Privacy Policy
Quick Summary
- We’re a small, self-funded TTRPG campaign-management service operated from Czechia.
- We collect only what we need to run the Service: your email, your campaign content, and basic technical data.
- We use Google Firebase, Google Cloud Vertex AI (for AI features), and Stripe as our main sub-processors.
- We do not sell or share your personal information for advertising.
- You can access, export, correct, or delete your data at any time.
- Users must be 15 or older to use Oh My Lore!
For the shortest version: we treat your data the way we’d want ours treated. The long version is below.
1. Who We Are
Oh My Lore! (“we”, “us”, “our”) is operated by:
Tomáš Holocsy
71 Jabloňová
Praha, Hlavní město Praha 106 00
Czechia
Contact for privacy matters: support@ohmylore.app
Phone: (+420) 793 913 700
No Data Protection Officer has been appointed — we are not required to appoint one under GDPR Art. 37 at our current scale. You can reach us directly at the address above.
This Privacy Policy applies to our websites at ohmylore.app, ohmylore.eu, ohmylore.quest, and to the Oh My Lore! mobile application (together, the “Service”).
2. What Data We Collect
| Category | Examples | How we get it |
|---|---|---|
| Account data | Email address, Firebase UID, display name | You provide it at signup |
| Campaign content | Campaigns, maps, submaps, NPCs, notes, quests, characters | You create it in the Service |
| Media | Profile images, uploaded character/map images, AI-generated maps | You upload it or ask us to generate it |
| AI prompts | Text descriptions and image scans you submit to AI features | You provide it when using Scan / AI Generation |
| Technical data | IP address, browser type, device type, timestamps of use, AI-generation quotas | Automatically when you use the Service |
| Payment data | Last 4 digits of card, billing country (full card details stay with Stripe) | You provide it at checkout |
| Cookies & similar technologies | See our Cookie Policy | Set when you use the Service |
We do not collect: health data, political opinions, biometric data, or other GDPR “special category” data. Please do not include such data in your campaign content.
3. How We Use Your Data and Legal Basis
Under GDPR Art. 6, we process your data on the following bases:
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and maintain your account; sync campaigns across devices | Performance of a contract (Art. 6(1)(b)) |
| Generate AI content (maps, lore, note scans, recaps) | Consent (Art. 6(1)(a)) — you opt in per feature |
| Process payments and donations | Performance of a contract (Art. 6(1)(b)) and legal obligation (tax law) (Art. 6(1)(c)) |
| Protect against abuse (rate limiting, fraud prevention, quota enforcement) | Legitimate interest (Art. 6(1)(f)) — operating a safe service |
| Send service-related emails (account, billing, security) | Performance of a contract (Art. 6(1)(b)) |
| Send marketing emails, if any | Consent (Art. 6(1)(a)) — you opt in, can opt out anytime |
| Improve the Service and troubleshoot | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal requests (e.g. court orders) | Legal obligation (Art. 6(1)(c)) |
We do not use your content to train AI models. Our AI sub-processor (Google Cloud Vertex AI) is contractually prohibited from using your prompts, uploaded images, or generated outputs to train its foundation models under Google’s Cloud Service Specific Terms and Data Processing Addendum.
4. Who We Share Your Data With (Sub-Processors)
We share data only with the following categories of recipients, each acting as a processor on our behalf:
| Recipient | What we share | Why |
|---|---|---|
| Google LLC / Google Cloud (Firebase) | Account data, campaign content, media, technical data | Hosting, authentication, database (Firestore / Realtime DB), file storage |
| Google LLC / Google Cloud (Vertex AI) | AI prompts, uploaded images (maps, notes, character sheets) | AI generation and OCR features — processed ephemerally under the Google Cloud Data Processing Addendum; not used to train models |
| Stripe, Inc. | Email, payment token, billing country | Payment processing (we never see full card numbers) |
| Buy Me a Coffee | Donation amount, email (if you choose to share) | Voluntary donation processing |
Email: Transactional emails (sign-up confirmation, password reset, payment receipts) are sent by Firebase Authentication (Google) and Stripe directly — we do not operate a separate email provider at this time. Support correspondence goes through Google Gmail (support@ohmylore.app). If we add custom app notifications (e.g. campaign invites, session reminders), we will update this list and give active users at least 14 days’ notice.
We do not sell your personal information. We do not share it for cross-context behavioural advertising.
5. International Transfers
Some of our sub-processors are based in the United States (Google, Stripe, Buy Me a Coffee). Your data may therefore be transferred to the US.
We rely on the following safeguards under GDPR Chapter V:
- Google Cloud (including Vertex AI): certified under the EU–U.S. Data Privacy Framework (DPF). See dataprivacyframework.gov.
- Stripe: Standard Contractual Clauses (SCCs) under EU Commission Implementing Decision 2021/914.
- Buy Me a Coffee: Standard Contractual Clauses (SCCs).
You can request a copy of the relevant safeguards by emailing support@ohmylore.app.
6. Content Visibility Inside the Service
Oh My Lore! is a collaborative platform. Please understand how content visibility works:
- Public (within campaign): Visible to every member of that campaign.
- Private: Visible only to the creator and users explicitly named in the “Shared With” list.
- Game Masters (GMs): Have elevated visibility to run sessions, including seeing through “Fog of War” on maps.
- Guest mode: Stored only in your browser; nothing is written to our servers.
Anything you mark public within a campaign is seen by the players in that campaign. That is intentional and necessary for the Service to work.
