Privacy Policy

The data controller for NPC Factory is DougTren s.r.o. (referred to as "DougTren" throughout this policy), a limited liability company registered in the Czech Republic, Company ID 24973211, with registered office at Plzeňská 3352/156, Smíchov, 150 00 Praha 5, Czech Republic. Full identification is at legal.dougtren.com/company. For privacy questions or to exercise your rights, contact info@dougtren.com with the subject line "GDPR request."

• A pseudonymous opaque identifier (the sub claim returned by Google OAuth).
• Game-related data: character information, game state, session history, and ratings you submit.
• In-game prompts and AI-generated responses produced during your play.
• Technical logs: IP address, user-agent, and request metadata, as recorded by our CDN and backend.

We do not store your name, email address, or Google credentials.

Sign-in uses Google OAuth 2.0 / OpenID Connect. After the OAuth handshake, only the pseudonymous sub claim is retained. Your name, email address, and Google credentials are not stored.

• Art. 6(1)(b) — Contract. Processing of the opaque identifier, game data, and in-game content/responses is necessary to perform the Service contract with you.
• Art. 6(1)(f) — Legitimate Interest. Technical logs are processed to operate, secure, and protect the Service.

• Federated identity (mapping between your Google sub and your NPC Factory account): removed immediately when you delete your account, and within 30 days of any deletion request received via email. Once removed, no further sign-in to that account is possible.
• Game records: retained for the duration of an active shared game. On account deletion, your nickname is removed and your user record is marked as deleted; existing characters and games you participated in remain as shared records and display you as Deleted user.
• Prompts and AI-generated responses: retained as part of the game record. They are not retained separately by inference providers.
• Technical logs: up to 90 days, after which they are deleted or anonymized.

We rely on the following categories of processors. Specific vendor names within each category are not published in this policy for security reasons (reducing the public attack surface of the Service); the current list is provided on request to data subjects exercising their rights under GDPR Art. 15.

• Identity provider: Google LLC (USA), used solely for the OAuth handshake. Transfer basis: EU-US Data Privacy Framework.
• AI inference providers: LLM services in the EU and the USA, used to generate in-game content. Transfer basis: EU-US Data Privacy Framework where the recipient is DPF-certified, otherwise Standard Contractual Clauses.
• Cloud infrastructure: providers of compute, storage, database, and CDN services in EU and US regions. Transfer basis: same as above.
• Self-hosted servers: physical hardware located in the Czech Republic, under the direct control of the Operator.

Some processors are located outside the European Economic Area, including in the United States. Transfers rely on the EU-US Data Privacy Framework (for DPF-certified recipients) and on Standard Contractual Clauses where DPF certification does not apply. A full list of processors, their locations, and the applicable safeguards is available on request.

Under the GDPR you have the right to access, rectify, erase, restrict processing of, port, or object to the processing of your personal data. You may also lodge a complaint with a supervisory authority — in the Czech Republic, the Office for Personal Data Protection (Úřad pro ochranu osobních údajů).

To erase your account: use the delete-account page. You will be asked to sign in with Google to verify the account is yours, and to confirm before anything is deleted. Because we store no email or name on file, signing in is the only way for us to identify which account a deletion request concerns.

For all other rights — access, rectification, restriction, portability, objection, complaints — email info@dougtren.com with the subject line "GDPR request." We act on valid requests within 30 days, in line with GDPR Art. 12(3).

AI-generated in-game content does not constitute automated decision-making with legal or similarly significant effects under GDPR Art. 22. Your content is not used to train or improve any model. We do not perform marketing or eligibility profiling.

DougTren does not sell personal data.

We protect data in transit with TLS, restrict backend access to authenticated and authorized parties, and prefer pseudonymous identifiers wherever feasible. In the event of a personal data breach posing a high risk to your rights and freedoms, we will notify affected users in line with GDPR Art. 34.

The Service is intended for users 18 years of age or older. If we discover that data has been collected from a user under 18, that data will be deleted.

We may update this Privacy Policy. The current version and effective date are shown at the top of this page. Continued use of the Service after changes are posted constitutes acceptance of the revised policy.