1. Who we are
The Service is operated by The Endlessness (referred to in this policy as "we", "us" or "the operator"), reachable at Rua Visconde Seabra nº27, 1600-766 Lisbon, Portugal. For all privacy matters, write to info@theendlessness.com.
For the personal data described in this policy, The Endlessness acts as the data controller within the meaning of Article 4(7) of the GDPR. We have not appointed a Data Protection Officer because our processing activities do not meet the thresholds in Article 37 of the GDPR. You can still raise any data protection question through the contact channels above.
2. Scope of this policy
This policy covers personal data you give us directly, data we generate when you interact with the Service, and data we receive from the limited set of service providers listed in section 6. It does not cover:
- content that you choose to share outside the Service (for example, posting a screenshot of your campaign on social media),
- websites or tools operated by third parties that we link to but do not control, or
- information that has been irreversibly anonymised so that it can no longer be linked to you.
3. Personal data we collect
We try to collect only what we need to run the Service well. The categories below describe everything a typical account might contain.
3.1 Account and identity data
- Email address, display name, and an authentication identifier issued by our authentication provider.
- Password credentials if you choose to sign in with email and password. We never see your password in clear text. It is hashed and stored by our authentication provider.
- Profile preferences you choose to save, such as preferred content ratings or default character settings.
3.2 Gameplay and user-generated content
- Characters you create, including names, backstories, inventory, ability scores and any notes you write.
- Campaign state, world state, non-player character records, quest progress, and the running chat log between you and the AI Dungeon Master.
- Dice roll history, combat state, and any images or files you attach to a campaign (if that feature is enabled for your account).
3.3 Billing and subscription data
- Subscription tier, renewal status, start and end dates, and the identifier our payments provider assigns to your customer record.
- Invoice history and VAT-relevant information required by Portuguese tax law. We do not receive or store your full card number. Payment card data is handled directly by our PCI-DSS compliant payments provider.
3.4 Technical and log data
- IP address, user-agent, device type, approximate geolocation derived from the IP address, timestamps of requests, and error logs.
- Crash reports and diagnostic events that help us fix bugs. These are retained for a short period and are not used to build a marketing profile of you.
3.5 Communications
- Emails, support tickets, and any messages you send to us, together with our replies.
4. Purposes and legal bases for processing
We process your personal data only when we have a lawful basis to do so. The table below sets out each purpose, the data involved, and the basis we rely on.
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Creating your account and providing the Service | Account and identity data, gameplay content | Performance of a contract (Art. 6(1)(b)): you cannot use the Service without an account |
| Running AI Dungeon Master sessions and saving progress | Gameplay content, chat transcripts, dice history | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Billing data, email address | Performance of a contract (Art. 6(1)(b)) and compliance with tax law (Art. 6(1)(c)) |
| Issuing invoices and keeping accounting records | Billing data, identity data | Legal obligation (Art. 6(1)(c)) |
| Protecting the Service from abuse, fraud, spam and unauthorised access | Technical and log data, account data | Legitimate interest in keeping the Service safe and available (Art. 6(1)(f)) |
| Improving the Service, fixing bugs, monitoring quality | Technical and log data, aggregated and pseudonymised usage metrics | Legitimate interest in operating and improving the Service (Art. 6(1)(f)) |
| Answering support requests and other communications | Communications, identity data | Performance of a contract and legitimate interest (Art. 6(1)(b) and Art. 6(1)(f)) |
| Sending service-related emails (security notices, billing notices, changes to this policy) | Email address | Performance of a contract (Art. 6(1)(b)) |
| Sending optional product news or promotional emails, when you opt in | Email address, preferences | Consent (Art. 6(1)(a)), which you can withdraw at any time |
| Exercising or defending legal claims and responding to lawful requests from public authorities | As necessary depending on the claim or request | Legitimate interest and legal obligation (Art. 6(1)(f) and Art. 6(1)(c)) |
We do not process special categories of personal data within the meaning of Article 9 of the GDPR. We ask you not to submit such data through the Service.
5. Sources of data
Almost all of the personal data we hold about you comes from you. A small amount comes from the service providers listed in section 6 (for example, an authentication provider tells us whether a sign-in attempt succeeded, and a payments provider tells us whether your subscription is active). We do not buy personal data from data brokers and we do not combine the Service with public social-media profiles.
6. Recipients and sub-processors
We keep the number of parties that can see your data as small as reasonably possible. Each provider listed below has signed a data processing agreement that meets the requirements of Article 28 of the GDPR.
| Provider | Role | Country of establishment |
|---|---|---|
| Render Services, Inc. | Cloud hosting for the application and stored campaign data | United States, with EU data residency available on request |
| Google Ireland Limited (for authentication) | Account authentication, password storage, sign-in security | Ireland, with processing on Google infrastructure |
| Stripe Payments Europe, Limited | Checkout, recurring billing, VAT handling, payment card processing | Ireland |
| Large language model inference provider(s) | Generating AI Dungeon Master narrative responses from the messages and gameplay context sent during a session | United States or European Union depending on routing. See section 7 on transfers. |
| Transactional email provider | Sending account, security and billing emails from our operational domain | European Union |
We may also disclose personal data to our legal, tax or accounting advisors, and to public authorities when required by law, court order or a valid request from law enforcement. We do not sell personal data and we do not share it with advertising networks for targeted advertising.
