Privacy Policy
Last updated: 5 July 2026
This Privacy Policy explains how Daniel Taylor trading as Lore Beholder, a sole trader in the United Kingdom ("we", "us", "our") collects, uses, and protects personal data when you use our Service at app.lorebeholder.com. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data controller
The data controller is Daniel Taylor, trading as Lore Beholder, a sole trader in the United Kingdom. For privacy questions or to exercise your rights, contact: [email protected].
2. Personal data we collect
We collect the following categories of personal data:
Account and identity data
- Email address, display name, and Clerk user identifier
- Authentication session data managed by Clerk
- Organisation membership and billing plan status (where applicable)
Content and activity data
- Games, campaigns, scenes, characters, and posts you create
- Invite tokens, membership in games, and role information (for example, game master or player)
- Timestamps and metadata associated with your activity on the Service
Payment data
- Subscription status, plan type, and billing events. Payment card details are collected and processed directly by Stripe (via Clerk Billing); we do not store full card numbers on our servers.
Technical and usage data
- IP address, browser type, device information, and request logs
- Diagnostic and performance telemetry (for example, OpenTelemetry traces sent to Honeycomb when enabled)
- Cookies and similar technologies used for authentication and security (see section 9)
Communications
- Transactional emails (invites, account notices, billing-related messages) sent via Postmark
- Messages you send to our support or legal/privacy inboxes
3. How we use your data and legal bases
We use personal data for the purposes below. UK GDPR legal bases are noted in parentheses.
- Provide the Service — create and manage your account, sync your profile, run games, and deliver features you request (contract; legitimate interests in operating a secure platform)
- Billing and subscriptions — process payments, manage trials, and handle dunning (contract; legal obligation for tax/accounting where applicable)
- Security and fraud prevention — authenticate users, detect abuse, and protect the Service (legitimate interests; legal obligation where required)
- Communications — send service-related emails you need to use the Service (contract; legitimate interests)
- Improve and maintain the Service — debugging, analytics, and reliability monitoring (legitimate interests, balanced against your rights)
- Legal compliance — respond to lawful requests and enforce our Terms (legal obligation; legitimate interests)
- Marketing — we do not sell your personal data. If we send optional product updates or marketing emails in future, we will do so only with your consent where required, and you may opt out at any time.
4. Who we share data with
We share personal data only as needed to operate the Service, with processors bound by appropriate contractual safeguards:
- Clerk — authentication, user management, and billing orchestration (US)
- Stripe — payment processing (US/EU, depending on configuration)
- Postmark — transactional email delivery (US)
- Honeycomb — observability and tracing when enabled (US)
- DigitalOcean — application hosting (EU/UK regions where configured)
- Cloudflare — DNS, CDN, and edge security
We may also disclose data if required by law, to protect rights and safety, or in connection with a merger or acquisition (with notice where practicable).
5. International transfers
Some processors are located outside the UK, including in the United States. Where personal data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), UK Addendum to EU Standard Contractual Clauses, or adequacy regulations where applicable. You may request more information about transfers by contacting [email protected].
6. How long we keep data
- Account data — retained while your account is active and for a reasonable period after deletion to handle disputes, backups, and legal obligations (typically up to 90 days unless a longer period is required by law)
- Game content — retained while your account or the relevant game exists; deleted or anonymised when you delete your account or when a game owner removes content, subject to backup cycles
- Billing records — retained as required for tax, accounting, and fraud prevention (generally up to 7 years where UK law requires)
- Logs and telemetry — retained for a limited period appropriate to debugging and security (typically 30–90 days unless needed for an incident investigation)
7. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data in certain circumstances ("right to be forgotten")
- Restrict processing — ask us to limit how we use your data
- Data portability — receive certain data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise these rights, email [email protected]. We may need to verify your identity. We will respond within one month, or inform you if we need more time.
You may delete your account through Clerk account settings. Deleting your account triggers removal or anonymisation of associated data in our systems, subject to legal retention requirements and content owned by shared games (for example, posts in a campaign may remain visible to other participants in anonymised form where necessary for game continuity).
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.
8. Children
The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us data, contact [email protected] and we will take steps to delete it.
9. Cookies and similar technologies
Under UK law (PECR and UK GDPR), we must tell you about cookies and similar technologies we use. We currently use essential cookies only — those strictly necessary to provide the Service you request (sign-in, security, and payment). We do not use analytics, advertising, or marketing cookies, so we do not show a cookie consent banner at launch.
If we introduce non-essential cookies in future (for example, optional analytics), we will update this policy and ask for your consent before setting them.
Cookies on the app (Lore Beholder)
These cookies may be set when you visit app.lorebeholder.com, including public pages such as sign-in, sign-up, and pricing:
Cookies on the brochure site (www.lorebeholder.com)
Our marketing site at www.lorebeholder.com is static
HTML with no first-party cookies. Cloudflare may still set essential security cookies (such as __cf_bm or cf_clearance) when the site is served through their network.
We do not run analytics or advertising scripts on the brochure site.
Managing cookies
You can control cookies through your browser settings. Blocking essential cookies will prevent sign-in, checkout, or access to protected parts of the Service. Server-side telemetry (for example, OpenTelemetry traces sent to Honeycomb) is not stored in your browser and is not covered by PECR cookie rules.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), access controls, and secure hosting. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
11. Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. For material changes, we will provide additional notice where required by law.
13. Contact
Daniel Taylor trading as Lore Beholder, a sole trader in the United Kingdom
United Kingdom
Privacy: [email protected]
Legal: [email protected]