Legal

Privacy Policy

Last updated: May 16, 2026

1. Information We Collect

We collect the following categories of information:

Information you provide directly:

• Email address — collected at registration; used to communicate with you about your account and send transactional and marketing emails (with your consent)
• Password — stored as a one-way bcrypt cryptographic hash; we cannot read your password
• Support communications — messages you send through our support form or via email

Information collected automatically:

• IP addresses — collected in HTTP access logs and our security audit log; used for abuse prevention, rate limiting, and incident response
• Authentication events — login attempts (successful and failed), password reset requests, and administrative access are logged in our security audit log with timestamps and IP addresses
• Instance activity timestamps — used to enforce inactivity policies and calculate storage usage
• Storage usage data — calculated hourly from your instance directory; used to enforce storage limits and display usage on your dashboard

Information we do not collect:

• We do not collect, store, or have access to your Foundry VTT license key
• We do not collect your campaign content, world data, character sheets, or any content you create within your Foundry VTT instance
• We do not collect payment card numbers, bank account details, or other financial data — this is handled exclusively by Stripe

2. How We Use Your Information

We use the information we collect to:

• Create and manage your account and hosting instance
• Process payments through Stripe
• Send transactional emails — account verification, password reset, storage warnings, inactivity notices, and billing notifications
• Send marketing emails — upgrade offers, product updates, and newsletters — only with your consent and only to users who have not unsubscribed
• Monitor and enforce storage quotas and inactivity policies
• Detect, investigate, and prevent abuse, unauthorized access, and security incidents
• Respond to support requests
• Comply with legal obligations

We do not sell your personal information to third parties. We do not use your information for advertising profiling beyond the Google AdSense display advertising described below.

3. Security Audit Logging

We maintain a security audit log that records the following events with associated IP addresses and timestamps:

• Successful and failed login attempts
• Account creation (signup)
• Password reset requests
• Administrative dashboard access
• Custom subdomain changes

This log is used exclusively for security monitoring, abuse prevention, and incident response. It is not shared with third parties except as required by law. Audit log entries are retained for 90 days.

We also maintain standard HTTP access logs (IP address, request path, timestamp, response status) for operational purposes. These logs are retained for 30 days.

4. Third Party Services

We use the following third party services to operate Hearth Hosting. Each receives only the data necessary to perform their function:

• Stripe — payment processing. Stripe stores your billing information and payment history on our behalf. Stripe's privacy policy: stripe.com/privacy
• Resend — transactional and marketing email delivery. Resend processes your email address to deliver emails on our behalf. Resend's privacy policy: resend.com/legal/privacy-policy
• Cloudflare — DNS, DDoS protection, WAF, and CDN. Cloudflare processes all incoming requests and may log IP addresses and request metadata. Cloudflare's privacy policy: cloudflare.com/privacypolicy
• Cloudflare Turnstile — bot detection on our signup form. Turnstile analyzes browser signals to distinguish humans from bots. No personal data is stored by Hearth from Turnstile verification.
• Google AdSense — display advertising shown only to free tier (Adventurer) users on the dashboard. Google may use cookies to serve personalized ads. You can opt out at google.com/settings/ads. Upgrading to a paid tier removes all advertising.
• Google Fonts — web font delivery. Google may log requests for fonts served to your browser.
• Contabo — server infrastructure. Our servers are physically located in Germany and operated by Contabo GmbH.

5. Data Retention

• Account data — retained for as long as your account is active
• Free tier instance data — automatically deleted after 30 consecutive days of inactivity
• Paid tier instance data — retained until you cancel your subscription; instance data is deleted within 30 days of cancellation
• Audit log — retained for 90 days
• HTTP access logs — retained for 30 days
• Account deletion — if you request account deletion, we will delete your personal information within 30 days, except where retention is required by law (e.g., billing records required for tax purposes)

6. Data Security

We implement reasonable technical and organizational measures to protect your personal information including:

• Passwords stored using bcrypt hashing with cost factor 10
• All traffic encrypted via HTTPS/TLS through Cloudflare
• Payment data handled exclusively by PCI-compliant Stripe — we never see card details
• Server access restricted by SSH key authentication and UFW firewall rules
• Rate limiting on all authentication endpoints
• Cloudflare WAF and DDoS protection on all endpoints
• Automated security audit logging of all authentication events

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.

7. Children's Privacy (COPPA)

8. Your Rights

You have the following rights regarding your personal data:

• Access — request a copy of the personal information we hold about you
• Correction — request correction of inaccurate personal information
• Deletion — request deletion of your account and personal information. Contact support and we will process your request within 30 days
• Portability — request your account data in a portable format. Note that your Foundry VTT world data can be exported at any time directly from within Foundry using its built-in export tools
• Opt out of marketing emails — unsubscribe at any time using the link in any marketing email, or by contacting support. Transactional emails (account verification, billing, security alerts) cannot be opted out of while your account is active

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Cookies

Hearth Hosting uses the following cookies:

• Session cookie — an HTTP-only, secure session cookie used for authentication. This cookie is strictly necessary for the Service to function and cannot be opted out of while using the Service
• Google AdSense cookies — set only for free tier (Adventurer) users viewing the dashboard. These may be used to serve personalized advertising. You can manage these through your browser settings or opt out at google.com/settings/ads. Upgrading to a paid tier eliminates AdSense cookies entirely

10. International Users and GDPR

Hearth Hosting is operated by a US company, but our servers are physically located in Germany (EU). We serve users globally.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent legislation, including the right to lodge a complaint with your local data protection authority.

Our legal basis for processing your personal data is:

• Contract performance — processing necessary to provide the Service you signed up for
• Legitimate interests — security logging, abuse prevention, and fraud detection
• Consent — marketing emails (you can withdraw consent at any time)
• Legal obligation — compliance with applicable law

For GDPR-related inquiries, contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

12. Contact Us

For privacy-related questions, data requests, or to exercise your rights:

• Email: [email protected]
• Business: Rinquist Holdings LLC, Arizona, United States