Lumen VTT legal
Privacy Policy
Effective: April 17, 2026
Lumen VTT ("we," "us," or "our") respects your privacy. This Privacy Policy explains what information we collect when you use our virtual tabletop service at lumenvtt.com (the "Service"), how we use it, and the choices you have.
Information we collect
Account information
When you create an account, we collect your email address. If you sign in with Google or Discord, we receive basic profile information from that provider via OAuth, such as your name or username, email address, and profile picture. We request only basic identity scopes for authentication and do not access your Gmail, Drive, Calendar, Discord servers, Discord messages, or other account data.
Content you create
Campaign data you produce while using the Service, including characters, NPCs, maps, notes, and chat messages, is stored on our servers so you can access it across devices.
API keys and local settings
If you choose to use third-party services, such as Google Gemini or Together AI, your API keys for those providers are stored only in your browser's local storage. We proxy requests to those providers on your behalf but do not persist your keys on our servers.
Technical logs
Standard server logs, including IP address, user agent, timestamps, and request paths, are collected automatically to operate, secure, and troubleshoot the Service. These logs are retained for a limited period and are not used for advertising.
How we use your information
- To provide, maintain, and improve the Service
- To authenticate you and keep your account secure
- To respond to your support requests
- To detect, prevent, and respond to abuse or security issues
- To comply with legal obligations
We do not sell or rent your personal information, and we do not serve third-party advertising.
Third-party service providers
We work with a small number of third-party providers to operate Lumen VTT. The providers below receive data about you as part of normal Service operation:
- Discord - if you sign in with Discord, Discord processes your authentication and returns basic profile details such as your username, email, and avatar to us
- Supabase - authentication and primary database hosting, including account email, password hash, and campaign content
- Google - if you sign in with Google, Google processes your authentication and returns your name, email, and profile picture to us
- Hosting and content-delivery providers - reputable infrastructure partners that host our application and serve it to your browser. These providers do not persistently store your personal data; they pass requests through in transit.
The following providers are only involved if you explicitly opt in by supplying your own API key in Settings. You can remove the key at any time to stop using them:
- Google Gemini API - generates text content on request when you provide a Gemini key
- Together AI - generates images when image generation is enabled
Each provider has its own privacy practices. If you have questions about how a specific provider handles your data, contact us at support@lumenvtt.com and we'll point you to the relevant policy or provide a current sub-processor list on request.
Cookies and local storage
We use a small number of essential cookies and localStorage entries to keep you signed in and to remember your app preferences. We do not use advertising, analytics, or tracking cookies.
Data retention
We retain your account information and content for as long as your account is active. If you delete your account, we will delete associated data within 30 days, except where retention is required by law.
Your rights and choices
- Access and export - request a copy of the data we hold about you
- Correction - update inaccurate information
- Deletion - request deletion of your account and content
- Opt-out - disable or remove any third-party integration at any time
To exercise any of these rights, email us at support@lumenvtt.com. Depending on your jurisdiction, you may have additional rights under GDPR, UK GDPR, or CCPA; we honor those rights on request.
Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
Security
We use industry-standard safeguards, including encrypted connections, secure password hashing via Supabase Auth, and restricted server access. No online service can guarantee absolute security; you are responsible for keeping your account credentials confidential.
International users
The Service is operated from the United States. If you access it from outside the US, your information will be transferred to and processed in the US and jurisdictions where our providers operate.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app or via email to registered users. Continued use of the Service after an update constitutes acceptance of the revised policy.
Contact
Questions about this Privacy Policy? Reach us at support@lumenvtt.com.