← Lofi Dungeon

Privacy Policy

Effective May 26, 2026

The short version

Lofi Dungeon is run by one developer. We collect the minimum personal data needed to run the game, save your progress across devices, and process payments. We never sell your data, and you can delete your account at any time from the in-game Settings or by emailing support@lofidungeon.com.

Who we are

Lofi Dungeon (the "Service") is an independent project ("we", "us"). Contact: support@lofidungeon.com. This Policy explains what personal data we collect, how we use it, and the rights you have over it.

Data we collect

We only collect what we need to run the game.

  • Email address. Required to create an account (we use magic-link sign-in, so no password). We use it to send the sign-in link, transactional purchase receipts, and — only if you opt in — occasional product updates.
  • Cloud save data. Your character progress, gold, settings, and unlocked content. Stored against your account so you can sign in on another device and keep playing.
  • Purchase history. For each purchase: the product key, USD amount, Stripe session ID, timestamp, and whether the grant was applied. Used to verify fulfillment and process refunds.
  • Technical data. Standard server logs: IP address, browser user agent, request timestamps, referring URL. Used to diagnose bugs and detect abuse.
  • Local browser storage. A local copy of your save lives in your browser's localStorage so the game works offline; your auth session token also lives there while you're signed in. Both are deleted if you clear browser data.

We do not collect: payment card details (Stripe handles those directly), precise location data, contact lists, facial-recognition data, or biometrics.

Who we share data with

We rely on a small set of third-party "sub-processors" to run the service. Each one only sees the data it needs:

ProviderWhat they seeWhy
SupabaseEmail, cloud save, purchase recordsDatabase + auth backend
StripeEmail, purchase amount, payment method, IP at time of purchasePayment processing
NetlifyIP, browser, page requestsWeb hosting + CDN
ResendEmail address (only if you opt in to marketing)Sending newsletter / update emails

We do not sell your personal data to anyone, and we do not share it with advertisers. We may disclose data if required by a valid legal process (court order, subpoena) — if that happens, we will push back where appropriate and notify you unless legally barred.

How long we keep data

  • Account data + cloud save: as long as your account is active. If you delete your account, we remove these immediately. Inactive accounts (no sign-in for 24+ months) may be auto-deleted after we notify your email.
  • Purchase records: kept for as long as tax and accounting law requires (typically 7 years in the US). When you delete your account, your name and user-id are removed from these records but the financial entry remains anonymized.
  • Server logs: rolling 90 days, then purged.

Your rights

Depending on where you live, you have some or all of the following rights over your personal data:

  • Access — request a copy of the data we hold about you
  • Correction — ask us to fix data that is inaccurate
  • Deletion ("right to be forgotten") — ask us to delete your account and personal data. You can do this yourself from in-game Settings → Delete Account, or by emailing support@lofidungeon.com.
  • Portability — ask us to export your data in a machine-readable format
  • Opt out of marketing — unsubscribe link in every newsletter, or change the preference in your account
  • Withdraw consent — for any processing you previously consented to
  • Complaint — California residents may complain to the CA Attorney General; EU/UK residents may complain to their data-protection authority

We will respond to rights requests within 30 days (sometimes faster — usually within a couple of business days). We will never charge you for exercising these rights.

Cookies and local storage

We use a small number of "strictly necessary" cookies and local-storage entries to run the service. We do not use advertising or tracking cookies.

  • Auth session — your Supabase sign-in token (set by us, lives in localStorage)
  • Game settings + local save — your preferences and a local copy of your character (localStorage, never sent anywhere except as part of cloud-save syncing)
  • Stripe checkout — Stripe sets its own cookies on its checkout pages during a purchase; those follow Stripe's privacy policy

Since all of these are necessary to provide the service you asked for, we do not show a cookie consent banner under GDPR's "strictly necessary" exemption.

Children's privacy

The Service is intended for users aged 13 and older. We do not knowingly collect personal data from anyone under 13. If we learn we have, we will delete the account and refund any payments. Parents who believe their child has signed up: please email support@lofidungeon.com and we will act quickly.

International transfers

Our infrastructure providers (Supabase, Stripe, Netlify, Resend) may store and process data outside the country where you live — including in the United States. Where required (e.g., for EU/UK users), these transfers rely on Standard Contractual Clauses or equivalent safeguards published by each provider.

Security

We use HTTPS everywhere, Supabase's row-level security for the database (each user can only read their own rows), magic-link authentication (no passwords to leak), and a strict separation between the public game client and the privileged server-side service-role key (which lives only in our edge-function environment). No system is perfectly secure; if we ever suffer a breach affecting your data, we will notify affected users promptly and as required by law.

Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated to registered users by email at least 14 days before they take effect. The effective date at the top reflects the latest revision.

Contact

For privacy questions, deletion requests, or anything else covered by this Policy: support@lofidungeon.com