Legal

Privacy Policy

Last updated: 2 June 2026 · Status: Public beta

Draft. Written by the team to be honest and readable. Not a substitute for legal advice — review with a lawyer in your jurisdiction before relying on it.

1. Who we are

Tableward is a live companion tool for Dungeon Masters and Game Masters running tabletop roleplaying games. This Privacy Policy describes how we collect, use, and protect personal data when you visit our website at tableward.app ("the site") or use the application at table.tableward.app ("the app").

Tableward is currently operated by a single individual, not a company. "I" / "me" refers to that individual; "we" / "us" is used interchangeably where it reads more naturally.

Data controller: the individual operator of Tableward, based in the Netherlands. Contact: hello@tableward.app. A full postal address is available on written request to that address.

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent local laws apply to the processing of your personal data, and you have the rights set out in section 8.

2. Transparency at a glance

If you only read this section, you should know exactly who is behind Tableward and where your data goes.

Who runs Tableward: a single individual, based in the Netherlands. There is no company behind it yet. Contact: hello@tableward.app.

Where your data is stored:

WhatWhereRegion
Account, sessions, settingsFirebase Authentication + Cloud FirestoreEuropean Union
Uploaded maps, tokens, AI imagesFirebase StorageEuropean Union
Server-side functionsFirebase Cloud FunctionsEuropean Union
Error / performance telemetrySentryEuropean Union
AI features (when you use them)Google AI Studio (Gemini)Google infrastructure — see section 5.1
Marketing-site beta signups & contact formLovable CloudEU (as configured by Lovable Cloud)

What we don't do:

  • We do not sell your data.
  • We do not run third-party advertising trackers.
  • We do not use third-party analytics (no Google Analytics, no Meta Pixel) in the app.
  • We do not use Your Content to train AI models.
  • We do not read your campaign notes, maps, or tokens unless you ask for support and explicitly share them.

Your campaigns, session content, and uploaded art are yours. You can export or delete them at any time.

If a processor on this list changes — for example we add a new analytics tool, or move data to a different region — we will update this page before that change goes live, not after.

3. What we collect

3.1 When you sign up to the app

  • Account data: email address, display name, password hash (for email/password sign-in) or Google account identifier (for Google sign-in), and the date your account was created.
  • Provider data: if you sign in with Google, we receive your name, email address, and Google account ID from Google. We do not receive your Google password.

3.2 When you use the app

  • Campaigns & sessions: session names, session join codes, collaborator email addresses you invite, timestamps of activity.
  • Map and token state: map calibration, grid settings, fog of war, token positions, conditions, initiative order, viewport — the state needed to mirror the DM view to your players.
  • Uploaded files: images and video you upload as maps, tokens, portraits, or backgrounds. Stored in Firebase Storage in the EU.
  • AI-generated images: if you use the AI token / object generation features, the resulting image is stored in your personal token library in Firebase Storage.
  • Settings: preferences such as your Gemini API key (if you provide your own), generation model, and prompt defaults, stored in your private user document.

3.3 When you visit the marketing site

  • Beta signup: if you join the beta waitlist, we collect the email address you submit and (optionally) the free-text message you write about your game.
  • Contact form: if you contact us via the site, we collect your name, email address, and message.
  • The marketing site is hosted on Lovable Cloud and stores form submissions in its managed EU database. We periodically import relevant entries into our main Firebase project.

3.4 When you join as a player

Players who open a session via a join link do not need to create an account and we do not ask for personal data from them. The session join code is the only credential. The player's browser does load the published session state (map, tokens, fog of war) and connects to Firebase to receive live updates.

3.5 Technical & diagnostic data

  • Error and performance telemetry is sent to Sentry, hosted in the European Union. This includes the URL, browser type, OS, a generated session identifier, the user's UID (so we can correlate a report with an account if you ask for help), and the stack trace of the error. We make a reasonable effort to scrub personal data from error reports.
  • Server-side logs from our Cloud Functions are processed by Google Cloud (Firebase) in the EU. These logs include timestamps, function name, and basic request metadata.

We do not use third-party analytics (e.g. Google Analytics, Meta Pixel) at this time.

4. Why we collect it (legal basis under GDPR)

PurposeDataLegal basis
Operating your account and the appAccount, session, file dataContract (Art. 6(1)(b))
Sending product email related to your account (e.g. password reset)Email addressContract (Art. 6(1)(b))
Beta waitlist & communications about the betaEmail address (+ optional message)Consent (Art. 6(1)(a)) — unsubscribe any time
Keeping the app secure, debugging, fixing errorsTelemetry, logs, account identifiersLegitimate interest (Art. 6(1)(f))
Responding to a contact form messageName, email, messageLegitimate interest (Art. 6(1)(f))
Optional AI featuresThe image / prompt you submitConsent (Art. 6(1)(a))

You can withdraw consent at any time without affecting the lawfulness of processing done beforehand.

