BBag of Holding
← Back to Campaigns

Privacy Policy

Last updated: March 2026

This privacy policy explains how we collect, use, and protect your personal data when you use Bag of Holding, an AI-powered tabletop role-playing game.

PostHog runs in cookieless, memory-only mode. We do not store any tracking cookies or localStorage entries in your browser. Session replays mask every text node and input, console output is not captured, benign 404 routing exceptions are filtered, URL query strings are stripped from network timing, and product analytics events never include your name or email.

1. Data Controller

The data controller is Ivan Biruk, operating under overengd.dev. The service runs on self-hosted infrastructure. For privacy enquiries, contact us at privacy@overengd.dev.

2. What We Collect

We collect the following categories of personal data:

Account Data

When you sign in, we process your name, email address, and profile picture through Logto, our self-hosted authentication provider. Your credentials are never stored directly by the application.

Game Data

Characters you create (names, attributes, backstories), campaign data, session logs, quest progress, and chat messages within game sessions.

Analytics Data

With your consent, we collect page views, feature usage, browser type, screen resolution, and general location (country level). PostHog (EU Cloud) processes this data to help us improve the game; console output, benign 404 routing exceptions, and URL query strings are excluded.

Session Recordings

With your consent, we record user sessions (mouse movements, clicks, page navigation) using PostHog Session Replay for debugging and UX improvement. Console output is not captured in replay telemetry, and recordings are stored for 30 days.

3. Third-Party Services

We use the following third-party services to provide the game experience:

PostHog (EU Cloud)Product analytics, session replay, error tracking. Data is processed in the EU.
Anthropic (Claude AI)AI Dungeon Master — generates game narratives, character backstories, and NPC dialogue.
ReplicateGenerates scene images and character portraits during gameplay.
ElevenLabsText-to-speech for DM voice narration.
DeepgramSpeech-to-text for voice input during game sessions.
Logto (self-hosted)Authentication and user management. Runs on our own infrastructure — your auth data does not leave our servers.

4. Cookies

We use the following types of cookies:

Essential Cookies

Authentication session (Logto) and language preference (i18n_locale). These are required for the service to function and do not require consent.

Analytics Cookies

PostHog analytics runs in memory-only mode without analytics cookies. Network timing capture strips URL query strings before telemetry is sent.

5. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • Right of access — request a copy of your personal data.
  • Right to rectification — correct inaccurate personal data.
  • Right to erasure — request deletion of your personal data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing of your personal data.
  • Right to restriction — request that we limit how we use your data.

To exercise any of these rights, contact us at privacy@overengd.dev. We will respond within 30 days.

6. Children's Privacy

This service is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.

7. Data Retention

We retain your data for the following periods:

  • Game data (characters, campaigns, sessions) — kept while your account is active, deleted within 30 days of account deletion.
  • Analytics data — retained for 12 months, then automatically deleted.
  • Session recordings — automatically deleted after 30 days.
  • Account data — kept while your account is active. You may request deletion at any time.

8. AI-Generated Content

Game narratives, character backstories, NPC dialogue, scene descriptions, and images are generated by artificial intelligence. This content may occasionally be inaccurate, unexpected, or inappropriate. We apply content filters but cannot guarantee the AI will never produce objectionable material. Game data you provide (character descriptions, chat messages) may be sent to AI providers for processing.

9. Data Security

We use industry-standard security measures to protect your data, including encrypted connections (HTTPS), secure authentication, and regular backups. However, no method of transmission over the internet is 100% secure.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by posting a notice on the website. Continued use of the service after changes constitutes acceptance.

11. Contact

For any privacy-related questions or requests, contact us at:

privacy@overengd.dev