Privacy Policy
Last updated: 2026-05-07
This Privacy Policy explains how Isometra ("we", "us", "the service") collects, uses, and protects your data when you use the platform. By using Isometra you agree to the practices described below.
1. Who we are
Isometra is a 5E-compatible virtual tabletop for in-person and online tabletop roleplaying. The service is operated by an individual developer; the operator is the data controller for the purposes of GDPR/UK GDPR. See the Contact section at the bottom for how to reach us.
2. What we collect
We collect only what's needed to run the service.
Account data
- Email address (used as your sign-in identifier)
- An authentication identifier issued by our auth provider (Supabase)
- Display name and profile picture, if you set them
Game content you create
- Characters (name, race, class, ability scores, equipment, spells, backstory, portraits)
- Campaigns (name, setting, NPCs, locations, quests, sessions, handouts, maps)
- Notes, homebrew content, and any text you write inside the app
- Fork relationships (which campaign you forked from, who forked your campaign)
Chat content (AI features)
- Messages you send to the in-app AI personas (Loremaster for DMs, Lyra for players)
- The structured context the app sends with each message — your active character, campaign, recent events — so the AI can respond meaningfully
- The AI's responses
Diagnostic and operational data
- Server logs (which routes were called, how long they took, error stack traces)
- Browser-side error reports via Sentry (only if Sentry is enabled in your environment)
- Vercel analytics page-view counts (no personal identifiers; aggregated)
Cookies and similar
- A session cookie issued by Supabase auth so you stay signed in
- A consent cookie (if/when we add an explicit consent banner)
- Local storage entries for UI preferences (theme, sidebar state, last-active campaign)
We do not intentionally collect: precise geolocation, device fingerprints beyond what your browser auto-sends, payment information (the service is currently free and has no billing), or social-graph data from other platforms.
3. How we use your data
- Run the service. Render your characters, persist your campaigns, route AI chat, deliver pages.
- Improve reliability. Read logs and error reports to find and fix bugs.
- Communicate with you. Send transactional emails (password reset, account verification). We don't send marketing emails.
- Comply with legal obligations. Respond to lawful requests; preserve data where required by law.
We do not sell your data, share it with advertisers, or use it for advertising profiling.
4. Who processes your data on our behalf
Isometra uses third-party sub-processors for infrastructure. Each sub-processor receives only what they need to perform their function.
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| Supabase (Postgres + Auth) | Database, authentication | All persisted user data | US |
| Vercel | Application hosting, analytics, AI Gateway | App requests, analytics events, AI prompts | US (primarily) |
| Anthropic | AI model inference (via Vercel AI Gateway) | Chat messages and structured context for the AI personas | US |
| Google Generative AI (Gemini) | Image generation (via Vercel AI Gateway) | Image generation prompts you submit | US |
| Sentry | Error reporting (when enabled) | Error stack traces, request URL, user ID | US/EU |
| Open5e | D&D 5.1 SRD content lookup | Public SRD slug queries only | US |
5. AI processing disclosure
When you chat with an Isometra AI persona (Loremaster or Lyra) or use AI helpers like NPC suggestions, character portraits, or session summaries:
- Your messages and the structured context the app prepares are sent to Anthropic via the Vercel AI Gateway. Image generation requests are sent to Google via the Vercel AI Gateway.
- We use the AI provider's standard API; we do not opt-in to any provider training program. Provider-side handling is governed by Anthropic's privacy policy and the Vercel AI Gateway terms.
- AI responses are generated probabilistically and may contain inaccuracies. Treat AI-generated content as a draft, not a source of truth — especially for rules adjudication.
- The AI does not have access to your account credentials, payment information, or other users' private campaigns.
6. Data retention
- Active accounts: we retain your data while your account is active.
- Account deletion: when you delete your account from Settings, we soft-delete your characters, campaigns, and chat history. Hard-deletion (irreversible) happens within 90 days, except where law requires longer retention.
- Backups: routine database backups may retain copies for up to 35 days after deletion before they roll off.
- Logs and analytics: server logs and Vercel analytics events are retained per the provider's default retention (typically 30–90 days).
- Forked content: if another user forked one of your published campaigns before you deleted it, their fork is independent and survives your deletion. The attribution to your original work remains, but your name is replaced with "(deleted user)" if you've deleted your account.
7. Your rights
Depending on where you live, you have rights under GDPR, UK GDPR, CCPA/CPRA, or other privacy laws. We honor these rights regardless of jurisdiction:
- Access: request a copy of the data we hold about you.
- Correction: ask us to correct inaccurate data.
- Deletion: delete your account, which deletes your data subject to the retention rules above.
- Portability: request an export of your data in a structured, machine-readable format.
- Restrict / object: ask us to limit certain processing.
- Withdraw consent: where processing is based on consent (e.g. analytics), you can withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint: with your local data protection authority.
To exercise any of these rights, see Contact.
8. Security
We use industry-standard practices: TLS in transit, Supabase Row-Level Security to scope every database query to the calling user, environment-level secret management, and sub-processors with their own security posture. No system is perfectly secure; if we discover a breach affecting your data, we will notify you in line with applicable law.
9. Children
Isometra is intended for users 13 and older. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us — we will delete it.
10. Changes to this policy
When we change this policy materially, we will update the "Last updated" date and surface a notice in the app. Continued use after the effective date constitutes acceptance of the updated policy.
11. Contact
For privacy questions, requests, or to exercise the rights above:
- Email: zwchristie@gmail.com
- Subject line: "Isometra Privacy" so it routes correctly
We aim to respond within 30 days for substantive requests.
See also: Terms of Service — Licensing & Attribution.