Privacy Policy
This Privacy Policy is provided pursuant to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR) and applicable German data protection law (BDSG).
1. Controller
The controller responsible for the processing of your personal data is the operator of Kobold Kronikler, whose full contact details are set out in the Impressum.
For data-protection enquiries, please contact us using the email address listed in the Impressum with the subject line “Data Protection / Datenschutz”.
A Data Protection Officer has not been appointed, as there is currently no statutory obligation to do so (Art. 37 GDPR / §38 BDSG).
2. Personal Data We Collect
We collect only the data that is necessary (“data minimisation”, Art. 5(1)(c) GDPR):
| Category | Data | Collected when |
|---|---|---|
| Account data (GM) | Name or display name, email address, bcrypt-hashed password | Registration |
| Account data (Player) | Username, email address (optional), bcrypt-hashed password, character name and description (optional) | Invitation / first login |
| Campaign content | Campaign names, plot descriptions, world events, news articles, GM notes, player notes, and any other content you voluntarily enter | Active use |
| Technical / log data | IP address, browser type, operating system, pages visited, timestamps (retained in server logs) | Every page request |
| Cookie / consent data | Cookie preferences and consent record - see our Cookie Policy | First visit |
3. Legal Basis and Purposes
Every processing activity must have a legal basis under Art. 6 GDPR. We rely on the following:
| Purpose | Legal basis |
|---|---|
| Providing the Service (account creation, authentication, storing campaign data) | Art. 6(1)(b) GDPR - performance of a contract to which you are a party |
| Security, fraud prevention, CSRF protection, server-side rate limiting | Art. 6(1)(f) GDPR - our legitimate interest in securing the Service and protecting users |
| Server / access log retention (IP address, request metadata) | Art. 6(1)(f) GDPR - legitimate interest in diagnosing errors and detecting abuse |
| Non-essential cookies (analytics, functional) if enabled by you | Art. 6(1)(a) GDPR - your explicit consent via the cookie preference banner |
| Responding to support enquiries or data-subject requests | Art. 6(1)(c) GDPR - compliance with a legal obligation; and/or Art. 6(1)(f) GDPR - legitimate interest in providing support |
4. Data Retention
We retain personal data only for as long as necessary for the stated purpose and no longer than required by law:
- Account data: Retained for as long as your account is active. Upon deletion of your account, account data is deleted within 30 days, unless a longer retention period is required by law (e.g. German commercial or tax retention obligations under HGB / AO, typically up to 10 years).
- Campaign content: Retained for as long as your account is active and for 30 days following account deletion.
- Server / access logs: Retained for a maximum of 7 daysin the normal course of operations, unless a specific security incident requires longer retention.
- Cookie consent records: Retained for 1 year from the date of consent, in accordance with §25 TTDSG.
5. Data Sharing and Third-Party Processors
We do not sell your personal data. We may share data with the following categories of recipients:
- Hosting provider - Hetzner Online GmbH: The Service is hosted on servers operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Server infrastructure is located within the European Economic Area (EEA). Hetzner acts as a data processor under a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. Hetzner’s privacy policy is available at hetzner.com/legal/privacy-policy.
- Legal authorities: We may disclose personal data to law-enforcement or other authorities where required to do so by applicable law.
We currently use no third-party analytics, advertising, or marketing services.
6. International Transfers
Your personal data is stored and processed within the European Economic Area (EEA). We do not intentionally transfer personal data to third countries outside the EEA. If this changes in the future, we will update this policy accordingly and ensure that appropriate safeguards are in place (e.g. Standard Contractual Clauses under Art. 46 GDPR).
7. Automated Decision-Making
We do not use automated decision-making or profiling with legal or similarly significant effects as described in Art. 22 GDPR.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords are stored using bcrypt hashing (12 rounds) - plaintext passwords are never stored.
- All connections to the Service are encrypted via HTTPS/TLS.
- HTTP security headers are applied on all responses: Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
- CSRF tokens are used to protect all authenticated requests.
- Rate limiting is applied to login, registration, and note-creation endpoints to limit brute-force and credential-stuffing attacks.
- Inline images are not permitted in user-generated markdown content - this prevents external image requests that would expose a viewer’s IP address to third-party servers.
- Markdown output is sanitised using DOMPurify to prevent cross-site scripting (XSS).
- The database is accessible only from within the internal Docker network and is not exposed to the public internet.
- Data is stored on Hetzner infrastructure within the EEA, and Hetzner’s technical and organisational measures (TOM, Art. 32 GDPR) supplement our own.
No system is entirely free from risk. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required by Art. 34 GDPR, inform affected users without undue delay.
9. Your Rights Under GDPR
You have the following rights regarding your personal data. To exercise any of them, contact us using the details in the Impressum with the subject line “Data Subject Request”. We will respond within one month (Art. 12(3) GDPR).
| Right | What it means |
|---|---|
| Access (Art. 15) | You may request a copy of all personal data we hold about you and information about how it is processed. |
| Rectification (Art. 16) | You may request correction of inaccurate or incomplete personal data. |
| Erasure (Art. 17) | You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent. |
| Restriction (Art. 18) | You may request that we restrict processing of your data in certain circumstances, e.g. while accuracy is contested. |
| Portability (Art. 20) | Where processing is based on consent or contract and carried out automatically, you may request a machine-readable copy of your data or have it transferred to another controller. |
| Objection (Art. 21) | You may object to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Withdraw consent (Art. 7(3)) | Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal. For cookies, use the cookie preference banner or our Cookie Policy. |
10. Right to Lodge a Complaint
You have the right to lodge a complaint with a data-protection supervisory authority at any time (Art. 77 GDPR). The supervisory authority competent for the operator is the data protection authority of the German federal state (Bundesland) in which the operator is located. A list of all German supervisory authorities is available at: bfdi.bund.de - Supervisory Authorities
If you are located in another EU member state, you may also contact your local supervisory authority.
11. Cookies
For detailed information about the cookies we use, their purposes, duration, and how to manage your preferences, please see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law or our data practices. Material changes will be communicated to registered users by email or by a prominent notice within the Service before taking effect. The “Last updated” date at the bottom of this page indicates when this policy was last revised.
Last updated: 21 February 2026