1. Data Controller
The data controller responsible for your personal data is:
If you have any questions about this Privacy Policy or how your data is handled, please contact us at the email address above.
2. What Data We Collect and Why
TomeWorld is a Warhammer 40,000 10th Edition army builder web application. We collect only the minimum data necessary to provide the service.
Server-Side Data (PostgreSQL Database)
| Data | Purpose |
|---|---|
| Email address | Account registration, login authentication, and account recovery |
| Password (bcrypt-hashed) | Secure authentication; your raw password is never stored |
| Army list data (JSON) | Saving and loading your army lists across sessions and devices |
| Timestamps (created_at, updated_at) | Record management and data integrity |
| Supporter status | Tracks whether you have an active supporter subscription |
| Supporter expiry date | Records when your supporter status expires |
| PayPal transaction ID | Submitted by you to verify your donation; used only for manual verification |
Client-Side Data (Browser localStorage)
| Key | Purpose |
|---|---|
| wh40k-auth-token | JWT authentication token to keep you logged in |
| wh40k-armies | Local cache of your army list data for offline access |
| wh40k-last-army-id | Remembers which army list you last worked on |
| wh40k-theme | Your chosen UI theme preference (e.g., Necrons, Chaos, Space Marines) |
What We Do NOT Collect
- We do not use cookies.
- We do not use analytics or tracking tools.
- We do not serve or integrate with advertising networks.
- We do not sell, rent, or share your personal data with anyone.
3. Legal Basis for Processing
We process your personal data under the following legal bases:
- Consent (Art. 6(1)(a) GDPR): When you register an account, you consent to the processing of your email address and password for authentication purposes.
- Legitimate Interest (Art. 6(1)(f) GDPR): We have a legitimate interest in processing data necessary to operate, maintain, and secure the service, including storing army list data, maintaining server logs, and ensuring the application functions correctly.
You may withdraw your consent at any time by deleting your account. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
4. Data Retention
Your personal data is retained for as long as you maintain an active account with TomeWorld. Specifically:
- Account data (email, hashed password): Retained until you request account deletion.
- Army list data: Retained until you delete individual army lists or request full account deletion.
- localStorage data: Stored in your browser until you clear it manually or log out.
Upon receiving a valid account deletion request, all associated personal data will be permanently removed from our database within 30 days.
5. Third-Party Services
TomeWorld uses a minimal number of third-party services:
Google Fonts
We load typefaces (Oswald and Roboto) from Google Fonts. When the page loads, your browser connects to Google's servers, which may log your IP address. Google's privacy policy applies to this data collection.
Learn more: Google Privacy Policy · Google Fonts Privacy FAQ
Railway (Hosting Provider)
TomeWorld is hosted on Railway. As part of normal server operations, Railway may collect server logs that include IP addresses and request metadata. This data is governed by Railway's own privacy practices.
Learn more: Railway Privacy Policy
PayPal (Supporter Donations)
TomeWorld offers an optional supporter subscription (€5/year) processed through PayPal. When you choose to donate, you are redirected to PayPal.me to complete the payment. TomeWorld does not process, access, or store any payment card details, bank account information, or PayPal account data.
The only payment-related data we store is the PayPal transaction ID that you voluntarily submit to verify your donation. This ID is used solely for manual verification of your supporter status.
Learn more: PayPal Privacy Policy
6. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights regarding your personal data:
- Right of Access (Art. 15): You can request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): You can request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): You can request deletion of your personal data ("right to be forgotten").
- Right to Data Portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format (JSON).
- Right to Restrict Processing (Art. 18): You can request that we limit how we process your data.
- Right to Object (Art. 21): You can object to processing based on legitimate interest.
- Right to Lodge a Complaint: You have the right to file a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully.
To exercise any of these rights, see Section 14 below.
7. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to Know: You can request details about what personal information we collect, the purposes of collection, and whether it is disclosed or sold.
- Right to Delete: You can request deletion of personal information we have collected from you.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. You will receive equal service and pricing regardless.
We do NOT sell personal information. TomeWorld has never sold personal information and has no plans to do so. No personal data is shared with third parties for monetary or other valuable consideration.
8. Browser Local Storage
TomeWorld uses your browser's localStorage API (not cookies) to store small amounts of data on your device. This data never leaves your browser unless you explicitly sync your army lists to the server.
What Is Stored
- wh40k-auth-token: A JSON Web Token (JWT) that keeps you authenticated so you don't need to log in every visit.
- wh40k-armies: A local copy of your army list data for quick loading and offline access.
- wh40k-last-army-id: The ID of the army list you most recently viewed, so the app can reopen it automatically.
- wh40k-theme: Your selected visual theme (e.g., "necrons", "chaos", "space-marines").
How to Clear localStorage
You can clear this data at any time:
- Open your browser's Developer Tools (usually F12).
- Navigate to the Application (Chrome) or Storage (Firefox) tab.
- Select Local Storage and find the TomeWorld domain.
- Delete individual keys or clear all entries.
Alternatively, logging out of the app will clear authentication-related localStorage data.
9. Data Security
We take reasonable measures to protect your personal data:
- Password Hashing: All passwords are hashed using bcrypt before storage. We never store or have access to your plaintext password.
- JWT Authentication: Session management uses signed JSON Web Tokens, eliminating the need for server-side session storage and reducing attack surface.
- HTTPS Encryption: All data transmitted between your browser and our servers in production is encrypted via HTTPS/TLS.
- Minimal Data Collection: We follow the principle of data minimisation: we only collect what is strictly necessary to provide the service.
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please report it to support@tomeworld.online.
10. Children's Privacy
TomeWorld is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@tomeworld.online and we will promptly delete that information.
11. International Data Transfers
TomeWorld is hosted on Railway, whose servers may be located in the United States or other regions. If you access the service from outside the United States, your data may be transferred to, stored, and processed in the US or other countries where Railway operates infrastructure.
By using TomeWorld, you acknowledge that your data may be transferred internationally. We rely on the necessity of the transfer for the performance of the service and your consent at registration as the legal basis for such transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- The "Last updated" date at the top of this page will be revised.
- For significant changes, we may provide additional notice (e.g., a banner in the app).
We encourage you to review this page periodically. Your continued use of TomeWorld after any changes constitutes acceptance of the updated policy.
13. Contact
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
TomeWorld Support
Email: support@tomeworld.online
We aim to respond to all privacy-related enquiries within 30 days.
14. How to Exercise Your Rights
You can exercise your privacy rights in two ways:
Option A: Email Request
Send an email to support@tomeworld.online with the subject line "Privacy Request". Please include:
- The email address associated with your TomeWorld account.
- A description of the right you wish to exercise (e.g., data access, data deletion, data export).
We will verify your identity before processing any request and respond within 30 days.
Option B: In-App Account Settings
Where available, you can use the in-app account settings to:
- Export your data: Download all your army lists and account data in JSON format.
- Delete your account: Permanently remove your account and all associated data from our servers.