Draft — pending legal review. This document is a template and should be reviewed by qualified legal counsel before use in production.

Privacy Policy

Last updated: April 11, 2026

Foundry Online ("we", "us", or "our") operates the website and hosting service at foundryvttonline.com (the "Service"). This Privacy Policy explains what we collect, why we collect it, who we share it with, and what rights you have over it.

1. Information We Collect

1.1 Account information

You can create an account using any of three methods. We collect different fields depending on the method:

  • Sign in with Google — your email address, display name, profile photo, and Google account identifier (the OAuth sub field). We use these only to identify you on return visits.
  • Sign in with Discord — your email address, Discord username, avatar URL, and Discord user ID. We do not request any other Discord scopes (we cannot read your DMs, see your servers, etc.).
  • Email + password — your chosen display name, email address, and password. Your password is stored as a bcrypt hash with a per-user salt; we never see or store your plaintext password. We also create short-lived hashed verification tokens (24 hours) and password reset tokens (1 hour) to support email verification and recovery flows; these tokens are stored as SHA-256 hashes and deleted after use or expiry.

Whichever method you use, we store the resulting account in a single record in our database. If you sign in with a method that has the same verified email as an existing account, the two are auto-linked into one account so you can use any of the methods to sign in afterward.

1.2 Payment information

Payments are processed by Stripe and PayPal. We do not store your full credit card number, CVV, or bank account details. Both processors are PCI-DSS Level 1 certified and handle card data on their own infrastructure. We receive and store only:

  • Your Stripe customer ID and subscription ID (if you subscribe via Stripe)
  • Your PayPal subscription ID and the billing-cycle metadata they return (if you subscribe via PayPal)
  • Plan tier, subscription status, billing-cycle dates, and payment-failure state
  • Invoice IDs and amounts (so we can show you your billing history under /account)

For details on how the processors handle your card data, see Stripe's Privacy Policy and PayPal's Privacy Policy.

1.3 Service usage data

  • Foundry VTT world data — every world, scene, actor, journal entry, module, asset, and any file you upload via SFTP is stored on our server in an isolated container assigned to your account. We do not read the contents of these files. They are backed up automatically per your plan (see §3 and §6).
  • Server activity logs — connection timestamps, IP addresses of users who connect to your Foundry instance, and basic request logs for security, debugging, and our idle-detection feature
  • Storage usage — we measure disk usage per server to enforce plan limits and display the gauge on your dashboard
  • Server health metrics — CPU, memory, and uptime per running container, displayed to you in the dashboard's Server Health card. This data is not retained long-term; it is read on demand from the container runtime.

1.4 Support ticket data

When you submit a ticket through Contact Support, we collect and store:

  • The name and email address you provide (auto-filled from your account if you are signed in)
  • The category you select and the full text of your message
  • Any subsequent messages you send in the resulting threaded conversation
  • The IP address from which the ticket was submitted (for spam and abuse prevention)
  • Star ratings you provide on resolved tickets

Tickets are visible to members of our support team ("Support Staff"), who may be independent contractors compensated based on the rating you assign to their resolutions. See the Support Staff Agreement for more on how staff are compensated and obligated to protect your data. Support Staff are bound by confidentiality obligations and are not permitted to use your ticket data for any purpose outside resolving your issue.

Discord notification: When you submit a new ticket, a summary of the ticket (your name, email, category, and the first portion of your message, truncated to ~1800 characters) is also sent to a private Discord channel where our support team is alerted in real time. This channel is internal and customers cannot read it. Subsequent customer replies to a ticket also fire a Discord notification with similar content.

1.5 Referral program data

We operate a referral program. If you participate as a referrer, we generate and store a unique 8-character referral code tied to your account, track which servers were created using your code, record commission amounts you have earned, and store the PayPal email address you provide for receiving payouts. If you participate as a referred user, we record which referral code you used (linking you to the referrer for commission tracking) and apply the corresponding 10% discount to your subscription.

1.6 Audit logs

For security, fraud investigation, and operational debugging, we maintain a log of significant actions taken on the platform — sign-ins, server lifecycle events (create / start / stop / delete), payment events, support actions, and admin actions. Each entry includes the actor (user or system), the action, the affected resource, a timestamp, and the originating IP address. Audit logs are retained for 2 years and are visible only to administrators.

1.7 Technical information

When you visit the website, we automatically collect:

  • IP address
  • Browser type and version
  • Operating system
  • Access timestamps and pages visited
  • Referring URL (if you arrived via an external link)

2. Legal Bases for Processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, we rely on the following legal bases under Article 6 of the GDPR:

  • Performance of a contract — to provide the hosting service you have signed up for, including account creation, server provisioning, billing, backups, and support
  • Legitimate interest — for security logging, fraud detection, basic analytics on aggregate usage to improve the service, and audit logs
  • Legal obligation — for retaining billing and tax records, responding to lawful requests from authorities, and compliance with applicable law
  • Consent — for any optional cookies or marketing communications (we currently do not use either, but we will rely on consent if we add them in the future)

3. Third-Party Services and Data Processors

We rely on the following third-party services to operate the platform. Each one is a "data processor" under the GDPR and we have or will have data processing agreements in place with each:

