← Back to the app

Privacy Policy

Last updated: 2026-06-26

1. Who we are

PathfinderGM ("we", the service) is a tool for Pathfinder 2E game masters. The controller of your personal data is the operator of PathfinderGM. Questions? Email stuggesjoerd@gmail.com.

2. What data we collect

We only process the data needed to provide the service:

  • Account data: your email address and (hashed) password, or an OAuth identity (e.g. Google/Discord).
  • Campaign content: notes, NPCs, locations, session prep, combats, lore and other content you create or import.
  • AI usage: the prompts you send to the AI and the resulting consumption (credits).
  • Payment data: if you buy credits, our payment provider processes the payment. We do not receive full card details.
  • Technical data: limited server logs (e.g. IP address and timestamp) for security and troubleshooting.

3. Why and on what legal basis

We use your data to provide the service (performance of a contract), to prevent abuse and keep the service secure (legitimate interest), and to comply with legal obligations. To create an account we ask for your explicit agreement to this policy and the Terms of Service.

4. Processors and transfers

We use third-party processors that handle data on our behalf:

  • Supabase — database, authentication and file storage.
  • Anthropic (Claude) and OpenAI — AI text generation. Your prompts are sent to the chosen AI provider to generate a response.
  • Stripe and/or Polar — payment processing for credit purchases.
  • Render — application hosting.

Some of these parties may process data outside the EEA; where they do, we rely on appropriate safeguards (such as standard contractual clauses). Do not send special-category or sensitive personal data to the AI.

5. Retention

We keep your data for as long as your account exists. If you delete your account, your account data and campaign content are deleted immediately and irreversibly. Limited logs and payment records may be kept for a shorter or longer period where legally required or necessary.

6. Your rights

Under the GDPR you have the right to:

  • Access and a copy of your data (export your data via Settings → Privacy & data).
  • Rectification of inaccurate data.
  • Erasure ("right to be forgotten") — delete your account via Settings → Privacy & data.
  • Portability: your export is a machine-readable JSON file.
  • Restriction of and objection to processing.
  • Withdraw consent, without affecting the lawfulness of earlier processing.
  • Lodge a complaint with your data protection authority.

7. Security

We take appropriate technical and organisational measures, including encrypted connections, per-user data isolation and access control. No service is entirely risk-free; report a suspected security issue to stuggesjoerd@gmail.com.

8. Changes

We may update this policy. The date at the top shows the last change. Questions can be sent to stuggesjoerd@gmail.com.