7. International data transfers
Some of the providers in section 6 process personal data outside the European Economic Area, primarily in the United States. When that happens we rely on one of the transfer tools listed in Chapter V of the GDPR, in this order of preference:
- An adequacy decision by the European Commission (for example, the EU-US Data Privacy Framework, for providers self-certified under it).
- The European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), together with any supplementary measures that are appropriate after a transfer impact assessment.
- Your explicit consent under Article 49(1)(a), used only in narrow cases where no other tool applies and after you are informed of the risks.
You can request a copy of the safeguards in place for any specific transfer by writing to info@theendlessness.com.
8. How long we keep your data
We keep personal data only for as long as we need it. Specific retention periods are:
- Active accounts and gameplay content: for as long as your account is open, so that you can return to your campaigns.
- Closed accounts: up to 30 days of soft deletion, during which you can restore the account, followed by permanent deletion or irreversible anonymisation within a further 60 days.
- Billing and tax records: 10 years, to comply with Portuguese accounting and VAT retention rules.
- Security and abuse logs: 12 months, after which they are deleted or aggregated.
- Support messages: up to 24 months after the ticket is closed.
- Marketing consent records: for as long as your consent is active, plus 3 years after withdrawal, to be able to prove you were on the list lawfully.
Where we rely on legitimate interests, we delete data earlier if the interest no longer applies.
9. Your rights under the GDPR
You have the following rights in relation to your personal data. They apply whenever the conditions in the GDPR are met:
- Access (Art. 15): ask us whether we hold data about you and get a copy.
- Rectification (Art. 16): ask us to correct inaccurate data or complete incomplete data.
- Erasure (Art. 17): ask us to delete your data in the cases listed in the GDPR, including when it is no longer needed.
- Restriction (Art. 18): ask us to pause processing while we check a dispute.
- Portability (Art. 20): receive the data you gave us in a structured, commonly used, machine-readable format, and transmit it to another controller.
- Objection (Art. 21): object to processing that we base on legitimate interests, including profiling. We will stop unless we can show compelling grounds that override your interests.
- Withdraw consent (Art. 7(3)): withdraw any consent you have given, with effect for the future.
- Not be subject to solely automated decisions (Art. 22): see section 12 for how this applies to the AI Dungeon Master.
10. How to exercise your rights
Many rights can be exercised directly from your account settings at app.theendlessness.com, including downloading your campaigns, editing your profile and deleting your account. For anything you cannot do yourself, write to info@theendlessness.com.
We answer within one month of receiving your request. If the request is complex or we receive many from you, we may extend the deadline by up to two further months and will tell you why. To protect your account, we may need to verify your identity before acting, for example by asking you to reply from the email address associated with your account.
Requests are free. We may refuse or charge a reasonable fee only if a request is clearly unfounded or excessive, as allowed by Article 12(5) of the GDPR.
11. Right to lodge a complaint
If you think we have handled your data badly, we would rather you tell us first so we can fix it. You also have the right to lodge a complaint with a supervisory authority. In Portugal, that is the Comissão Nacional de Protecção de Dados (CNPD), Av. D. Carlos I, 134, 1º, 1200-651 Lisbon, Portugal, www.cnpd.pt. If you live in another EU or EEA country you can also complain to your local supervisory authority.
12. Automated decisions and the AI Dungeon Master
The AI Dungeon Master generates narrative responses, non-player character dialogue and rules adjudications by sending your messages and relevant gameplay context to a large language model inference provider. This processing is automated but it does not produce legal effects on you and does not significantly affect you in a way that falls within Article 22 of the GDPR. It produces a story.
You can always:
- edit, regenerate, or reject any AI output;
- ask a human to review a decision that affects your account, for example a billing dispute or a content moderation action, by contacting us at info@theendlessness.com;
- export or delete the underlying conversation.
We do not use your gameplay content to train the underlying AI models. Our inference providers are contractually barred from using your prompts or outputs to train their own models for other customers. If this ever changes for a given provider, we will update this policy and notify you before the change takes effect.
13. Children and minors
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has given us data, write to info@theendlessness.com and we will delete the account and its contents.
14. How we protect your data
We apply appropriate technical and organisational measures to protect your personal data against accidental or unlawful loss, alteration, disclosure or access. These include:
- encryption in transit (HTTPS/TLS) between your device, our servers and every sub-processor;
- encryption at rest for user data stored by our hosting and authentication providers;
- role-based access control, least-privilege principles and two-factor authentication for operator access;
- regular backups, logging, and periodic review of access rights;
- secure software development practices, code review, and dependency monitoring.
No system is perfectly secure. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the CNPD within 72 hours and, where the risk is high, we will notify affected users without undue delay, as required by Articles 33 and 34 of the GDPR.
16. Third-party links
The Service may link to third-party websites (for example, Wizards of the Coast or community forums). We are not responsible for how those sites handle your personal data. Read their own privacy policies before sharing anything with them.
17. Changes to this policy
We may update this policy from time to time. When we do, we will post the new version at https://theendlessness.com/legal/privacy and update the effective date at the top. If the change is material, we will also notify you by email or through the Service at least 14 days before it takes effect. Your continued use of the Service after the effective date means you have read and accepted the new version.
Questions about this document
Email info@theendlessness.com or write by post to The Endlessness, Rua Visconde Seabra nº27, 1600-766 Lisbon, Portugal. We answer in English or Portuguese.