EARLY ACCESS
// LEGAL_DOCUMENT

Privacy Policy

Last updated: May 2026

1. Data Controller

This Privacy Policy describes how ArcQuill processes personal data. The data controller responsible for processing under the EU General Data Protection Regulation (GDPR) and equivalent local laws is:

Kerem Can Akdağ
37075 Göttingen
Germany

For all privacy-related questions and to exercise the rights described below, contact:

kerem@arcquill.com

2. Information We Collect

We collect information in several ways when you use ArcQuill ("the Service"). Here is what we gather and why.

Account Information

When you sign in with Google OAuth, we receive the following from your Google account:

  • Your name and display name
  • Your email address
  • Your profile picture
  • Your Google account ID (used solely for authentication)

Game Data

As you play, we store the content you create and interact with:

  • Worlds, including entities such as NPCs, locations, items, and factions
  • Characters and their associated details
  • Game sessions and chat messages (both your inputs and AI-generated responses)
  • Session Zero drafts and world-building configurations

Usage Data

We collect data about how you use the Service:

  • Credit consumption and token usage per interaction
  • Transaction and billing history
  • Session timestamps and activity logs

Technical Data

We automatically collect certain technical information when you access the Service:

  • Device type and operating system
  • Browser type and version
  • IP address (used for security, abuse prevention, debugging, and rate limiting; included in server access logs and error reports)
  • Error logs, stack traces, and performance metrics, which may include IP address, request path, and the request context that triggered an error

3. How We Use Your Information and Legal Basis

We use the information we collect for the following purposes. For users in the EU, EEA, and UK, we also identify the legal basis under GDPR Article 6:

  • Provide and improve the game experience (legal basis: performance of a contract, Art. 6(1)(b)). Your game data powers your adventures, and usage patterns help us make ArcQuill better.
  • Process billing and credit transactions (legal basis: performance of a contract, Art. 6(1)(b); legal obligation for tax and accounting records, Art. 6(1)(c)). We track credit usage and process payments so you can purchase and use credits.
  • Send important service updates (legal basis: legitimate interests, Art. 6(1)(f); legal obligation for security or breach notices, Art. 6(1)(c) where applicable). We contact you about significant changes to the Service, your account, or these policies.
  • Analyze usage patterns and product performance (legal basis: legitimate interests, Art. 6(1)(f)). We study how players use ArcQuill to prioritize features, fix issues, and improve performance.
  • Prevent abuse, fraud, and enforce our Terms (legal basis: legitimate interests, Art. 6(1)(f); legal obligation where required, Art. 6(1)(c)). We use technical and usage data to detect fraud, prevent misuse, and keep the platform safe.

4. Third-Party Services and Processors

ArcQuill relies on the following third-party services to function. Each service acts as a processor on our behalf and receives only the data it needs to perform its role.

Hetzner Online GmbH (hosting and storage)

Our application servers and object storage (S3-compatible) are hosted with Hetzner in Falkenstein, Germany. All primary user data (account, world, game session, character, message, and image data) is stored on Hetzner infrastructure within the EU. See Hetzner's privacy policy.

Google OAuth

We use Google OAuth for authentication. Google provides us with the basic profile information listed in Section 2. We do not receive or store your Google password. Google's privacy policy governs how Google handles your data.

Stripe

Payment processing is handled by Stripe. When you make a purchase, your payment details are sent directly to Stripe. We do not store your credit card number or full payment credentials on our servers. See Stripe's privacy policy for details on how they handle payment data.

OpenRouter

OpenRouter provides access to the AI models that power the Dungeon Master. Your game interactions (prompts, context, and chat messages) are sent to OpenRouter, which routes them to the upstream model provider for processing and response generation. See OpenRouter's privacy policy.

Google Gemini

We use Google Gemini for generating embeddings that power ArcQuill's world memory and semantic search. Game data such as entity descriptions and narrative context is sent to Gemini for this purpose. See Google's Gemini API terms.

Sentry

Sentry is used for error monitoring and performance instrumentation. When the Service encounters an error, Sentry receives a report that includes the stack trace, request path, browser/device information, your IP address, and the user identifier associated with the request. See Sentry's privacy policy.

Resend

Resend handles transactional email delivery (account notifications, billing receipts, important service updates). When we send you email, Resend processes your email address and the message content. See Resend's privacy policy.

Note about AI providers: OpenRouter and Google Gemini process your game text to generate responses and embeddings. We do not send your personal account information (such as your email address or payment details) to AI providers. Only game-related content is transmitted.

