoft
  • Hosting: Database and server infrastructure providers - encrypted data only
  • Email: Transactional email service (for authentication and notifications)

Legal Requirements:

We may disclose data if required by law, court order, or to protect our legal rights, prevent fraud, or ensure user safety.

No Marketing Partners:

We do not share your data with advertisers or marketing companies.

⚖️ Your Privacy Rights

Right to Access: Request a complete copy of all your data (JSON export)

Right to Deletion: Request permanent deletion of your account and all associated data

Right to Correction: Update or correct inaccurate personal information

Right to Portability: Export your adventures in PDF, JSON, or VTT format

Right to Opt-Out: Unsubscribe from optional marketing emails (account security emails required)

To exercise any of these rights, email us at support@myarcforge.com. We will respond within 30 days.

Data Retention

  • Active Accounts: Data retained as long as your account is active
  • Cancelled Subscriptions: Free tier data retained; you can continue using free features
  • Account Deletion: All personal data deleted within 30 days (backups purged within 90 days)
  • Legal Requirements: Some data (billing records, security logs) retained for 7 years as required by law

Cookies & Tracking

Essential Cookies (Required):

  • Authentication session cookies (keeps you logged in)
  • Security tokens (CSRF protection)

Browser Storage (Non-Cookie):

  • localStorage: Theme preference, cookie notice acknowledgment, Solo Play game state (character data, adventure progress, inventory)
  • IndexedDB: Offline game state cache (synced to your account)

We DO NOT use:

  • ❌ Advertising cookies or tracking pixels
  • ❌ Third-party analytics (Google Analytics, Facebook Pixel, etc.)
  • ❌ Cross-site tracking

Children's Privacy

ArcForge is not intended for children under 13. We do not knowingly collect personal information from children.

If you are a parent and believe your child has created an account, please contact us immediately at support@myarcforge.com and we will delete the account.

International Users

ArcForge operates globally. Your data may be stored and processed in the United States or other countries where our infrastructure providers operate. By using our services, you consent to such transfer and processing.

GDPR Compliance (EU/UK users): We comply with GDPR requirements including data portability, right to deletion, and consent management. Our lawful basis for processing is contractual necessity (to provide the Service) and legitimate interests (for security and service improvement).

US State-Specific Privacy Rights

California Residents (CCPA/CPRA)

  • Right to Know: Request disclosure of personal information collected about you in the past 12 months
  • Right to Delete: Request deletion of your personal data
  • Right to Opt-Out: Opt out of sale/sharing of personal information (we do not sell your data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights
  • Shine the Light: Under California Civil Code Section 1798.83, you may request information about disclosure to third parties for direct marketing. We do not disclose personal information for direct marketing.

Colorado, Connecticut, Virginia Residents

  • Right to Appeal: If we deny your privacy request, you have the right to appeal that decision
  • Right to Opt-Out of Profiling: You may opt out of profiling in furtherance of decisions producing legal effects. ArcForge does not engage in such profiling.

Nevada Residents

We do not sell your covered information as defined under Nevada Revised Statutes Chapter 603A.

To exercise any of these rights, email privacy@myarcforge.com. We will respond within 45 days. We may need to verify your identity before processing your request.

Changes to This Policy

We may update this Privacy Policy occasionally. Material changes will be announced via email and on our website.

Continued use of ArcForge after changes constitutes acceptance of the updated policy.

Contact Us

For privacy questions or to exercise your rights:

View Terms of Service → · Content & Safety Policy → · DMCA Policy →