Privacy Policy
Last Updated: November 18, 2025
This Privacy Policy describes how we collect, use, and protect your personal information when you use our Arkham Horror: The Card Game companion website.
1. Information We Collect
1.1 Information You Provide
When you create an account, we collect:
- Email address
- Username (if provided)
- Password (stored securely using industry-standard hashing)
1.2 Information Automatically Collected
We automatically collect certain information when you use our service:
- IP address
- Browser type and version
- Device information
- Usage data (pages visited, features used)
- Session cookies for authentication
1.3 Game Data
We store the following game-related data you create:
- Deck lists and configurations
- Campaign logs and progress
- Card collection (owned cards)
- Favorite cards
- Upgrade sheets
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain our service
- Authenticate your account and manage sessions
- Store and sync your game data across devices
- Improve our service and user experience
- Send important service-related communications
- Comply with legal obligations
3. Third-Party Services
3.1 Firebase Authentication
We use Google Firebase Authentication to securely manage user accounts. When you sign in, Firebase processes your authentication credentials. Please review Google's Privacy Policy for information about how Firebase handles your data.
3.2 Font Awesome Icons
We use Font Awesome icons via CDN (cdnjs.cloudflare.com). This service may collect usage statistics. Please review Font Awesome's Privacy Policy.
4. Data Storage and Security
We implement appropriate technical and organizational measures to protect your personal information:
- Passwords are hashed using secure algorithms
- Data is transmitted over encrypted connections (HTTPS)
- Access to personal data is restricted to authorized personnel
- Regular security audits and updates
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
5. Cookies and Tracking
We use cookies and similar technologies to:
- Maintain your login session
- Remember your preferences
- Analyze site usage
You can control cookies through your browser settings. Note that disabling cookies may affect the functionality of our service.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide our services. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal purposes.
7. Your Rights Under GDPR and Other Data Protection Laws
If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar data protection laws, you have the following rights:
7.1 Right of Access
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and information about how it is being processed.
7.2 Right to Rectification
You have the right to have inaccurate personal data corrected and incomplete personal data completed.
7.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
7.4 Right to Restrict Processing
You have the right to restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
7.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
7.6 Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
7.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
7.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes applicable data protection laws.
7.9 How to Exercise Your Rights
To exercise any of these rights, please contact us at support@arkham606.com. We will respond to your request within one month (or two months if the request is complex). We may require verification of your identity before processing your request.
8. Legal Basis for Processing (GDPR)
Under GDPR, we process your personal data based on the following legal bases:
- Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party (providing the service you requested)
- Legitimate Interests: Processing is necessary for our legitimate interests in operating and improving our service, ensuring security, and preventing fraud
- Consent: Where you have given clear consent for specific processing activities
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject
9. Data Controller Information
Data Controller: The operator of this website
Contact Email: support@arkham606.com
Purpose of Processing: Providing and maintaining the Arkham Horror: The Card Game companion website service
10. Data Processing and Third-Party Processors
10.1 Data Processors
We use the following third-party processors who process personal data on our behalf:
- Google Firebase: Authentication and user management services. Data is processed in accordance with Google's Privacy Policy and Data Processing Terms.
- Hosting Provider: Website hosting and database services. Data is stored on secure servers with appropriate technical and organizational measures.
10.2 Data Processing Agreements
All third-party processors are bound by contractual obligations to process personal data only in accordance with our instructions and applicable data protection laws.
11. Data Retention Periods
We retain personal data for the following periods:
- Account Data: Retained for as long as your account is active. Upon account deletion, data is deleted within 30 days, except where retention is required by law.
- Game Data: Retained for as long as your account is active. Deleted upon account deletion.
- Log Data: Retained for up to 12 months for security and troubleshooting purposes.
- Legal Obligations: Some data may be retained longer if required by applicable laws, regulations, or legal proceedings.
12. Data Deletion Policy
12.1 Requesting Data Deletion
You have the right to request deletion of your personal data. To request data deletion, please send an email to support@arkham606.com with the subject line "Data Deletion Request" and include your account email address. We will process your request within 30 days of receipt.