7. How Long We Keep Your Data
| Data | Retention |
|---|---|
| Account & campaign data | As long as your account is active |
| Account deleted — “Keep Campaigns” mode | Personal profile & claimed characters removed; campaigns you created remain accessible to other players |
| Account deleted — “Delete Everything” mode | All your campaigns, maps, notes, quests, images permanently removed from active databases |
| Deleted map images in Firebase Storage | Up to 30 days in a “trash” state before permanent purge |
| AI prompts (sent to Google Cloud Vertex AI) | Processed ephemerally for the request; not retained by us |
| Technical / IP logs | Up to 30 days for security and rate-limiting purposes |
| Backups | Up to 90 days in encrypted backups before full rotation |
| Billing records (invoices, payment history) | 10 years — required by Czech Act No. 235/2004 Sb. on VAT and Act No. 563/1991 Sb. on accounting |
8. Your Rights Under GDPR
If you are in the EU, EEA, UK, or Switzerland, you have the following rights:
- Right of access (Art. 15) — ask what data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure / “right to be forgotten” (Art. 17) — delete your data. You can trigger this from Account Settings.
- Right to restrict processing (Art. 18).
- Right to data portability (Art. 20) — export your campaign data in a machine-readable format.
- Right to object (Art. 21) — to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — for AI features and marketing, at any time.
- Right not to be subject to solely automated decision-making (Art. 22) — we do not make automated decisions with legal or similarly significant effects about you. AI generation produces content; it does not decide anything about your access or rights.
- Right to lodge a complaint with the Czech supervisory authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, Czech Republic — https://www.uoou.cz/. You may also complain to the supervisory authority in your country of residence.
To exercise any of these rights: email support@ohmylore.app. We will respond within 30 days (GDPR Art. 12(3)). We may ask you to verify your identity before acting on the request.
There is no fee for a reasonable request. For manifestly unfounded or excessive requests (especially repetitive ones), we may charge a reasonable fee or refuse the request, per Art. 12(5).
9. California Residents — CCPA / CPRA
If you reside in California, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act.
Categories of personal information we collect (as defined by Cal. Civ. Code §1798.140):
- Identifiers (email, user ID, IP address)
- Customer records (billing name, country)
- Internet / device activity (browser type, usage)
- Geolocation data — approximate, derived from IP only
- User-generated content (your campaigns, notes)
Sources: directly from you; automatically from your device when you use the Service.
Purposes: as described in Section 3 above.
We do NOT sell or share personal information for cross-context behavioural advertising, in the meaning of CCPA / CPRA.
Your California rights:
- Right to know what personal information we collect, use, disclose, and share.
- Right to delete.
- Right to correct.
- Right to opt out of sale or sharing (we don’t sell or share — included for completeness).
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising these rights.
To exercise these rights: email support@ohmylore.app with “CCPA Request” in the subject. We may ask you to verify your identity (at a minimum, we will verify you control the email associated with your account).
You may use an authorized agent; we will require written proof of authorization.
10. Security
We use:
- HTTPS (TLS) for all traffic.
- Strict Content Security Policy and HTTP Strict Transport Security headers.
- Firebase Security Rules to ensure only authorised users access specific campaign data.
- Encryption at rest provided by Google Cloud Storage and Firestore.
- Rate limiting and abuse prevention.
No system is 100% secure. If we become aware of a personal data breach likely to result in risk to your rights and freedoms, we will notify the ÚOOÚ within 72 hours and, where appropriate, notify you directly, as required by GDPR Art. 33 and 34.
11. Children
Oh My Lore! is not intended for users under 15 years of age. This reflects the digital-consent age set by Czech Act No. 110/2019 Sb. §7 for GDPR Art. 8 purposes.
We do not knowingly collect personal data from users under 15. If you are a parent or guardian and you believe a user under 15 has provided us with personal data, please contact support@ohmylore.app and we will delete the information promptly.
Users between 15 and 18 should review this policy with a parent or guardian.
12. AI and Automated Processing
Oh My Lore! includes AI features: map generation, map scanning, lore generation, note scanning, and AI recap. These features are opt-in and clearly labelled.
When you use them:
- Your prompt (text and/or image) is sent to Google Cloud Vertex AI for processing.
- The AI returns generated content.
- Google processes the data ephemerally for that request and does not retain it for other purposes.
- We do not use your content to train AI models, and Google Cloud Vertex AI is contractually prohibited from using your prompts, uploaded images, or generated outputs to train its foundation models under the Google Cloud Data Processing Addendum.
- You retain ownership of inputs and outputs under our Terms and Conditions.
AI-generated content is produced by a machine and may contain errors, biases, or unexpected content. You are responsible for reviewing anything you share with your campaign.
We do not make solely-automated decisions that produce legal or similarly significant effects about you. Quota enforcement and rate limiting are purely technical and do not affect your rights.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if we have your address) and via an in-app notice before the change takes effect. The “Last updated” date at the top of this document will always reflect the most recent version.
Continued use of the Service after a change takes effect means you accept the updated Policy.
14. Contact
- Email: support@ohmylore.app
- Post: Tomáš Holocsy, 71 Jabloňová, Praha, Hlavní město Praha 106 00, Czechia
- Phone: (+420) 793 913 700
- Czech supervisory authority: https://www.uoou.cz/
Oh My Lore! is a self-funded project. We process your data only as described above and only for as long as necessary. If anything here is unclear or you’d like something changed, we’d genuinely like to hear from you.