Effective Date: 2026-05-26
Who we are
Lurk's Dungeon ("the Game", "we", "us") is an indie game operated by LURK24 (the "Data Controller") as an individual creator, not a registered business entity.
Questions about this policy or how we handle your data: email privacy@lurksdungeon.com. We respond within 30 days. We don't publish a postal address; if you need to send postal correspondence (e.g. a formal data-protection request from a supervisory authority), email us first and we'll arrange a delivery address.
What this policy covers
This policy explains what personal data we collect when you play Lurk's Dungeon, how we use it, who we share it with, how long we keep it, and the rights you have over it. It applies to the game client at lurksdungeon.com and the back-end services that support it (account, run simulation, leaderboards, chat, cosmetics).
What information we collect
Account identifiers
- Guest accounts: a random device identifier generated in your browser the first time you play (used to recognise the same device on return visits before you link a third-party account).
- SSO accounts: the provider's user identifier (e.g. kick:<id>, twitch:<id>, google:<id>, epic:<id>, steam:<steamId64>) that the authentication handshake returns to us. We do not receive your password — the provider authenticates you, then tells us "this is the same person as last time."
Per-provider data we receive at sign-in
| Provider | What we receive today |
|---|---|
| Kick | Provider user id, username, email (when Kick's userinfo response includes it; we request only the user:read scope, no separate email scope) |
| Twitch | Provider user id, display name, verified email — we request the user:read:email scope at sign-in |
| Google | Provider user id, display name, verified email — we request the openid email profile scope at sign-in |
| Epic | Provider user id, display name — we request only the basic_profile scope; no email |
| Steam | SteamID64, public persona name (Steam's own privacy controls govern what's "public"); Steam OpenID returns no email |
We do not receive your password, your friends list, your purchase history with that provider, or any other field beyond what's listed above.
Profile data
- Your display name (chosen by you, may differ from the SSO name)
- Account suspension state (whether you've been timed out by a moderator, and what scope — login / chat / competitive)
- Account creation timestamp and last-login timestamp
- Your progression: character level, experience points, highest tier reached, unlocked classes
- Your inventory: equipped gear, owned cosmetics
Game activity
- Run records: each dungeon run produces a record with the seed used, challenge tier, party size, completion time, kill count, and the resulting leaderboard category placement (if any).
- Leaderboard entries: your run records that qualify for a leaderboard category are stored on that board.
- Chat: if you send messages in the in-game chat, we store the most recent 50 messages per channel to replay history for late joiners. Older messages are deleted automatically.
Diagnostic data
Operational metrics (request counts, latencies, error rates) are recorded for service health monitoring and do not include personal data.
Error reporting: we use Sentry (sentry.io, operated by Functional Software, Inc.) to capture unhandled exceptions on both our back-end services and the browser game shell so we can fix bugs that affect players. Each captured error includes the error message and stack trace, the URL (with query strings stripped to avoid leaking auth-flow parameters), your browser version (user-agent), and the language and screen size of your browser. We configure the Sentry SDK with sendDefaultPii: false, so IP addresses are not attached to events. Errors are retained for 30 days in Sentry and then automatically deleted. Browser-side capture is gated on your consent — the Sentry script is only loaded after you Accept in the consent banner, and if you later switch to Reject, all subsequent error events are gated and dropped client-side before they leave your browser. Server-side capture (on our own infrastructure) is always on under Article 6(1)(f) legitimate interests (security + service operations).
What we don't collect
- Payment information. When the cosmetic shop launches, payments will be processed by a third-party payment processor (e.g. Stripe); we will receive only the data needed to grant the entitlement and reconcile the purchase, not card / payment-method details. The shop is not yet active — no payments are processed today. See Section 7 of the Terms of Service for the payment-model framing.
- Physical address, phone number, government identification
- Voice, video, camera, or microphone data
- Precise geolocation (we don't use GPS or comparable APIs)
- Browsing history outside the game
- We do not sell your data. We do not show advertising. We do not use third-party analytics trackers.
A note on IP addresses: your IP address is processed at the edge for rate limiting (so a small number of misbehaving clients can't degrade the service for everyone) and is forwarded to back-end services via standard request headers for the duration of each request. We don't store IP addresses long-term, don't use them to identify you across sessions, and don't share them with third parties.
