Starter draft. The product owner is responsible for having a lawyer review this document before commercial launch. The GDPR, UK-GDPR, and CCPA / CPRA addenda still need qualified counsel review before the Service is offered to EU, UK, or California residents.

Privacy Policy

UnderTheTable · Last updated: 2026-05-11

1. About this policy

This Privacy Policy explains what information UnderTheTable (the “Service,” available at underthetable.lol) collects, how we use it, who we share it with, how long we keep it, and what choices you have. We’ve tried to write this in plain English. If anything is unclear, email support@underthetable.lol and we’ll explain.

This Policy applies to everyone who uses the Service: DMs paying for a seat, players invited into a campaign, and visitors to underthetable.lol. By using the Service you agree to the practices described here. If you do not agree, do not use the Service.

2. Information we collect

2.1 Account information

  • Email address. Used as your unique account identifier and for service emails (sign-in, password resets, billing receipts, security notices, policy updates).
  • Password. Stored only as a bcrypt hash. We never store your password in plaintext. We cannot recover it; we can only reset it.
  • Signup date and basic account metadata (display name if you set one, role within a campaign, account status).

2.2 Subscription and billing information

Payment processing is handled by Stripe. When you provide payment information, you provide it directly to Stripe; we never see or store your raw card details. From Stripe we receive a small amount of metadata so we can show your billing status in-app:

  • Your Stripe customer ID
  • Subscription plan and status (trialing, active, past-due, canceled)
  • Invoice and payment metadata (amount, date, currency, last four digits of the card — for display only)
  • Refund and dispute history relevant to your account

Stripe’s handling of your payment information is governed by Stripe’s own privacy policy.

2.3 Service data — your campaign

When you and your players use the Service, you produce real-time game data that we store on your behalf so we can serve it back to you. This includes:

  • Campaign metadata (name, settings, roster, invite history)
  • Character sheets (stats, skills, foci, descriptions, equipment, notes)
  • Tactical maps, tokens, fog-of-war, and battlemap state
  • Chat logs and dice-roll history
  • Faction data, sector data, scene notes, NPC libraries
  • Audio configuration, including playlist references to external services (for example, links to publicly available YouTube tracks for ambient music; we do not host that audio — see Section 4 below)

We do not read, mine, train models on, or analyze the contents of your campaign data for any purpose other than operating the Service for you, except in the narrow cases where we must investigate a specific abuse report or comply with a valid legal process.

2.4 User-uploaded media

DMs and players can upload images for character portraits, NPCs, scenes, battlemaps, and other in-game art. These images are stored on our servers and served back to the campaign that owns them. They are not made public, not indexed for search, and not shared with any other campaign.

2.5 Operational and security logs

  • IP addresses, used for rate limiting, abuse prevention, and security monitoring. Retained for up to 90 days, then purged from rolling logs.
  • Browser user-agent string, used for compatibility diagnostics.
  • Session identifiers and request timestamps, used to diagnose issues you report and to detect suspicious activity.

3. How we use that information

We use the information in Section 2 to:

  • Provide and operate the Service: serve your campaign, sync state between players in real time, render dice rolls, persist your data, restore from a local snapshot when needed.
  • Authenticate you and maintain login sessions.
  • Bill you via Stripe and reflect your subscription status in-app.
  • Send transactional emails via Resend: signup confirmation, password reset, invite links, billing receipts, security notices, and policy updates.
  • Investigate abuse, fraud, and security incidents.
  • Communicate service-essential information to you (incidents, scheduled maintenance, material policy updates).

We do not use your data for advertising. We do not run third-party marketing or analytics trackers. We do not build advertising profiles. We do not sell, rent, or trade your data to any third party for advertising or marketing purposes.

4. Who we share information with

We share data with a small number of carefully chosen processors who help us operate the Service. Each has its own privacy policy that governs how it handles data on our behalf.

  • Stripe — payment processing and the customer billing portal. See stripe.com/privacy.
  • Resend — transactional email delivery (signup, invites, password resets, billing receipts, security notices). See resend.com/legal/privacy-policy.
  • Hetzner — server hosting infrastructure (account data, campaign data, uploaded media live on infrastructure operated by Hetzner). The production server is located in Ashburn, Virginia, United States. See hetzner.com/legal/privacy-policy.
  • Caddy — TLS termination and HTTPS routing on our own infrastructure. Caddy is software we run; it is not a third-party processor receiving your data outside our environment.
  • Off-site backup provider — not yet wired in. The Service currently relies on daily local snapshots stored on the production server. An off-site encrypted backup overlay is on the operator’s pre-launch checklist; this section will be updated with the named processor before commercial launch.

External media links. If you configure ambient-music links that point at external services (for example, YouTube), playing those links causes your browser — or another player’s browser — to connect directly to that external service. That connection is governed by the external service’s own privacy policy, not ours.

No advertising partners. We do not share data with advertising networks, marketing partners, data brokers, or behavioral-analytics platforms.

Legal process. We will disclose information in response to a valid court order, subpoena, or other lawful demand. Where the law allows it, we will notify the affected account holder before disclosure so they can respond. We will narrow disclosure to what is strictly required by the order.

5. Cookies and similar technologies

We use a small set of strictly necessary cookies. We do not use analytics cookies, advertising cookies, or third-party trackers.

  • Session cookie. Keeps you signed in. Set with HttpOnly, Secure, and SameSite=Lax.
  • CSRF token cookie. Implements the double-submit pattern to defend against cross-site request forgery: the token is sent back by the client in a request header or form field on every state-changing request and must match the cookie value, so this cookie is intentionally readable by the page (it is not HttpOnly).
  • Local storage. The Service stores some lightweight UI state (last-open tab, dice-roller preferences) in your browser’s local storage. This stays on your device.

6. Data retention

  • Active accounts. Account and campaign data is retained as long as your subscription remains current and you continue to use the Service.
  • Cancelled accounts. Your campaign data is retained for 90 days from the date of cancellation, then permanently deleted from production. This gives you a buffer to come back, decide you weren’t actually done, and pick up where you left off.
  • Archived campaigns. If you archive a specific campaign while keeping your account active, that campaign’s data is retained for 90 days from the archive date, then permanently deleted from production.
  • Operational logs. Rolling logs (IP addresses, request metadata, security audit trails) are retained for up to 90 days, then purged.
  • Local snapshots. Daily local snapshots of the data directory follow a rolling rotation (currently 14 days on the production server). Deleted data may persist in a snapshot until that snapshot ages out and is overwritten. Off-site encrypted backups are on the operator’s pre-launch checklist; this section will be updated when that overlay is in place.
  • Stripe billing history. Subscription and invoice history retained in Stripe is governed by Stripe’s own retention policy. We typically retain billing metadata in our system long enough to meet our own tax and accounting obligations.

When permanent deletion is triggered, we remove your data from active production systems. Once local snapshots age out on their normal schedule, your data is no longer recoverable from any system we operate.

7. Your rights

  • Access. You can download an export of your campaign data from your account settings (where the in-app export covers your data) at any time. If something you want is not yet covered by the in-app export, email support@underthetable.lol and we’ll help.
  • Correction. You can correct your account information from your account settings, or email us if you need help.
  • Deletion. You can delete your account from your account settings at any time. Deletion starts the 90-day retention window described in Section 6, during which the account is recoverable; after that window, deletion is permanent.
  • Export. Same as Access — available from settings, or by request.
  • Portability. Your campaign export is provided in a structured, machine-readable format so you can move it to another tool if you choose.

7.1 EU / UK residents (GDPR / UK-GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described above plus the right to rectification, erasure, restriction of processing, data portability, and to object to processing where it is based on a legitimate interest. You also have the right to lodge a complaint with your national data-protection authority. Email support@underthetable.lol to exercise any of these rights. The lawful bases for our processing are contract performance (running the Service you signed up for) and our legitimate interest in keeping the Service secure and abuse-free. Full GDPR-specific addenda are pending counsel review.

7.2 California residents (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, to access and delete it, to correct inaccurate information, and to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information in the CCPA/CPRA sense. Email support@underthetable.lol to exercise your rights. We will not discriminate against you for doing so. Full CCPA-specific addenda are pending counsel review.

8. Security

We take reasonable technical and organizational measures to protect your information, including:

  • Passwords stored only as bcrypt hashes — never plaintext, never recoverable.
  • TLS in transit across all endpoints, terminated by Caddy.
  • Session cookies with HttpOnly, Secure, and SameSite=Lax flags; CSRF protection on state-changing endpoints.
  • Rate limiting on authentication endpoints to mitigate brute-force and credential-stuffing attacks.
  • Daily local snapshots of the data directory with rolling retention. You can also export your full data from your account page anytime as a self-service archive. Off-site encrypted backups are on the operator’s pre-launch checklist and will be listed here once wired in.
  • Principle-of-least-privilege access: the only parties with access to production are the operator and, where unavoidable for their function, the named processors listed in Section 4.
  • No third-party access to your data beyond the processors listed in Section 4.
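As an added illustration, not code from UnderTheTable, the following Python standard-library snippet shows how the session and CSRF cookies described in Section 5 and in the list above are typically issued and checked: the session cookie carries HttpOnly, Secure, and SameSite=Lax; the CSRF cookie carries Secure and SameSite=Lax but is readable by the page; and every state-changing request must echo the CSRF cookie value in a header, compared in constant time. The cookie names, the X-CSRF-Token header name, and the sample requests are assumptions made for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed names for this example; the real service may use different ones.
SESSION_COOKIE = "session"
CSRF_COOKIE = "csrf_token"
CSRF_HEADER = "x-csrf-token"          # compared case-insensitively below
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def issue_cookies(session_id: str) -> tuple:
    """Build the two Set-Cookie header values for a freshly signed-in user.

    Returns (csrf_token, session_set_cookie, csrf_set_cookie).
    """
    csrf_token = secrets.token_urlsafe(32)   # 256 bits of randomness

    session = SimpleCookie()
    session[SESSION_COOKIE] = session_id
    session[SESSION_COOKIE]["httponly"] = True   # JS cannot read the session id
    session[SESSION_COOKIE]["secure"] = True     # HTTPS only
    session[SESSION_COOKIE]["samesite"] = "Lax"  # not sent on cross-site POSTs
    session[SESSION_COOKIE]["path"] = "/"

    csrf = SimpleCookie()
    csrf[CSRF_COOKIE] = csrf_token
    # Deliberately NOT HttpOnly: the page must read this value to echo it
    # back in the CSRF header on state-changing requests.
    csrf[CSRF_COOKIE]["secure"] = True
    csrf[CSRF_COOKIE]["samesite"] = "Lax"
    csrf[CSRF_COOKIE]["path"] = "/"

    return (
        csrf_token,
        session.output(header="").strip(),
        csrf.output(header="").strip(),
    )


def csrf_check(method: str, cookie_header: str, headers: dict) -> tuple:
    """Double-submit check for one request. Returns (allowed, reason).

    Safe methods pass. Anything else must carry the CSRF cookie and an
    equal token in the CSRF header; a missing or mismatched token fails.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    jar = SimpleCookie()
    jar.load(cookie_header or "")
    cookie_token = jar[CSRF_COOKIE].value if CSRF_COOKIE in jar else ""
    lowered = {k.lower(): v for k, v in headers.items()}
    header_token = lowered.get(CSRF_HEADER, "")

    if not cookie_token or not header_token:
        return False, "missing csrf token"
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    token, set_session, set_csrf = issue_cookies("sess-demo-0001")
    print("Set-Cookie:", set_session)
    print("Set-Cookie:", set_csrf)

    # Constructed sample requests: a legitimate one and a forged cross-site one.
    legit_cookies = f"{SESSION_COOKIE}=sess-demo-0001; {CSRF_COOKIE}={token}"
    print(csrf_check("POST", legit_cookies, {"X-CSRF-Token": token}))
    print(csrf_check("POST", legit_cookies, {}))             # forged: no header
    print(csrf_check("GET", legit_cookies, {}))              # safe method
```

Plain double-submit assumes an attacker cannot set cookies for the service's origin; if sibling subdomains ever host untrusted content, binding the CSRF token to the session (for example an HMAC over the session id under a server-side key) removes that dependency.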

That said, no system is perfectly secure. If we confirm a security incident that affects your personal information, we will notify affected users within 72 hours of confirmation, by email and (where appropriate) by in-app notice, describing what happened, what data was affected, and what we are doing about it. Final wording of this commitment is pending reconciliation with applicable breach-notification law and is subject to counsel review.

9. Children

The Service is intended for users aged 13 years or older, or older where the data-protection law that applies to you sets a higher age of digital consent (the GDPR default is 16, though a number of EEA member states have lowered it to 13; the United Kingdom sets it at 13). We do not knowingly collect personal information from children below the applicable age. If you believe a child below the applicable age has provided us with personal information, email support@underthetable.lol and we will take steps to delete that information.

10. International users and cross-border data transfer

The Service is hosted on a server located in Ashburn, Virginia, United States. Daily local snapshots are stored on the same server. If you are accessing the Service from outside the United States, your personal information is transferred to and stored in the United States, which may have different data-protection laws than your country of residence. (When an off-site backup overlay is wired in, this section will be updated to reflect the secondary storage location and its lawful-transfer mechanism.)

For users in the European Economic Area, the United Kingdom, and Switzerland: we will rely on Standard Contractual Clauses or another lawful transfer mechanism for cross-border transfers of your personal information. The exact mechanism is pending counsel review before commercial launch.

11. Changes to this Policy

We may update this Policy from time to time. For material changes, we will notify registered DM accounts by email at least 30 days before the changes take effect, and post a notice in the dashboard. Non-material clarifications (fixing typos, clarifying phrasing without changing meaning) take effect when posted, with the “Last updated” date at the top of this document updated accordingly. The “Last updated” date is the canonical version marker.

12. Contact

Privacy questions, data-subject requests, or anything else covered by this Policy? Email support@underthetable.lol and write “Privacy” in the subject line so we can route it correctly. (We may later add a dedicated privacy@underthetable.lol alias; until then, support@ is the right address.) We aim to respond within two business days, and within 30 days for any formal data-subject request.