5. Where your data is stored, and who processes it

We pick processors deliberately, and we prefer EU hosting where the option exists.

ProcessorWhat we use it forRegion
Google Firebase (Auth, Firestore, Storage, Functions, Hosting)Account auth, application data, file storage, server-side logic, app hostingEuropean Union (europe-west*)
SentryError and performance monitoringEuropean Union
Google AI Studio (Gemini API)AI image generation when you use that featureGoogle infrastructure — see section 5.1
Lovable CloudMarketing site hosting, beta signup form, contact formEU (as configured by Lovable Cloud)

5.1 About AI processing

When you use an AI feature in the app, the prompt you submit (and any image you reference) is sent to Google AI Studio for processing. Google's terms apply to that processing. We do not retain a separate copy of the prompt beyond what is needed to return the result to you and to log that the feature was used (for fair-use limits).

If you provide your own Google AI Studio API key in your user settings, requests are made on your account and you are the customer of Google for that processing.

If you use the app-provided AI quota during beta, requests are made on our account. We do not use your prompts to train any model; we cannot guarantee Google's downstream handling beyond what their own terms commit to. If this matters to you, you can disable AI features or supply your own key.

5.2 International transfers

Some processors (notably Google) may transfer data outside the EEA. Where that is the case, we rely on the European Commission's Standard Contractual Clauses (SCCs) and/or the EU-U.S. Data Privacy Framework, as published by each processor.

6. How long we keep your data

  • Account and content — for as long as your account is active. If you delete a session, we delete the session document and its uploaded files from Firebase Storage. If you delete your account, we delete your user document, private settings, personal token library, and your sessions within 30 days of the deletion request. Backups may persist for up to a further 30 days before they roll over.
  • Beta waitlist — until you ask to be removed, or until 12 months after the beta phase ends, whichever is sooner.
  • Contact form messages — up to 24 months after the conversation ends.
  • Error & telemetry data in Sentry — by default, 90 days.
  • Server logs in Firebase — by default, retained per Google Cloud's default log retention.

7. Sharing your data

We do not sell your personal data. We share it only with:

  • The processors listed in section 5, strictly to deliver the service.
  • Collaborators you explicitly invite to a session (they can see that session's content, but never your account settings).
  • Law enforcement, if we are legally required to (a court order, valid subpoena, or equivalent).
  • A successor entity, in the event of a merger, acquisition, or sale of assets — we will notify you in advance if this happens, and your rights under this policy carry over.

We do not run advertising. We do not use third-party tracking pixels.

8. Your rights

If you are in the EEA, UK, or Switzerland, the GDPR gives you the right to:

  • Access the personal data we hold about you.
  • Rectify data that is wrong or incomplete.
  • Erase your data ("right to be forgotten").
  • Restrict or object to certain kinds of processing.
  • Port your data — receive a machine-readable copy and / or have it sent to another controller.
  • Withdraw consent at any time, where processing is based on consent.
  • Complain to a supervisory authority — for residents of the Netherlands, that is the Autoriteit Persoonsgegevens; in other EU countries, your national data protection authority.

To exercise any of these rights, email hello@tableward.app. We respond within one month.

Residents of the United States in states with applicable privacy laws (California, Colorado, Connecticut, Utah, Virginia, and others) have equivalent rights under their state laws and may use the same contact address.

9. Children

Tableward is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, email hello@tableward.app and we will delete it.

We are aware that tabletop RPGs are played by families and younger players. The player-join flow does not require an account and does not collect personal data from players. The DM is responsible for any account-level activity in their session.

10. Cookies and local storage

The app uses localStorage and IndexedDB in your browser to keep you signed in (a Firebase auth token) and to persist per-image map configuration locally (a key like dnd-mapconfig-{sessionId}-{imageId}). We do not use cookies for advertising or third-party tracking.

The marketing site uses only the strictly-necessary storage required to run forms and remember theme preference. It does not set advertising or analytics cookies.

11. Security

  • All traffic is encrypted in transit (TLS).
  • Authentication is handled by Firebase Authentication.
  • Firestore and Storage access is governed by per-document security rules so that only authenticated DMs and explicitly-invited collaborators can read or modify a session's private state; only published session snapshots are readable by holders of a join link.
  • Passwords are never stored by us in plaintext — Firebase Authentication handles hashing.
  • We take reasonable steps to keep our systems patched and our access controls minimal.

No service is 100% secure. If you believe your account or your data has been compromised, email hello@tableward.app immediately.

12. Changes to this policy

This is a live document and the product is in beta — we will update this policy as the product evolves. Material changes will be announced at the top of this page and, where you have given us an email address, by email at least 30 days before they take effect.

13. Contact

For any privacy question, request, or complaint:

hello@tableward.app
The individual operator of Tableward, Netherlands.
(Full postal address available on written request.)