How we use your information
We process your data to:
- Provide the game: authenticate you, save your progression, run the multiplayer simulation, post your leaderboard scores, deliver chat messages.
- Anti-cheat: validate every authority-sensitive action server-side and reject impossible state transitions.
- Moderation: investigate reports and apply suspensions tied to the reported account / SSO identity / device.
- Service health: monitor and operate the back-end services.
Legal bases (GDPR / UK GDPR)
If you are in the European Economic Area or the United Kingdom, the legal basis for each kind of processing is:
- Performance of a contract (Article 6(1)(b)): account, run records, leaderboards, chat — you signed up to play, we provide the service.
- Legitimate interests (Article 6(1)(f)): anti-cheat, moderation, and basic security. Our interest is in providing a fair game; this is balanced against your right not to be unfairly suspended (we provide appeal paths and human review).
- Consent (Article 6(1)(a)): any non-essential storage on your device (e.g. service-worker cache, the in-browser settings filesystem). A per-category consent control is being added (see the Cookie Policy); until it ships, you can withdraw by clearing site data for lurksdungeon.com in your browser's settings.
Who we share your data with
- SSO providers (Kick, Twitch, Google, Epic, Steam): only during the OAuth handshake. We don't push data back to them. Their own privacy policies govern what they do with the fact that you used them to sign in to a third-party app.
- Hosting provider: the back-end runs on DigitalOcean in a United States region. DigitalOcean processes data on our behalf under their standard Data Processing Agreement; they don't use your data for their own purposes.
- Error reporting (Sentry): Functional Software, Inc. (sentry.io) receives the diagnostic-data fields described above (error message + stack trace, URL, browser user-agent, browser language, screen size) when one of our services or the browser shell throws an unhandled exception. We've configured the integration with sendDefaultPii: false so your IP address is not attached to events, and Sentry processes the data on our behalf under its standard Data Processing Addendum. Events are retained for 30 days and then automatically deleted.
- Payment processor (for cosmetic purchases, when the shop is active): payments will be processed by a third-party payment processor (e.g. Stripe) directly on our behalf — not routed through a games-storefront partner. The processor handles the payment data; we receive only the information needed to grant the entitlement and reconcile the purchase. The specific processor and a link to its privacy policy will be named in this Section at the time the shop goes live. The shop is not yet active as of the Effective Date; no payment data is processed today.
- Public leaderboards / profiles: your display name, account identifier, and run records appear on public leaderboards and (if you opt in) on a public profile page. You can opt out of public visibility from the in-game Account tab. Opting out takes effect immediately for the public profile endpoint and for any new run submissions you make. Already-published leaderboard rows stay visible until either your next leaderboard-eligible run submission (which retro-fills the hidden flag for all your rows) or until an operator-initiated sweep. If you need an existing row removed without playing another run, email privacy@lurksdungeon.com.
- Operators acting on a legal request: if compelled by valid legal process. We disclose the minimum required and notify you where the law allows.
We do not sell your personal data to anyone, ever. We do not share it with advertising networks.
How long we keep your data
| Data | Retention |
|---|---|
| Account profile | While your account is active. Self-serve deletion is available in the town hub Account tab with a 7-day recovery grace period — after the grace expires, profile + linked SSO identities + suspensions + reward-claim audit + run-kill-XP grants + live sessions are erased atomically. Operator-initiated deletion (same fanout, no grace) remains available on request — email privacy@lurksdungeon.com. |
| Run records | Indefinitely. Run records are stored separately in the game-session service and are not automatically removed when an account profile is deleted via the town-hub self-serve flow (which only touches auth-profile data — matching the existing operator admin delete). To erase run records as well, email privacy@lurksdungeon.com alongside or after your self-serve deletion; cross-service fanout from the self-serve flow to game-session + leaderboard + commerce is a separate planned task. |
| Leaderboard entries | Indefinitely (these are the historical record of the season). Your name can be anonymised on request even when the rank record remains. |
| Chat messages | Last 50 per channel only; older messages are deleted automatically. |
| Suspensions | Indefinitely (we keep moderation history so the same account / device can't dodge a ban by re-registering). |
| Service logs | Operational logs are kept for 30 days, then aggregated to anonymised metrics. |
International transfers
Our services run on DigitalOcean infrastructure in the United States. If you access the game from outside the US, your data is transferred to and processed there. For transfers out of the European Economic Area or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the equivalent UK International Data Transfer Addendum, both of which are incorporated into DigitalOcean's Data Processing Agreement.
