Privacy Policy

1. Introduction

GDD.studio ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use our Game Design Document editor at gdd.studio ("the Service").

We comply with the General Data Protection Regulation (GDPR) and applicable European privacy laws.

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

• Email address - for authentication and communication
• Name - for display within the Service
• Avatar - if provided or imported via OAuth
• OAuth provider ID - if you sign in via GitHub or Google

2.2 Content Data

We store the content you create within the Service:

• Game design documents, sections, and elements
• Uploaded images and assets
• Scenario data and element links

2.3 Payment Data

Payment processing is handled by Lemon Squeezy. We do not store your credit card details. Lemon Squeezy may collect billing information as described in their privacy policy.

2.4 Usage Data

We collect minimal technical data to operate the Service:

• IP address (for security and rate limiting)
• Browser type and version
• Pages visited and features used
• Error logs for debugging

3. How We Use Your Data

We use your data exclusively to:

• Provide and maintain the Service
• Authenticate your identity
• Process your subscription payments (via Lemon Squeezy)
• Send transactional emails (account verification, password resets)
• Improve the Service based on aggregated, anonymized usage patterns
• Respond to support requests

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Data Storage and Security

Your data is stored on servers located in the European Union (Hetzner, Germany). We implement appropriate technical and organizational measures to protect your data, including:

• Encrypted connections (TLS/HTTPS)
• Encrypted database backups
• Access controls and authentication
• Regular security updates

5. Data Retention

• Active accounts: Data is retained as long as your account is active.
• Deleted accounts: Your content is retained for 30 days after account deletion, then permanently removed.
• Backups: May contain your data for up to 90 days after deletion.

6. Your Rights (GDPR)

As a user in the EU, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Delete your data ("right to be forgotten")
• Export your data in a portable format (JSON, Markdown, PDF)
• Restrict processing of your data
• Object to processing of your data
• Withdraw consent at any time

To exercise these rights, contact us at hello@gdd.studio. We will respond within 30 days.

7. Cookies

We use only essential cookies required for the Service to function:

• Session cookie - to keep you logged in
• CSRF token - for security
• Theme preference - stored in localStorage (not a cookie)

We do not use tracking cookies, analytics cookies, or advertising cookies.

8. Third-Party Services

We use the following third-party services:

• Lemon Squeezy - payment processing
• Hetzner - server hosting (EU)
• GitHub / Google - optional OAuth login

Each third-party service has its own privacy policy. We only share the minimum data necessary for these services to function.

9. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.

11. Contact

For any privacy-related questions or requests, contact us at:

• Email: hello@gdd.studio