Skip to content

Privacy Policy

Last updated: March 2026

1. Information We Collect

When you use Hattavick, we collect:

  • Account information: email address, username, and a hashed password (if using email/password auth) or OAuth provider profile (Google, Discord)
  • Content you create: campaigns, characters, notes, game systems, maps, stat blocks, and other creative content
  • Uploaded files: images, audio files, and PDFs you upload for use in campaigns and battlemaps
  • Usage data: pages visited, features used, and session duration (collected via self-hosted analytics)

2. How We Use Your Information

  • To provide and maintain the Platform
  • To authenticate your identity and manage sessions
  • To deliver content you create to your campaign members
  • To improve the Platform based on aggregate usage patterns
  • To send transactional emails (verification, password reset, campaign invites)

We do not sell your personal information to third parties. We do not use your data for advertising.

3. Data Storage

  • Database: your account and content data is stored in a PostgreSQL database hosted on Amazon Web Services (AWS) in the US.
  • File storage: uploaded images, audio, and PDFs are stored in AWS S3.
  • Sessions: authentication is managed via encrypted JWT tokens stored in browser cookies. We do not use server-side session storage.

4. Cookies

We use the following cookies:

  • Session cookie (authjs.session-token): an encrypted JWT that maintains your login session. Required for the Platform to function. Expires when you sign out or after 30 days.
  • CSRF token (authjs.csrf-token): prevents cross-site request forgery. Required for security.
  • Cloudflare Turnstile cookies (cf_chl_*, __cf_bm): set by our bot protection service on pages with forms (registration, contact). These are third-party security cookies.

We do not use third-party tracking cookies. Our analytics (self-hosted Umami) do not use cookies or track individual users. For the full cookie inventory, see our Cookie Policy.

5. Third-Party Services

We use the following third-party services to operate the Platform:

  • Amazon Web Services (AWS): infrastructure hosting (EC2, RDS, S3, SES)
  • Cloudflare: DNS, CDN, and bot protection (Turnstile CAPTCHA)
  • GitHub: source code hosting and CI/CD
  • Anthropic (Claude API): AI processing for import and generation features. When you use AI-powered features (PDF import, character sheet import, AI encounter generation), the content you provide is transmitted to Anthropic’s API for processing. Anthropic processes this data under their commercial terms and does not train on customer API inputs. See Anthropic’s privacy policy.

These services process data only as needed to provide their services and are bound by their own privacy policies.

5a. AI-Assisted Features

Several features use Anthropic’s Claude models to process content you provide. When you trigger an import or generation feature, your input (PDF text, character sheet data, encounter context) is sent to Anthropic’s API in the United States and processed to generate the output. The output becomes your content. We retain neither your input nor the AI output beyond what is needed to deliver the result to your campaign.

Anthropic acts as a data processor on our behalf under their commercial terms. Anthropic does not use customer API inputs for model training. For details, see Anthropic’s Commercial Terms.

5b. Legal Basis for Processing (GDPR)

If you are in the EU, UK, or EEA, we process your personal data under the following legal bases (GDPR Article 6):

  • Performance of a contract (Art 6(1)(b)): Creating and managing your account, campaigns, and content
  • Legitimate interests (Art 6(1)(f)): Analytics, abuse prevention, security monitoring, and platform improvement
  • Consent (Art 6(1)(a)): Non-essential cookies (see our Cookie Policy)
  • Legal obligation (Art 6(1)(c)): Retaining records as required by applicable law

5c. Your Rights (GDPR & UK GDPR)

If you are in the EU, UK, or EEA, you have the following rights regarding your personal data:

  • Right of access (Art 15): Download all your personal data from Settings → Data & Privacy
  • Right to rectification (Art 16): Change your email from Settings → Data & Privacy, or contact us for other corrections
  • Right to erasure (Art 17): Delete your account from Settings → Danger Zone
  • Right to data portability (Art 20): Download your data in JSON format from Settings → Data & Privacy
  • Right to object (Art 21): Contact us to object to processing based on legitimate interests
  • Right to withdraw consent (Art 7(3)): Clear your browser localStorage to reset cookie consent

To exercise any of these rights, contact us. We will respond within 30 days.

5d. International Data Transfers

Your data is stored on Amazon Web Services (AWS) in the United States (us-east-1 region). If you are in the EU, UK, or EEA, this constitutes a transfer of personal data outside the EEA. We rely on AWS’s Standard Contractual Clauses (SCCs) as the transfer mechanism. AWS has SCCs incorporated into their Data Processing Addendum. See AWS EU Data Protection.

AI processing via Anthropic’s API also involves transfer to the United States. Anthropic’s commercial terms include data processing commitments.

5e. Data Protection Contact

For privacy questions or to exercise your data subject rights, you can also contact us at privacy@hattavick.com .

6. Data Retention

We retain your data only as long as necessary for the purposes described in this policy. Key retention periods:

  • Account data: until you delete your account
  • Email verification tokens: 24 hours after expiry, then automatically purged
  • Password reset tokens: 1 hour after expiry, then automatically purged
  • Session tokens: 30 days from issue
  • Chat messages (VTT): 90 days
  • Analytics events: 24 months
  • Uploaded files: until account or campaign deletion

For the full retention schedule including cleanup mechanisms, see our Data Retention Policy. We may retain anonymized, aggregate data for analytics purposes after account deletion.

7. Account Deletion

You can delete your account at any time from the Settings page. When you delete your account, we permanently remove:

  • Your profile, email, and authentication credentials
  • All characters, notes, and campaign memberships
  • Campaigns where you are the sole member (including all associated data)
  • Lab game systems, stat blocks, and templates you created
  • Uploaded files (images, audio, PDFs) from S3 storage

Content in campaigns with other members (e.g., shared notes, lore entries) may be retained as part of the campaign but will no longer be associated with your account.

8. U.S. State Privacy Rights

If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other states with similar consumer privacy laws, you have additional rights:

  • Right to know what personal information we collect about you (see Section 1 above)
  • Right to delete your personal information (see Section 7 — Account Deletion, or Settings)
  • Right to correct inaccurate personal information (contact us via the Contact page)
  • Right to opt out of sale or sharing for advertising — we do not sell or share your personal information for advertising purposes, so no opt-out is needed
  • Right to non-discrimination — we will not treat you differently for exercising these rights

Categories of personal information we collect: identifiers (email, username), internet activity (pages visited via self-hosted analytics), and content you create. We do not collect commercial information, biometric data, or sensitive personal data.

Sources: directly from you, from OAuth providers (Google, Discord) if you use them, and automatically from your browser (IP address, user agent).

To exercise any of these rights, contact us.

9. Children’s Privacy

Hattavick is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete that account.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the Platform after changes are posted constitutes acceptance of the revised policy.

11. Contact

Questions about this Privacy Policy? Reach us at the Contact page.