Privacy Policy
How DM Companion handles your data.
Last Updated
March 22, 2026
What We Collect
DM Companion collects and stores the following data to provide its services:
- Account information - Your email address (used for authentication). If you sign in with Google or GitHub, we receive your email and profile avatar from those services.
- Campaign data - Campaign names, session notes, world notes, and other content you create within the app.
- Player and character data - Player names, NPC names, creature stat blocks, and character sheet information you enter.
- Application preferences - Theme selection, sidebar state, and other UI settings stored in your browser's local storage.
We do not collect analytics, tracking data, or advertising identifiers.
How We Store Your Data
- Server-side - Campaign data, session notes, players, NPCs, and creatures are stored in a Supabase PostgreSQL database. All data is protected by Row-Level Security (RLS), ensuring only you can access your own data. Data is encrypted in transit via HTTPS.
- Browser storage - UI preferences (theme, sidebar state), character sheet data, campaign-to-player mappings, locations, maps, encounter state, and initiative tracker state are stored in your browser's localStorage and sessionStorage. This data never leaves your device.
- API response cache - Reference data fetched from the Open5e and D&D 5e APIs (spells, monsters, classes, items) is cached in your browser's localStorage for up to 4 hours to improve load times. This cache contains only public SRD data, not personal information, and is automatically cleared after expiry.
Third-Party Services
DM Companion uses the following third-party services:
- Supabase (supabase.com) - Database hosting and authentication. Their privacy policy.
- Google OAuth (optional) - If you choose to sign in with Google. Google's privacy policy.
- GitHub OAuth (optional) - If you choose to sign in with GitHub. GitHub's privacy statement.
- Open5e API (open5e.com) - Provides D&D 5e reference data (spells, monsters, items). No personal data is sent to this service.
- D&D 5e API (dnd5eapi.co) - Provides D&D 5e reference data. No personal data is sent to this service.
- GitHub Pages - Hosts the static web application files. No user data is processed by GitHub Pages.
Cookies and Tracking
DM Companion does not use cookies for tracking or advertising. The only cookies set are by Supabase for authentication session management. We do not use any analytics services (no Google Analytics, no tracking pixels, no fingerprinting).
For full details on every cookie and browser storage key we use, see our Cookie Policy.
Data Retention
Your data is stored for as long as your account exists. If you wish to delete your data, see "Your Rights" below.
Your Rights
Under GDPR and similar privacy regulations, you have the right to:
- Access - Request a copy of all data we store about you.
- Rectification - Update or correct your data at any time through the app.
- Deletion - Permanently delete your account and all associated data using the Delete Account button in your profile menu, or by contacting us at the email below.
- Portability - Export your data in machine-readable JSON format at any time using the Export Data button in your profile menu.
- Restriction - Request that we limit processing of your data.
To exercise any of these rights, contact: arany.mak@gmail.com
Data Security
- All connections use HTTPS encryption.
- Database access is protected by Row-Level Security - users can only access their own data.
- Passwords are hashed by Supabase (never stored in plain text).
- Only the public anonymous API key is used in the client - the service key is never exposed.
Children's Privacy
DM Companion is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us to have it removed.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the app after changes constitutes acceptance of the updated policy.