Overview
Initiative Tracker ("we", "us", or "our") is a web application designed to help Dungeon
Masters run D&D 5e combat encounters. This policy explains what information we
collect, how we use it, and your rights regarding that information. We do not sell your
data to anyone.
Information We Collect
- Account information. When you register, we store your first name, last name, email address, and a hashed (bcrypt) version of your password. We never store your password in plain text.
- OAuth sign-in. If you sign in with Google or Facebook, we receive your name, email address, and a unique identifier from that provider. We do not receive or store your social media password.
- Combat and session data. We store the combat state, combat history, session notes, and custom monsters you create within the app. This data is associated with your account and is used solely to provide the service.
- Player messages. Messages sent from players to the DM during a session are stored temporarily and associated with your game session.
Cookies
- dm_auth. A session cookie set when you log in. It holds a random identifier (not your password) used to authenticate your requests. It expires after 30 days.
- dm_guest. A temporary session cookie set when you enter as a guest. It is cleared when you close the browser tab or log out.
- oauth_state / oauth_code_verifier. Short-lived cookies (10 minutes) used during the OAuth sign-in flow to prevent cross-site request forgery. They are deleted immediately after sign-in completes.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
How We Use Your Information
- To create and manage your account.
- To save and restore your combat sessions and history.
- To authenticate your identity on each visit.
- To respond to support requests you send to us.
We do not use your data for advertising, profiling, or any purpose beyond operating the
application.
Data Sharing
We do not sell, rent, or share your personal information with third parties, except:
- Google / Facebook — only during the OAuth sign-in flow, as required to authenticate you. Their use of your data is governed by their own privacy policies.
- Legal obligations — if required by law or to protect the rights and safety of our users.
Data Retention
Your account and associated data are retained for as long as your account is active. If
you wish to delete your account and all associated data, contact us at the email below and
we will process the request within 30 days.
Security
Passwords are hashed with bcrypt before storage. Authentication tokens are random, opaque
identifiers with no user-readable information. We use HttpOnly cookies to prevent
client-side script access to session tokens.
Children's Privacy
Initiative Tracker is not directed at children under 13. We do not knowingly collect
personal information from children under 13. If you believe a child has provided us with
personal information, please contact us so we can delete it.
Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated"
date at the top. Continued use of the service after changes constitutes acceptance of the
updated policy.