This Privacy Policy explains what information Oathbound Post ("we", "us", "our") collects about you when you use the game at oathbound-post.com, why we collect it, and how we handle it.
We operate under the New Zealand Privacy Act 2020. If you are located in the European Union, the UK, or other regions with data protection laws, we apply the same principles of transparency and data minimisation.
We collect the following information. The legal basis column applies to users in the EU/EEA under the GDPR (Article 6).
| Data | When collected | Why | Legal basis (GDPR) |
|---|---|---|---|
| Username | Account creation | Your in-game identity | Contract performance |
| Email address | Account creation | Account recovery, service notices | Contract performance |
| Password (hashed) | Account creation (email sign-up) | Authentication | Contract performance |
| Google account ID | Google sign-in (if used) | Authentication via Google OAuth | Contract performance |
| Timezone | Account creation | Scheduling in-game events to local time | Contract performance |
| Discord username | Optional, in account settings | Community linking; only if you provide it | Consent (optional) |
| Game save data | Ongoing play | Storing your progress, stats, inventory, quests | Contract performance |
| Server logs | Ongoing | Debugging, security, and abuse prevention | Legitimate interests |
| Terms acceptance record | Account creation | Recording your agreement to our Terms | Legitimate interests (demonstrating compliance) |
We do not collect payment information, precise location, or any sensitive personal information. We do not use third-party advertising or analytics trackers.
We do not sell, rent, or share your personal information with third parties for marketing purposes.
Google OAuth: If you sign in with Google, we receive a Google account identifier and your email address from Google. We do not receive your Google password. By using Google Sign-In, your data is transferred to Google's servers, which are located outside New Zealand. We rely on Google's compliance with applicable privacy standards as the basis for this transfer. Google's use of your data is governed by Google's Privacy Policy. The security of your game account when using Google Sign-In depends in part on the security of your Google account — we recommend enabling two-factor authentication on your Google account.
Discord: If you link your Discord account in settings, we store your Discord username. This is optional and can be removed at any time from your account settings.
Hosting: Player data is stored on servers hosted outside New Zealand. We select hosting providers that maintain reasonable security practices consistent with the NZ Privacy Act 2020.
We do not use Google Analytics, Meta Pixel, or any similar tracking services.
We use a single session cookie to keep you logged in. This cookie contains no personal information and is not used for advertising or tracking. It expires when you log out or close your browser session.
Your account and game data is retained for as long as your account is active. Server logs are retained for up to 90 days and then deleted. Terms acceptance records are retained for the duration of your account and for 3 years following account deletion. If you request deletion of your account, we will remove your personal information within 30 days. Anonymised aggregate data may be retained indefinitely.
Passwords are stored as salted hashes and are never stored in plain text. We limit access to player data to those who require it for operating the Game. We take reasonable steps to protect your information, but no system is perfectly secure.
Data breach notification: If we become aware of a security breach that is likely to cause serious harm to you, we will notify you and the New Zealand Privacy Commissioner as required under the Privacy Act 2020. We will contact affected users via the email address associated with their account as soon as practicable.
Under the New Zealand Privacy Act 2020, you have the right to:
If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner.
If you are in the EU/EEA, you have the following rights under the GDPR:
As a small-scale operator whose processing of EU personal data is occasional and low-risk, we rely on the Article 27 GDPR exemption and have not appointed an EU representative. A list of EU supervisory authorities is available at edpb.europa.eu.
Also: Lodge a complaint — contact your national data protection supervisory authority. A list is available at edpb.europa.eu.
To exercise any of the above rights, contact us at [email protected]. We will respond to access and correction requests within 20 working days.
We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. We will provide at least 14 days' notice of material changes via in-game patch notes or the website before they take effect. The date and version number at the top of this page reflect the most recent revision.
Questions or requests: [email protected]