Your rights
You have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate data (most of it is editable directly in-game; for anything else, contact us).
- Delete your account and all associated personal data (subject to the retention rules above; we may retain anonymised aggregate data after).
- Restrict or object to certain processing (e.g. moderation data, where we balance your right against our legitimate interest).
- Port your data: receive an export in machine-readable JSON.
- Withdraw consent for non-essential storage at any time via the consent banner.
- Lodge a complaint with your local data-protection supervisory authority — for the UK, the ICO (ico.org.uk); for EEA residents, the authority in your country of residence.
To exercise any of these rights:
- In-game: open the Account tab in the town hub.
  - Download my data (JSON) sends a self-describing JSON snapshot of everything the auth-profile service holds for your account (profile, linked SSO identities, suspensions, reward-claim audit rows, and any pending deletion request).
  - Schedule account deletion opens a 7-day grace window before the irrevocable erasure. You can sign in normally during the grace and click Cancel scheduled deletion to keep your account; sign-in alone does not cancel. After 7 days a background sweep runs the same fanout the operator admin path runs — profile, SSO identities, device mappings, suspensions, reward-claim audit, run-kill-XP grants, and live bearer sessions are erased atomically.
- By email: for anything the in-game tools don't cover (or as a backup if you can't sign in), contact us at privacy@lurksdungeon.com. We respond within 30 days.
For California residents, the same rights apply under the CCPA / CPRA; we treat "right to know" as access, "right to delete" as deletion, and "right to opt out of sale" as not-applicable (we don't sell).
Children's data
The Game is rated Teen (suitable for ages 13+). The signup flow requires you to explicitly tick "I confirm I am 16 years of age or older" before the sign-in button becomes active — 16 is the age of consent for data processing under GDPR Article 8 in the strictest member states. The server records the affirmation with a timestamp on your profile at account creation and rejects any signup attempt that arrives without it. We do not knowingly collect personal data from children under 16, and we'll delete any such data we discover. If you believe a child has provided us with personal data, contact us at privacy@lurksdungeon.com.
Security
- Public traffic to lurksdungeon.com is served over HTTPS / TLS once the production stack is live; until then, pre-release testing may use plain HTTP. Internal service-to-service traffic runs on our hosting provider's private network.
- Server-side secrets are stored in environment variables, never in source control, and are rotated periodically.
- Admin access is gated by a separate token; no internal staff member can read your password (we never have your SSO password) or impersonate your account silently.
- A backup pipeline with encryption-at-rest is being added as part of our launch checklist (see queue item P1-157); until it's live, the operational database does not have an automated backup.
Cookies and similar technologies
See the dedicated Cookie Policy for the full mechanism-by-mechanism breakdown, the per-storage-type "strictly necessary vs functional" classification, and the controls you have today.
Short version: we use browser storage to make the game work, not to track you. We set no HTTP cookies on the lurksdungeon.com domain; everything is first-party browser-local storage (IndexedDB for your session token, the service-worker Cache Storage API for PWA asset caching, and the Godot web export's in-browser settings file for your preferences). We have no third-party advertising cookies, no analytics trackers, and no cross-site identifiers. A consent banner over the loading screen on first visit gates the non-essential storage (service-worker cache + Godot settings file); your choice persists locally and we re-prompt after 6 months on Accept or 30 days on Reject. See the Cookie Policy for the full description.
Changes to this policy
When we make material changes, we update the Effective Date at the top and surface a notice in the game shell (the same "Update available" banner that flags stale builds). For minor wording changes we may update silently; you can see the full revision history in our public repository.
Contact
- Privacy questions: privacy@lurksdungeon.com
- Data Controller: LURK24 (operating as an individual creator)
- Postal correspondence: email first and we'll arrange a delivery address
- EU/UK supervisory authority complaints: the ICO (UK) or your local EEA data-protection authority.