International Data Transfers

Our primary infrastructure (Hetzner) is located in the European Union. Some processors listed above (Stripe, Sentry, Resend, and the AI providers) may process data in jurisdictions outside the EEA, including the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under GDPR Chapter V, including the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. You can request more information about the specific safeguards in place by contacting us.

AI Training and Model Improvement

ArcQuill does not train, fine-tune, or otherwise use your content to improve any AI models. Your game inputs, narratives, and AI-generated responses are processed solely to power your gameplay and are not used as training data by us. We rely on AI providers (OpenRouter and Google Gemini) whose API terms state that content sent to their endpoints is not used to train their models. Provider policies may change over time; we recommend reviewing them periodically using the links above.

5. Data Storage and Security

We take the security of your data seriously. Our measures include:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
  • Encryption at rest: Database contents are encrypted on disk.
  • EU-based infrastructure: Primary data is stored on Hetzner servers in Falkenstein, Germany.
  • Regular backups: We perform regular backups to protect against data loss.
  • Access controls: Internal access to user data is restricted and audited.

While we implement reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.

6. Data Sharing

We do not sell your personal information. We will never monetize your data by selling it to third parties.

We share data only in the following circumstances:

  • With our service providers: We share data with the third-party services listed in Section 4, strictly for the purposes described there.
  • When required by law: We may disclose your information if required to do so by law, regulation, legal process, or governmental request.
  • To protect rights and safety: We may share information when we believe it is necessary to prevent fraud, protect our rights, or ensure the safety of our users.

7. Automated Decision-Making

We do not use your personal data for automated decision-making that produces legal effects or similarly significantly affects you within the meaning of GDPR Article 22.

The Service uses generative AI to produce game narrative, characters, and Dungeon Master responses. This is creative output for entertainment purposes. It is not used to make decisions about your access to services, eligibility, pricing, employment, credit, or any other matter with legal or significant effect on you.

8. Your Rights

If you are located in the EU, EEA, or UK, you have the following rights under the GDPR and equivalent laws regarding your personal data:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you and information about how we process it.
  • Right to rectification (Art. 16): Request that we correct any inaccurate or incomplete information we hold about you.
  • Right to erasure (Art. 17): Request deletion of your account and associated personal data, subject to legal retention obligations (such as tax records).
  • Right to restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20): Request an export of your game data (worlds, characters, game history) in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests, including processing for analytics or service improvement.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you can withdraw that consent at any time without affecting processing carried out before withdrawal.

To exercise any of these rights, please contact us at:

kerem@arcquill.com

We will respond to your request within one month, as required by Article 12(3) GDPR.

Right to Lodge a Complaint

If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). For users in Germany, the competent authority for the data controller is:

Die Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen)
Prinzenstraße 5, 30159 Hannover, Germany
lfd.niedersachsen.de

9. Cookies and Local Storage

ArcQuill uses cookies and local storage strictly for functional purposes:

  • Session cookies: Used for authentication and maintaining your logged-in session.
  • HTTP-only cookies: Used to securely store JWT tokens. These cookies cannot be accessed by client-side JavaScript, providing additional security.
  • CSRF tokens: Used to protect against cross-site request forgery attacks.
  • Local storage: Used to store user preferences and cached data for a better experience.

We do not use third-party tracking cookies, advertising cookies, or any form of cross-site tracking.

10. Minors

ArcQuill is intended exclusively for adults aged 18 or over. We do not knowingly collect personal information from anyone under 18, and we do not allow anyone under 18 to create or maintain an account.

If we become aware that we have inadvertently collected data from a person under 18, we will take steps to delete that information and terminate the account. If you believe a minor has provided us with personal information, please contact us at kerem@arcquill.com so we can take appropriate action.

11. Data Retention

We retain your data according to the following guidelines:

  • Account data: Retained for as long as your account is active. Deleted when you request account deletion.
  • Game data: Retained until you delete it or until your account is deleted.
  • Transaction records: Retained for 7 years to comply with legal and financial reporting requirements.
  • Server logs: Retained for 90 days, then automatically purged.

For a full breakdown of our retention practices, please see our Data Retention Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the "Last updated" date at the top of this page.

For significant changes, we will notify you via email or through an in-app notification. Your continued use of ArcQuill after updated policies are posted constitutes your acceptance of those changes. If you do not agree with the revised policy, you should stop using the Service.

13. Contact

If you have questions about this Privacy Policy, want to exercise your data rights, or have any privacy-related concerns, please contact us at:

kerem@arcquill.com