  • Google (OAuth) — authentication for "Sign in with Google" only. We never store your Google password. Google's Privacy Policy.
  • Discord (OAuth) — authentication for "Sign in with Discord" only. Discord's Privacy Policy.
  • Discord (webhook channel) — incoming support tickets and ticket activity events are also posted to a private Discord channel via webhook so our support staff can respond in real time. Customer name, email, category, and message preview are sent. Discord's Privacy Policy.
  • Stripe — payment processing (subscriptions, refunds, dunning) and the customer billing portal. Stripe's Privacy Policy.
  • PayPal — payment processing (alternative to Stripe) and PayPal Payouts (used to disburse referral commissions and support staff earnings). PayPal's Privacy Policy.
  • Resend — transactional email delivery (welcome, verification, password reset, payment confirmation, support replies, payouts, etc.). All emails we send to you flow through Resend. Resend's Privacy Policy.
  • Google Drive (service account) — automated backups of your Foundry VTT world data are stored in a Google Drive Shared Drive owned by us. The backups are gzipped tar archives and remain encrypted in transit. Google's Privacy Policy.
  • Cloudflare — DNS, CDN, DDoS protection, and TLS termination at the edge. Cloudflare's Privacy Policy.
  • Hetzner / our hosting provider — physical server infrastructure where the dashboard, containers, and database run. Foundry VTT world data lives here.

We do not sell your data, share it with advertising networks, or use it for any purpose unrelated to providing the Service.

4. Cookies and Local Storage

We use only first-party cookies and local storage for functional purposes. We do not use any analytics, tracking, or advertising cookies. We do not embed third-party trackers.

Name                          Type                               Purpose                                                                                              Duration
next-auth.session-token       Strictly necessary                 Maintains your signed-in session                                                                     30 days
next-auth.csrf-token          Strictly necessary                 CSRF protection on auth flows                                                                        Session
ref_code                      Strictly necessary (functional)    Remembers a referral code if you visit via a referral link, so the discount can be applied at checkout   30 days
cookieConsent (localStorage)  Strictly necessary                 Remembers your accept/reject choice on the cookie banner                                             Until cleared
referralCode (localStorage)   Strictly necessary (functional)    Mirror of the ref_code cookie used by the client-side referral capture flow                          Until cleared

We do not use any cookies that fall outside the "strictly necessary" category, so the cookie banner does not currently gate any tracking. The Reject button is provided for transparency and to give you the choice to decline future optional cookies if we add them.

5. Data Retention

We retain different categories of data for different lengths of time:

  • Active account information — retained for as long as you have an active subscription, plus 30 days after cancellation to allow easy reactivation
  • Foundry VTT world data + backups — retained for 30 days after subscription cancellation, then permanently deleted from our servers and from Google Drive backups
  • Billing records and invoices — retained for 7 years for tax and accounting compliance, even after you delete your account
  • Audit logs — retained for 2 years for security investigation and fraud response, even after you delete your account
  • Support tickets — retained for 2 years after resolution for quality assurance and possible re-opening; then anonymized or deleted
  • Verification and password-reset tokens — automatically deleted after they expire (24h and 1h respectively) or after they are used

You may request earlier deletion of any non-legally-required data by contacting us through the Contact Support form. We will honor the request promptly except where retention is required by law.

6. Backups

We perform automated backups of your Foundry VTT world data and store them as gzipped tar archives in a Google Drive Shared Drive owned by us. Backup frequency depends on your plan:

  • Basic — weekly backups, 7 retained
  • Default — nightly backups, 7 retained
  • Pro — nightly backups + on-demand backups, 14 retained

You can restore from any retained backup via your server's dashboard. Backups are deleted along with your other server data 30 days after subscription cancellation. We strongly recommend you also keep your own local copies of any critical world data.

7. Data Security

We implement reasonable technical and organizational safeguards including:

  • HTTPS / TLS for all web traffic, SFTP for file transfer
  • Per-user isolated containers so one customer cannot read another customer's data
  • bcrypt password hashing (10 rounds) for local accounts; we never see or store your plaintext password
  • Hashed verification and reset tokens (SHA-256) so a database leak does not expose live tokens
  • Rate limiting on authentication and sensitive endpoints to slow brute-force attempts
  • Audit logging of administrative actions for after-the-fact investigation
  • OAuth provider verification of email addresses for Google and Discord; mandatory email verification for local accounts before first sign-in

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security and you use the Service at your own risk.

8. Your Rights

Depending on your location, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request that we correct inaccurate or incomplete data
  • Deletion — request deletion of your account and personal data (subject to legal retention requirements)
  • Portability — request your data in a machine-readable format
  • Objection — object to our processing of your data on legitimate-interest grounds
  • Restriction — request that we restrict processing in certain circumstances
  • Withdraw consent — where we rely on consent (currently only the cookie banner)
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us through the Contact Support form using the "Account" category, or use the self-service "Delete My Account" button in your /account page (this cancels all subscriptions, deletes all servers, and removes your account from our systems within 24 hours).

9. Children's Privacy

Our Service is not directed to children under 13 (or under 16 in jurisdictions that set a higher minimum age for digital service consent). We do not knowingly collect personal information from children below these ages. If you believe we have collected such information, please contact us immediately and we will delete it.

10. International Data Transfers

Our primary infrastructure is hosted in the United States. Some of our data processors operate globally:

  • Stripe, PayPal, Resend, Discord, and Cloudflare are all headquartered in the United States and may process data in multiple regions
  • Google Drive backups may be replicated across multiple Google data center regions

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we and our processors rely on the EU Standard Contractual Clauses (or equivalent UK/Swiss frameworks) where applicable. By using the Service, you consent to your data being transferred to and processed in the United States and other countries.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes (such as new categories of data collection or new third-party processors) will be notified to active users via email at least 30 days before they take effect. The "Last updated" date at the top of this page is always current.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise any of your rights under §8, contact us through the Contact Support form, selecting "Account" as the category. For GDPR or other regulatory inquiries, please mention "Data Protection" in the subject line.