Controller
The controller responsible for TappedRune is dacx_dev. TappedRune is operated from Austria, so this policy is written with the EU General Data Protection Regulation (GDPR) and Austrian data protection expectations in mind.
You can contact us through TappedRune.com for privacy questions, access requests, correction, deletion, objection, portability, restriction, or withdrawal of consent.
Data we process
Depending on how you use TappedRune, we may process the following categories of data:
- account details, such as username, email address, password hash, authentication state, and account settings;
- match and deck data you create, including match date, result, match type, legends, deck names, source, and notes;
- API key data used to authenticate API clients and extension features;
- newsletter signup data, such as email address, signup status, and unsubscribe state;
- technical data, such as IP address, request metadata, browser information, timestamps, security events, and server logs;
- messages or support details you send to us voluntarily.
Do not add sensitive personal data to match notes or deck records unless it is necessary for your own use. TappedRune is intended for gameplay tracking, not for storing special-category data.
Purposes and legal bases
We process personal data only where there is a practical reason and a legal basis.
- Providing the service
  - Account, match log, deck, dashboard, API, and authentication data are processed to provide the TappedRune features you request. The legal basis is performance of a contract or pre-contractual steps.
- Newsletter and optional communications
  - Newsletter data is processed when you sign up. The legal basis is your consent, which you can withdraw by unsubscribing or contacting us.
- Security and reliability
  - Technical logs, abuse-prevention data, rate-limit signals, and debugging data are processed to keep the service secure and reliable. The legal basis is legitimate interests, balanced against your rights and interests.
- Legal obligations
  - Where law requires records, disclosures, or responses to authorities, the legal basis is compliance with legal obligations.
Retention
- Account data is kept while your account exists and then deleted or anonymized unless retention is legally required.
- Match logs and deck data are kept until you delete them, delete your account, or request deletion.
- Newsletter data is kept until you unsubscribe or request deletion, with minimal suppression records retained if needed to honor opt-outs.
- API keys remain active until rotated, deleted, revoked, or the related account is deleted.
- Server and security logs are normally retained for up to 90 days, unless a longer period is needed to investigate abuse, enforce terms, debug incidents, or comply with law.
Your rights
If GDPR applies, you may have the right to:
- request access to your personal data;
- request correction of inaccurate or incomplete data;
- request deletion of your personal data;
- request restriction of processing;
- object to processing based on legitimate interests;
- request data portability where applicable;
- withdraw consent where processing is based on consent;
- lodge a complaint with a data protection authority.
The Austrian supervisory authority is:
Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Vienna
Austria
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/
Children and changes
TappedRune is not intended for children under the age required to use the relevant TappedRune, Riftbound, or third-party services. We do not knowingly collect personal data from children.
We may update this Privacy Policy when TappedRune features, providers, security needs, legal requirements, or platform requirements change. Updated versions will be posted with a new "Last updated" date.