Privacy Policy

Effective Date: April 17, 2026

1. Introduction

This Privacy Policy describes how Spellforge Studios LLC ("Spellforge Studios," "we," "us," or "our") collects, uses, stores, and protects information when you use SPELLFORGE™ and related services (the "Service") at https://spellforge.app, including any related mobile applications.

By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

When you create an account, we collect your username, email address, password (stored in hashed form), and optional profile information such as your display name, avatar, and bio.

Payment Information:

When you subscribe to a paid tier (Spellcaster or Archmage), payment processing is handled entirely by Stripe, Inc. We do not store your credit card numbers, bank account details, or other sensitive financial information on our servers. We receive and store your Stripe customer ID, subscription ID, subscription status, billing interval, and transaction history metadata from Stripe.

Deck Data:

Card lists, deck names, descriptions, format tags, and power-level analysis results that you upload or create within the platform.

Tournament Data:

Tournament entries, match results, pairings, standings, moderator rulings, and related competitive play information.

Communications:

Messages sent through community chat, private matchmaking lobbies, and any correspondence you send to us (e.g., support requests, feedback).

Discord Account:

If you connect your Discord account for Archmage-tier access, we receive your Discord user ID and username. We do not access your Discord messages, friends list, or server memberships beyond the Spellforge Archmage server.

2.2 Information Collected Automatically

Video and Audio Streams:

Spellforge Studios uses WebRTC peer-to-peer technology for voice and video chat during matches. Your video and audio streams are transmitted directly between you and your match opponents. We do not record, store, or monitor the contents of your video or audio streams. TURN relay servers may temporarily route encrypted media traffic when direct peer-to-peer connections cannot be established, but no recordings are made.

Usage Data:

We automatically collect information about how you interact with the Service, including pages visited, features used, match history, queue times, session duration, matchmaking preferences, and timestamps.

Device Information:

We collect device type, operating system, browser type and version, screen resolution, IP address, and general geographic location (city/region level, not precise).

Cookies and Similar Technologies:

We use essential cookies for authentication and session management, functional cookies for user preferences, and analytics cookies to understand usage patterns. See Section 8 for details.

2.3 Information from Third Parties

Scryfall API:

We retrieve publicly available Magic: The Gathering card data from the Scryfall API for deck building and power-level analysis features. This does not involve any of your personal data.

Authentication Providers:

If you sign in via a third-party authentication provider (e.g., Google, Discord OAuth), we receive your name, email address, and profile picture from that provider as authorized by you.

3. How We Use Your Information

  • To provide, operate, and maintain the Service, including matchmaking, tournaments, deck management, and real-time communication features
  • To process subscriptions and payments through Stripe
  • To manage your account and provide customer support
  • To personalize your experience, including matchmaking algorithms and recommended content
  • To communicate with you about updates, security alerts, and administrative messages
  • To enforce our Terms of Service and maintain platform integrity
  • To detect, prevent, and address technical issues, fraud, abuse, and violations of our policies
  • To analyze usage trends and improve the Service
  • To comply with legal obligations

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers

  • Stripe, Inc. — Payment processing, subscription management, tax calculation
  • Vercel, Inc. — Website hosting and serverless function execution
  • Neon, Inc. — Database hosting (PostgreSQL)
  • Upstash — Redis caching and rate limiting
  • Sentry — Error tracking and performance monitoring
  • Discord — Archmage community integration (opt-in only)

4.2 Other Users

Certain information is visible to other users: your username, avatar, subscription tier badge, match history, tournament results, and video/audio during matches.

4.3 Legal Requirements

We may disclose your information if required by law or to protect our rights, prevent fraud, or ensure user safety.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

5. Data Retention

  • Account data: Retained while the account is active, plus 30 days after a deletion request
  • Match history and tournament records: Retained for the lifetime of the Service
  • Payment records: Retained as required by tax regulations (typically 7 years)
  • Chat messages: Retained for 90 days, then automatically purged
  • Server logs and analytics: Retained for 12 months
  • Video/audio streams: Not retained — peer-to-peer only, never recorded

6. Data Security

  • All data transmitted is encrypted using TLS 1.2 or higher (HTTPS)
  • Passwords are hashed using bcrypt with appropriate salt rounds
  • Database access is restricted by role-based permissions
  • Stripe handles all PCI DSS compliance for payment data
  • WebRTC streams are encrypted end-to-end using DTLS-SRTP
  • Regular security audits and dependency vulnerability scanning
  • Rate limiting to prevent abuse (tiered by subscription level)

7. Your Rights and Choices

All users have the right to: access, update, correct, and delete their personal data; opt out of non-essential communications; and disconnect third-party integrations.

EEA Users (GDPR):

Additional rights include data portability, right to restrict processing, right to object, and right to withdraw consent. Contact privacy@spellforge.app to exercise these rights.

California Residents (CCPA/CPRA):

Rights include right to know, right to delete, right to opt out of data sales (we do not sell data), right to non-discrimination, and right to correct inaccurate information.

8. Cookies and Tracking

We use essential cookies (authentication, CSRF), functional cookies (preferences), and privacy-focused analytics cookies. We do not use advertising cookies or tracking pixels. We do not participate in cross-site advertising.

9. Children's Privacy

The Service is not intended for children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. Contact privacy@spellforge.app if you believe a child has provided personal information.

10. International Data Transfers

Your information may be transferred to servers located outside your country, including the United States. We ensure appropriate safeguards including Standard Contractual Clauses (SCCs) for EEA transfers.

11. Intellectual Property Notice

Spellforge Studios is not affiliated with Wizards of the Coast LLC or Hasbro, Inc. Magic: The Gathering trademarks are property of Wizards of the Coast. Card data is sourced from the Scryfall API.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and an updated effective date. Continued use constitutes acceptance.

13. Contact Us

Email: privacy@spellforge.app

Website: https://spellforge.app