Privacy Policy

Last updated: May 13, 2026

Our Commitment

MudMonster is built by MUD players, for MUD players. We believe your data belongs to you — not to advertisers, data brokers, or anyone else. We collect the minimum necessary to run the platform, we never sell your information, and we never will.

This policy describes what we collect, why we collect it, and how you can control it.

What We Collect

Account information

When you register, we collect your email address, display name, and a hashed version of your password (we never store the plaintext). You may optionally provide an avatar color. We use this information solely to create and maintain your account.

Usage data

We log standard server-side request data (IP address, browser type, pages visited) for security, debugging, and abuse prevention. This data is not used for advertising and is deleted within 90 days.

Session and character data

If you use the MudMonster app, session logs and character profiles are stored server-side so you can sync them across devices. This data is yours — you can delete it at any time from your dashboard.

MUD activity

Votes you cast and reviews you write are associated with your account and are publicly visible. Your vote count per MUD is not displayed publicly; only the aggregate vote totals are shown.

What We Don't Do

  • We do not sell, rent, or trade your personal information to any third party.
  • We do not serve behavioural advertising or use tracking pixels.
  • We do not build advertising profiles from your data.
  • We do not use third-party analytics SDKs that harvest data beyond our control.

Cookies

We use a single session cookie — an httpOnly, Secure, SameSite=Strict token — to keep you logged in. No tracking cookies. No third-party cookies. No cookie banners (because we don't need them).

Third-Party Services

RevenueCat (subscriptions)

Paid subscriptions are processed through RevenueCat via the MudMonster mobile app. If you subscribe, RevenueCat processes payment through the App Store or Google Play. RevenueCat's privacy policy governs that data. We receive only your subscription status — not your payment details.

Resend (transactional email)

We use Resend to deliver transactional emails (account verification, password reset). Your email address is transmitted to Resend for delivery purposes only and is not used for marketing.

Apple / Google Sign-In (optional)

If you use social sign-in, Apple or Google authenticates you and provides us with a verified email address. We do not receive your social account password.

Data Retention

We retain your account data for as long as your account is active. If you delete your account, your personal data is purged within 30 days. Anonymised aggregate statistics (e.g. total vote counts) may be retained indefinitely.

Your Rights

Depending on your jurisdiction, you may have rights to access, correct, export, or delete the personal data we hold about you. To exercise these rights, email us at privacy@mudmonster.site . We'll respond within 30 days.

Security

We use industry-standard security practices: passwords are bcrypt-hashed, all traffic is encrypted in transit (TLS), authentication tokens are short-lived and signed, and internal API requests use HMAC-signed payloads to prevent replay attacks.

Children

MudMonster is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal information, contact us and we'll delete it promptly.

Changes to This Policy

If we make material changes to this policy, we'll notify registered users by email and update the "Last updated" date above. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

Questions about this policy or your data? Email privacy@mudmonster.site .