Privacy Policy

1. Information We Collect

1.1 Information from Discord

When you authenticate with Discord, we collect:

• Discord user ID and username
• Discord server (guild) ID you're accessing from
• Email address associated with your Discord account
• Profile avatar (if provided)
• Discord server membership information

1.2 Campaign & Character Data

To provide our service, we store:

• Campaign names, descriptions, and settings
• Character sheets (stats, abilities, inventory, backstory)
• Session transcripts and summaries
• Homebrew content you create (classes, species, items)
• Quest logs, NPC data, and location information
• Dice rolls and game interactions

1.3 AI Interaction Data

• Conversation history with the Pathway bot
• AI hour usage and billing information
• Prompt inputs and AI-generated responses
• Session duration and activity timestamps

1.4 Payment Information

We use third-party payment processors (Stripe) to handle payments. We do NOT store your full credit card information. We retain:

• Subscription tier and billing cycle
• Payment history and invoices
• Last 4 digits of card (from payment processor)
• Billing email address

1.5 Usage & Analytics Data

• IP address and location data
• Device type and browser information
• Page views and navigation patterns
• Feature usage and engagement metrics
• Error logs and performance data

1.6 Cookies & Tracking

We use cookies for authentication, analytics, and marketing. See our Cookie Policy for details.

2. How We Use Your Information

• Service Delivery: Run PF2e sessions, manage campaigns, track characters
• AI Processing: Send your game context to Anthropic's Claude API to generate AI Dungeon Master responses
• Billing: Process subscriptions, track AI hour usage, issue invoices
• Analytics: Understand how users interact with our platform and improve features
• Communication: Send service updates, billing notifications, and marketing (if opted in)
• Security: Detect fraud, prevent abuse, enforce terms of service
• Legal Compliance: Comply with legal obligations and respond to legal requests

3. Third-Party Services We Use

We share data with the following third-party services:

4. Data Retention

• Active Accounts: We retain your data as long as your account is active
• Deleted Accounts: Data is deleted within 30 days of account deletion, except as required by law
• Backups: Backup copies may persist for up to 90 days for disaster recovery
• Legal Holds: We may retain data longer if required by law or legal proceedings
• Anonymized Analytics: Anonymized data may be retained indefinitely for research

5. Your Privacy Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and data (right to be forgotten)
• Portability: Export your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to processing for marketing purposes
• Withdraw Consent: Opt out of optional data processing

To exercise these rights, email us at privacy@pathway.gg. See our GDPR Compliance page for EU-specific rights.

6. Data Security

We implement industry-standard security measures:

• Encryption: All data in transit uses TLS 1.3 encryption
• Database: Encrypted PostgreSQL database with access controls
• Authentication: OAuth2 via Discord with JWT token security
• Infrastructure: AWS security best practices, VPC isolation
• Backups: Automated daily backups with encryption
• Monitoring: Real-time security monitoring and error tracking

However, no system is 100% secure. We cannot guarantee absolute security and are not liable for unauthorized access beyond our reasonable control.

7. Children's Privacy (18+ Only)

Our service is intended for users 18 years and older. We do not knowingly collect information from individuals under 18. If you believe a minor has provided us with personal information, contact us immediately at privacy@pathway.gg and we will delete it promptly.

8. International Data Transfers

Our servers are located in the United States (AWS US-East-1). If you access our service from outside the US, your data will be transferred to and stored in the United States.

For EU users: We rely on Standard Contractual Clauses (SCCs) and AWS's Data Processing Addendum for GDPR compliance. See our GDPR page for details.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or prominent notice on our website. Continued use of our service after changes constitutes acceptance of the updated policy.