Privacy Policy
Effective date: 24 April 2026
Site: https://www.clocktower.monster/
Operator / data controller: Turner Monroe, an individual, operating Clocktower as a non-commercial fan/tool project.
Contact: me@turnercore.dev
This Privacy Policy explains how Clocktower collects, uses, stores, and shares personal information when you use the website and related services.
Clocktower is a shared clock tool for tabletop role-playing games. It is not a store, does not sell products, and is not operated by a corporation. Even so, the site may process personal information because it uses accounts, backend storage, hosting, and realtime synchronization.
1. Personal information we collect
Account information
Depending on the login methods enabled, we may collect:
- email address;
- username or display name;
- authentication provider identifier, such as a GitHub, Google, Discord, or other OAuth account ID if you choose a social login provider;
- account metadata provided by the login provider;
- password-related authentication data if email/password login is enabled. Passwords are handled through Supabase Auth and should not be visible to the site operator.
Clock and gameplay content
When you create or use clocks, we may store:
- clock names, labels, segment counts, state, progress, and other settings;
- share links, room identifiers, or similar IDs used to synchronize clocks;
- timestamps such as creation, update, and deletion times;
- user ID or account ID associated with clocks you create while logged in.
Avoid putting private, sensitive, or personally identifying information into clock names, notes, or shared links.
Technical and usage information
When you access the site, the hosting and backend providers may process technical information such as:
- IP address;
- browser and device information;
- pages or endpoints requested;
- timestamps;
- error logs, request logs, and security logs;
- authentication session tokens and related metadata.
Communications
If you contact the operator by email or another support channel, we may process your name, email address, message contents, and any information you choose to include.
2. How we use personal information
We use personal information to:
- provide the site and shared clock functionality;
- create, authenticate, and maintain user accounts;
- synchronize clocks in realtime;
- save clocks and user preferences;
- prevent abuse, spam, fraud, security incidents, and unauthorized access;
- debug, maintain, and improve the site;
- respond to support, privacy, and legal requests;
- comply with legal obligations.
3. Legal bases for processing, where GDPR or UK GDPR applies
Where EU or UK data protection law applies, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing logged-in accounts, saved clocks, shared clock links, and realtime synchronization | Contract / providing the requested service |
| Essential authentication, security, abuse prevention, debugging, and service reliability | Legitimate interests |
| Responding to user messages and privacy requests | Legitimate interests or legal obligation, depending on the request |
| Non-essential analytics, advertising, marketing emails, or non-essential tracking, if added in the future | Consent, unless another lawful basis clearly applies and the technology does not require consent |
| Compliance with applicable laws or valid legal requests | Legal obligation |
4. Cookies and browser storage
Clocktower may use cookies, local storage, session storage, or similar browser storage for:
- authentication sessions;
- keeping you signed in;
- protecting the site from abuse;
- remembering interface preferences such as theme or accessibility settings;
- maintaining the functionality of shared clocks.
See the Cookie and Local Storage Policy for more detail.
As currently drafted, Clocktower does not intentionally use advertising cookies, cross-site tracking cookies, or marketing pixels. If those are added, this policy should be updated and, where required, consent should be requested before those technologies are used.
5. Service providers and sharing
We do not sell personal information.
We share personal information only as needed to operate the site, comply with law, protect rights and safety, or with your direction. Current or expected service providers include:
| Provider | Purpose | Notes |
|---|---|---|
| Vercel | Hosting, deployment, edge/network services, request handling, logging, security, and site availability | Vercel may process technical data about site visitors and requests. |
| Supabase | Database, authentication, APIs, realtime synchronization, and storage of account and clock data | Supabase Auth stores user and auth data in the project database. |
| Login/OAuth providers, if enabled | Authenticating users who choose social login | Examples may include GitHub, Google, Discord, or other providers. Their own privacy terms apply to their services. |
| Email/support provider, if configured | Handling support or account emails | Operator email only; no separate support email provider intentionally configured. |
| Analytics/error monitoring provider, if configured | Usage analytics, performance monitoring, or debugging | None intentionally used as of this draft. |
We may also disclose information if required by law, legal process, or to protect the site, users, the operator, or others.
6. International data transfers
The operator, Vercel, Supabase, login providers, and other service providers may process information in countries other than the country where you live. These countries may have different data protection laws.
If GDPR, UK GDPR, or Swiss data protection law applies, transfers may rely on mechanisms such as adequacy decisions, Standard Contractual Clauses, provider data processing terms, or other lawful transfer mechanisms.
Supabase project region: USA
Vercel deployment/data processing region details: Vercel-managed hosting infrastructure; exact deployment and data processing region depends on the Vercel project settings.
7. Retention
We keep personal information only as long as reasonably necessary for the purposes described in this policy, unless a longer period is required or permitted by law.
Typical retention approach:
| Data type | Retention |
|---|---|
| Account data | Until your account is deleted, plus a reasonable backup/security period. |
| Clock data | Until you delete it, your account is deleted, or the data is removed as inactive/abandoned. |
| Shared/public clock links | Until deleted, expired, or disabled. |
| Technical logs | For a limited period needed for security, debugging, abuse prevention, and provider operations. Exact retention may depend on Vercel/Supabase settings. |
| Support messages | As long as needed to respond and maintain records of the request. |
| Legal/security records | As long as needed to comply with law, resolve disputes, enforce terms, or protect the site. |
Add or adjust exact retention periods once the production database, backup, and log retention settings are confirmed.
8. Security
We use reasonable technical and organizational measures to protect personal information, including managed hosting/backend providers and access controls. No internet service can be guaranteed to be completely secure.
Users are responsible for keeping login credentials secure and for not sharing private clock links with people who should not access them.
9. Your privacy rights
Depending on where you live, you may have rights to:
- access personal information we hold about you;
- correct inaccurate information;
- delete information;
- object to or restrict certain processing;
- receive a portable copy of certain information;
- withdraw consent where processing is based on consent;
- complain to a data protection authority.
To exercise privacy rights, contact: me@turnercore.dev.
We may need to verify your identity before responding to a request. Some information may be retained where required or permitted by law, for security, fraud prevention, or recordkeeping.
10. Account deletion and data export
Current account deletion/export process:
Send me an email and I will gladly delete your data, no questions asked.
Suggested minimum process before publishing:
- provide a contact email for deletion/export requests; or
- add an in-app account deletion button; and
- delete or anonymize account-linked clocks unless retention is required for security or legal reasons.
11. Children
Clocktower is not intended for children under 13. If you are under the age required to consent to online services in your country, you should use Clocktower only with permission from a parent or guardian.
If you believe a child has provided personal information without appropriate permission, contact me@turnercore.dev.
12. Third-party links and services
The site may link to third-party websites or services, including login providers, source code repositories, tabletop RPG publishers, or community resources. Their privacy practices are governed by their own policies.
13. Changes to this policy
We may update this Privacy Policy from time to time. The updated version will be posted on the site with a new effective date. Material changes may be communicated through the site or by email where appropriate.
14. Contact
For privacy questions or requests:
Email: me@turnercore.dev
Operator: Turner Monroe
Jurisdiction / mailing contact: Malmo Sweden