Privacy Policy
Last updated: March 2026
1. Information We Collect
When you use Hattavick, we collect:
- Account information: email address, username, and a hashed password (if using email/password auth) or OAuth provider profile (Google, Discord)
- Content you create: campaigns, characters, notes, game systems, maps, stat blocks, and other creative content
- Uploaded files: images, audio files, and PDFs you upload for use in campaigns and battlemaps
- Usage data: pages visited, features used, and session duration (collected via self-hosted analytics)
2. How We Use Your Information
- To provide and maintain the Platform
- To authenticate your identity and manage sessions
- To deliver content you create to your campaign members
- To improve the Platform based on aggregate usage patterns
- To send transactional emails (verification, password reset, campaign invites)
We do not sell your personal information to third parties. We do not use your data for advertising.
3. Data Storage
- Database: your account and content data is stored in a PostgreSQL database hosted on Amazon Web Services (AWS) in the US.
- File storage: uploaded images, audio, and PDFs are stored in AWS S3.
- Sessions: authentication is managed via encrypted JWT tokens stored in browser cookies. We do not use server-side session storage.
4. Cookies
We use the following cookies:
- Session cookie (authjs.session-token): an encrypted JWT that maintains your login session. Required for the Platform to function. Expires when you sign out or after 30 days.
- CSRF token (authjs.csrf-token): prevents cross-site request forgery. Required for security.
We do not use third-party tracking cookies. Our analytics (self-hosted) do not use cookies or track individual users.
5. Third-Party Services
We use the following third-party services to operate the Platform:
- Amazon Web Services (AWS): infrastructure hosting (EC2, RDS, S3, SES)
- Cloudflare: DNS, CDN, and bot protection (Turnstile CAPTCHA)
- GitHub: source code hosting and CI/CD
These services process data only as needed to provide their services and are bound by their own privacy policies.
6. Data Retention
We retain your data for as long as your account is active. If you delete your account, your data is permanently removed as described in Section 7 below. We may retain anonymized, aggregate data for analytics purposes.
7. Account Deletion
You can delete your account at any time from the Settings page. When you delete your account, we permanently remove:
- Your profile, email, and authentication credentials
- All characters, notes, and campaign memberships
- Campaigns where you are the sole member (including all associated data)
- Lab game systems, stat blocks, and templates you created
- Uploaded files (images, audio, PDFs) from S3 storage
Content in campaigns with other members (e.g., shared notes, lore entries) may be retained as part of the campaign but will no longer be associated with your account.
8. Children’s Privacy
Hattavick is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete that account.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the Platform after changes are posted constitutes acceptance of the revised policy.
10. Contact
Questions about this Privacy Policy? Reach us at the Contact page.