Privacy Policy

1 Who we are

Dungeonwright is a personal project by Marvin Vomberg. If you have any questions about this policy, contact us at privacy@dungeonwright.com.

2 Data stored only on your device

The following data never leaves your device unless you enable cloud sync (see Section 4):

• All campaign content — NPCs, quests, locations, sessions, lore entries, maps, and player characters
• Your OpenAI API key — stored in the app's local secure store, sent directly to OpenAI from your device. It is never transmitted to Dungeonwright's servers.
• App preferences and settings
• Images you import into campaigns

3 Account registration

To use cloud sync or the mobile apps, you can create an account. When you register, we collect:

• Email address — used to identify your account and for password recovery
• Password — stored as a secure hash (bcrypt). We never store your plain-text password.
• Authentication token — a session token issued after login, stored locally on your device

We use Laravel Sanctum token-based authentication. No cookies are used for authentication.

4 Cloud sync

Cloud sync is opt-in. If you choose to enable it, your campaign data is transmitted to and stored on our API servers at api.dungeonwright.com so it can be accessed across your devices.

This includes all entities in your campaigns (NPCs, quests, locations, sessions, lore, maps). Data is transmitted over HTTPS and associated only with your account.

If you delete your account, all server-side data is permanently deleted. Local data on your device is not affected and remains yours.

5 AI features & OpenAI

AI writing features are powered by OpenAI. You supply your own API key — it is stored in the app's local secure store and sent directly from your device to OpenAI. No content you generate passes through Dungeonwright's servers.

Your use of AI features is subject to OpenAI's Privacy Policy. Dungeonwright has no control over how OpenAI processes data sent to their API.

6 What we do not do

• We do not sell your data to third parties
• We do not run advertising or tracking pixels
• We do not use analytics services (no Google Analytics, Mixpanel, etc.)
• We do not read or process your campaign content for any purpose other than syncing it back to you
• We do not store your OpenAI API key on our servers

7 Data retention & deletion

Account data (email, hashed password) and any synced campaign data is retained as long as your account is active. You may request deletion of your account and all associated server-side data at any time by emailing privacy@dungeonwright.com.

Local data on your own device is always under your control — uninstalling the app or deleting your vault folder removes it entirely.

8 Security

All communication between the app and our API uses HTTPS/TLS. Passwords are hashed with bcrypt. Authentication tokens are stored in the device's local secure store. We follow reasonable security practices, but no system is 100% secure — please use a strong, unique password for your account.

9 Children

Dungeonwright is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

10 Changes to this policy

If we make material changes, we will update the effective date at the top of this page. For significant changes, we will notify registered users by email. Continued use of the app after changes constitutes acceptance of the updated policy.