Privacy Policy

Gnome's Cauldron of Cards — Last updated May 12, 2026

1. Introduction

This Privacy Policy explains how Gnome's Cauldron of Cards ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our Service. We are committed to safeguarding your privacy and handling your data transparently.

2. Data We Collect

We collect and process the following categories of personal data:

  • Account information — your email address, used for authentication, password resets, and service-related notifications.
  • User content — card data (text, settings, configurations) that you create within the Service.
  • Uploaded images — image files you upload to use on your cards, stored in cloud storage.
  • Subscription & billing data — plan tier, subscription status, and billing history. Payment details (credit card numbers, etc.) are handled exclusively by Dodo Payments and never stored by us.
  • Usage data — basic analytics such as card counts, image storage usage, and feature usage to enforce plan limits and improve the Service.

3. How We Use Your Data

Your data is used to:

  • Provide, maintain, and improve the Service.
  • Authenticate your identity and manage your account.
  • Process subscriptions and enforce plan limits.
  • Generate AI-powered card text and images when you use those features.
  • Send service-related communications (password resets, account notifications).
  • Comply with legal obligations.

We do not sell your personal data to third parties. We do not use your data for advertising or marketing purposes beyond service communications.

4. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance — to provide the Service you signed up for, including account management, content storage, and subscription processing.
  • Legitimate interest — to operate, maintain, and improve the Service, and to prevent abuse.
  • Legal obligation — to comply with applicable laws and regulations.

5. Third-Party Processors

Your data is processed by the following third-party sub-processors, each of whom maintains their own privacy and data protection policies:

  • Supabase — database hosting, authentication, and file storage. Your account data, card content, and uploaded images are stored on Supabase infrastructure.
  • Dodo Payments — payment processing and subscription management. Dodo Payments acts as merchant of record and handles all payment details directly. We never see or store your full payment information.
  • OpenAI — AI text and image generation. When you use AI features, your prompts and any uploaded reference images are sent to OpenAI for processing. OpenAI's data usage policies apply to this processing.

6. International Data Transfers

Our sub-processors may store or process data outside the European Union or Serbia. Such transfers are governed by standard contractual clauses or adequacy decisions as applicable under GDPR and Serbian data protection law (ZZPL).

7. Data Retention

Your data is retained for as long as your account is active. If you downgrade your plan and your stored content exceeds plan limits, we reserve the right to delete excess content after a 90-day grace period, with advance notice to your registered email.

Upon account deletion, all associated data — including card content and uploaded images — is permanently removed from our systems.

8. Cookies & Local Storage

Gnome's Cauldron of Cards uses browser local storage to persist application preferences and session data. We do not use tracking cookies or third-party analytics cookies. No advertising or profiling cookies are used.

9. Your Rights

EU/EEA residents (GDPR) and Serbian residents (ZZPL) have the right to:

  • Access your personal data.
  • Correct inaccurate or incomplete data.
  • Delete your data ("right to be forgotten").
  • Export your data in a portable format.
  • Restrict or object to processing.
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, contact us at support@gnomescauldron.com. We will respond within 30 days.

10. Data Security

We take reasonable measures to protect your data, including encrypted connections (HTTPS), secure authentication via Supabase Auth, and row-level security policies on database access. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

11. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top of this page. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

13. Contact

For privacy-related questions or requests, contact us at: support@gnomescauldron.com

© 2026 Gnome's Cauldron of Cards