Legal

Privacy Policy

Effective date: 29 May 2026 · Last updated: 29 May 2026

Chronicles of Terros (“we”, “us”, “our”) is based in England. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using our website and services at chroniclesofterros.com, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the service.

1. Data Controller

The data controller responsible for your personal data is:

Chronicles of Terros
Email: support@chroniclesofterros.com

2. What Data We Collect

Account Data

When you create an account, we collect:

  • Email address
  • Display name (if provided)
  • Date of birth (used to determine age-appropriate content safeguards)
  • Authentication credentials (managed by Firebase Authentication; we do not store raw passwords)

Game Data

When you play Chronicles of Terros, we store:

  • Character data (name, class, race, stats, inventory, abilities)
  • Game state (quest progress, world state, companion relationships, narrative history)
  • Session data (episode progress, play duration)
  • Player choices and action history (used to drive narrative continuity)

Payment Data

Payments are processed by Stripe. We do not store your full card number, CVV, or bank details. Stripe provides us with:

  • Transaction ID and payment status
  • Last four digits of your card (for display purposes)
  • Billing email address
  • Country of the payment method

Waitlist & Charter Data

If you join the waitlist or express interest in the Charter Adventurer programme, we collect:

  • Email address
  • Whether you expressed charter interest
  • Whether you opted in to development updates

Automatically Collected Data

When you visit our website, our hosting provider (Vercel) may automatically collect:

  • IP address
  • Browser type and version
  • Pages visited and time spent
  • Referring URL

3. How We Use Your Data

PurposeLegal Basis (UK GDPR)
Providing and maintaining the game servicePerformance of contract (Art. 6(1)(b))
Processing paymentsPerformance of contract (Art. 6(1)(b))
Sending transactional emails (purchase confirmations, chronicle delivery)Performance of contract (Art. 6(1)(b))
Sending development updates (if opted in)Consent (Art. 6(1)(a))
Generating AI-driven narrative content based on your game actionsPerformance of contract (Art. 6(1)(b))
Compiling your Chronicle Book from gameplay dataPerformance of contract (Art. 6(1)(b))
Applying age-appropriate content safeguards for players under 18Legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f))
Preventing fraud and abuseLegitimate interest (Art. 6(1)(f))
Improving the service and fixing bugsLegitimate interest (Art. 6(1)(f))

4. AI-Generated Content

Chronicles of Terros uses Google Gemini (via Google Cloud) to generate narrative content — descriptions, dialogue, and story events. Your gameplay actions and character data are sent to this AI service as prompts to produce personalised narrative responses.

Important: All game mechanics (combat, HP, spell slots, dice rolls) are calculated by our deterministic code engine, not by AI. The AI generates narrative text only. Your game state is never directly modified by AI output.

Age-Based Content Safeguards

Your date of birth is used to apply hardcoded content safeguards for players under 18. These safeguards automatically filter graphic violence, sexual content, substance abuse depictions, and self-harm themes from AI-generated narrative before it reaches the player. This filtering is enforced at the code level and cannot be overridden by the AI. Your date of birth is not shared with third parties and is used solely for this purpose.

Google’s AI services process data under their own data processing terms. We do not use your gameplay data to train AI models. Prompts are processed in real time and not retained by Google beyond the request lifecycle.

5. Third-Party Services

ServicePurposeData Shared
Google FirebaseAuthentication, database, hostingEmail, account data, game state
Google Gemini AINarrative generationGame context, character data, player actions (as prompts)
StripePayment processingEmail, payment method details
VercelWebsite hosting and deploymentIP address, access logs
ResendTransactional email deliveryEmail address, email content

Each third-party service operates under its own privacy policy and data processing agreements. We only share the minimum data necessary for each service to function.

6. Cookies

We use the following cookies:

  • Authentication cookies — Essential. Maintain your logged-in session. Cannot be disabled without losing access to the game.
  • Stripe cookies — Essential. Required for secure payment processing during checkout.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not sell or share cookie data with advertisers.

7. Data Retention

  • Account and game data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
  • Payment records: Retained for 7 years to comply with UK tax and accounting obligations.
  • Waitlist data: Retained until the public launch, then deleted unless you have created an account.
  • Server logs: Automatically deleted after 30 days by our hosting provider.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Firebase Authentication with industry-standard credential hashing
  • Firestore security rules restricting access to authorised users
  • Stripe PCI-DSS compliant payment processing
  • No storage of raw passwords or full card numbers on our servers

No method of electronic storage or transmission is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

9. Your Rights (UK GDPR)

Under the UK GDPR, you have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate personal data.
  • Erasure — Request deletion of your personal data (“right to be forgotten”).
  • Restrict processing — Request that we limit how we use your data.
  • Data portability — Request your data in a structured, machine-readable format.
  • Object — Object to processing based on legitimate interest.
  • Withdraw consent — Withdraw consent for marketing communications at any time.

To exercise any of these rights, contact us at support@chroniclesofterros.com. We will respond within 30 days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

10. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom, including the United States (where Google Cloud and Stripe are headquartered). These transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the ICO
  • The service providers’ compliance with applicable data protection frameworks

11. Children’s Privacy

Chronicles of Terros is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will notify registered users by email.

Your continued use of the service after changes are posted constitutes acceptance of the updated policy.

13. Contact

For any questions about this privacy policy or your personal data, contact:

Chronicles of Terros
support@chroniclesofterros.com