12.2 Data That Will Be Deleted
Upon receiving a valid data deletion request, we will permanently delete the following data:
- Account Information: Email address, username, display name, and account settings
- Authentication Data: Password hashes and authentication tokens (deleted immediately upon account deletion)
- Game Data: All deck lists, campaign logs, card collections, favorite cards, and upgrade sheets
- User Preferences: All saved preferences and settings
- Session Data: All active session tokens and cookies
12.3 Data That May Be Retained
Certain data may be retained for legal, security, or operational reasons, even after account deletion:
- Legal Compliance: Data required to be retained by law, regulation, or court order
- Legal Proceedings: Data relevant to ongoing or potential legal disputes, investigations, or claims
- Security Logs: Anonymized security and access logs may be retained for up to 12 months for fraud prevention and security analysis
- Backup Systems: Data in backup systems may persist for up to 90 days due to backup rotation schedules, after which it will be permanently deleted
- Aggregated/Anonymized Data: Statistical or aggregated data that cannot be used to identify you may be retained indefinitely
12.4 Third-Party Data
When you request data deletion, we will also request deletion of your data from third-party processors (such as Firebase Authentication). However, third-party processors may have their own data retention policies. We will make reasonable efforts to ensure your data is deleted from all third-party systems under our control.
12.5 Verification Requirements
To protect your privacy and prevent unauthorized deletion requests, we may require verification of your identity before processing a data deletion request. This may include:
- Verification of the email address associated with your account
- Confirmation through your registered email address
- Additional identity verification if the request is made from an unverified email address
12.6 Deletion Timeline
Upon verification of your identity and receipt of a valid deletion request:
- Immediate: Account access will be disabled and authentication tokens will be invalidated
- Within 7 days: Personal data in active systems will be deleted
- Within 30 days: All personal data will be removed from our primary systems
- Within 90 days: Data will be removed from backup systems (subject to legal retention requirements)
12.7 Exceptions to Deletion
We may deny or delay a data deletion request if:
- We are required to retain the data by law or legal order
- The data is necessary for ongoing legal proceedings
- Deletion would compromise the integrity of our systems or other users' data
- The request is fraudulent or made in bad faith
If we deny a deletion request, we will provide you with a written explanation of the reason for denial and information about your right to appeal.
12.8 Confirmation of Deletion
Upon completion of the data deletion process, we will send a confirmation email to the address from which the deletion request was made (or your registered email address if different). This confirmation will include a summary of what data was deleted and what data (if any) was retained and why.
13. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Other appropriate safeguards as required by applicable law
By using our service, you consent to such transfers subject to these safeguards.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay, and in any event within 72 hours of becoming aware of the breach, where feasible.
15. Children's Privacy
Our service is not intended for children under 13 years of age (or 16 years in the EEA). We do not knowingly collect personal information from children under the applicable age threshold. If you believe we have collected information from a child under the applicable age, please contact us immediately at support@arkham606.com and we will take steps to delete such information.
16. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting the updated Privacy Policy on this page
- Updating the "Last Updated" date
- For significant changes, we may notify you via email or through a notice on our website
Your continued use of the service after changes become effective constitutes acceptance of the updated Privacy Policy.
18. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
Email: support@arkham606.com
We will respond to all inquiries within a reasonable timeframe and in accordance with applicable data protection laws.
19. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including:
- The right to know: You have the right to request information about the categories and specific pieces of personal information we collect, use, disclose, and sell (we do not sell personal information)
- The right to delete: You have the right to request deletion of your personal information, subject to certain exceptions. To request deletion, please contact us at support@arkham606.com.
- The right to opt-out: You have the right to opt-out of the sale of personal information (we do not sell personal information)
- The right to non-discrimination: We will not discriminate against you for exercising your privacy rights
- The right to correct: You have the right to request correction of inaccurate personal information
To exercise your California privacy rights, please contact us at support@arkham606.com.
20. Other Jurisdictions
If you are located in other jurisdictions with data protection laws (such as Canada's PIPEDA or Brazil's LGPD), you may have similar rights. Please contact us at support@arkham606.com to learn more about your rights and how to exercise them.
