Privacy Policy
Last updated: 2026-05-19
This Privacy Policy explains how Yifan Ye Zhang ("we", "us") collects, uses, and shares personal data when you use Covenant (the "Service"). It applies to visitors of the website and registered users.
If you are in the European Economic Area (EEA), United Kingdom, or California, additional rights are described in Section 8.
1. Data Controller
Yifan Ye Zhang is the controller of personal data collected through the Service. Contact: privacy@covenantrpg.com.
2. Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email, hashed password, display name, language, theme, faction, character data | You (sign-up, settings, gameplay) |
| Authentication data | Email-verification tokens, password-reset tokens, OAuth identifiers (Google) | You / OAuth provider |
| Gameplay data | Tasks, habits, objectives, journal entries, quest progress, combat results, inventory, gold, dice | You (gameplay) |
| Technical data | IP address, user agent, request timestamps, error reports | Automatically (via your browser) |
| Cookies | Session cookies, language preference, consent record | Automatically (see Cookie Policy below) |
We do not collect payment data — the Service is free during beta.
3. How We Use Data
We use personal data to:
- Provide the Service: authenticate you, save your progress, render the game.
- Communicate: send transactional email (verification, password reset, account notices).
- Operate and secure: rate-limiting, fraud and abuse prevention, error monitoring.
- Improve: aggregate analytics on feature usage (without identifying individual users where feasible).
- Comply with legal obligations.
Legal bases (GDPR): performance of a contract (account, gameplay), legitimate interest (security, abuse prevention, product improvement), consent (non-essential cookies, marketing if any), legal obligation.
4. Sharing
We share personal data only with processors that help us run the Service, under contractual confidentiality and security obligations:
| Processor | Purpose | Location |
|---|---|---|
| Railway | Hosting and managed PostgreSQL | United States |
| Brevo (Sendinblue) | Transactional email delivery | European Union |
| Sentry | Error monitoring — events are scrubbed before send to remove email, IP address, cookies, auth headers, and request bodies; only your user ID is attached so we can correlate an error to your account | United States / European Union |
| Upstash | Redis (rate limiting, sessions) | Multi-region |
| Google | OAuth sign-in (only if you choose Google login) | Global |
We do not sell personal data. We may disclose data when required by law or to protect rights and safety.
5. International Transfers
Some processors are located outside your country (notably the US). When we transfer personal data out of the EEA or UK, we rely on appropriate safeguards such as the EU Standard Contractual Clauses or the EU–US Data Privacy Framework where applicable.
6. Retention
- Account data: retained while your account is active. Deleted within 30 days of account deletion, except where law requires longer retention.
- Gameplay data: retained with your account; deleted alongside it.
- Logs and security data: retained up to 90 days, then aggregated or deleted.
- Email logs: retained by Brevo per their retention policy (typically 30 days).
7. Security
We use industry-standard measures: TLS in transit, hashed passwords (bcrypt-class), encrypted database storage, principle of least privilege for staff access, security headers (HSTS, X-Frame-Options, etc.), rate limiting, and email verification before sign-in.
No system is perfectly secure. If we detect a breach affecting your data, we will notify you and the relevant authorities as required by law.
8. Your Rights
Depending on your jurisdiction, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data (most fields are editable in /settings).
- Erase your data (delete your account in /settings; "right to be forgotten" under GDPR / CCPA).
- Port your data to another service (export feature is in development; until then, request via email).
- Object to processing based on legitimate interest.
- Withdraw consent at any time (does not affect processing already done).
- Lodge a complaint with your local data protection authority.
To exercise rights, email privacy@covenantrpg.com. We respond within 30 days.
California (CCPA/CPRA): you have the rights above, including the right to know what we collect, delete, and opt out of "sale" or "sharing" — we do not sell or share personal data as defined by CCPA.
9. Cookies
The Service uses cookies for essential functions only:
| Cookie | Purpose | Duration |
|---|---|---|
| better-auth.session_token | Keeps you signed in | Session / 7 days |
| i18nextLng | Remembers your language | 1 year |
| covenant.cookie_consent | Records your cookie consent | 1 year |
Essential cookies do not require consent under GDPR. We do not currently use analytics or marketing cookies. If we add them, we will update this policy and request consent first.
10. Children
The Service is not directed to children under 16. We do not knowingly collect data from children under that age. If you believe a child has registered, contact privacy@covenantrpg.com and we will delete the account.
11. Changes
We may update this Privacy Policy. Material changes will be announced via the Service or by email. The "Last updated" date at the top reflects the latest revision.
12. Contact
Questions or to exercise your rights: privacy@covenantrpg.com.