PRIVACY POLICY

Adventure Generator — Adventure Generator Platform

Effective Date: 01/03/26  |  Last Updated: 11/03/26

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Adventure Generator platform.

Adventure Generator ABN 20426309120 Sydney, NSW, Australia

1. Introduction

Adventure Generator ABN 20426309120 (“Company”, “we”, “us”, or “our”) operates the Adventure Generator platform (the “Platform”), an AI-powered tool for generating Dungeons & Dragons adventure content. We are an Australian company and our principal place of business is Sydney, NSW, Australia.

We are committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs). Where we process personal data of individuals in the European Economic Area (EEA), the United Kingdom, or Switzerland, we also comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and equivalent local legislation.

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have. By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

2.1 Information You Provide to Us

We collect personal information that you voluntarily provide when using the Platform:

•        Account Information: When you register, we collect your username, email address, and password (stored in hashed form). We require email verification before your account is fully activated.

•        Adventure Prompts and Content: The text prompts you submit to generate adventures, any DM notes you create, session data from the Run Adventure feature (including player names, combat states, and pinned notes), and any content you choose to share to the community feed.

•        Payment Information: When you purchase tokens or subscribe, payment details (credit/debit card numbers, billing address) are collected and processed directly by our third-party payment processor, Stripe. We do not receive or store your full card numbers. We retain your Stripe customer ID, subscription status, and transaction history for account management.

•        Content Reports: If you report content on the community feed, we collect the reason for the report and any additional details you provide.

•        Communications: If you contact us for support or feedback, we collect the content of your messages and your contact information.

2.2 Information Collected Automatically

When you access the Platform, certain information is collected automatically:

•        Session and Authentication Data: We use Django session cookies to maintain your login state. Session cookies are set to expire after seven (7) days of inactivity and are transmitted only over HTTPS in production.

•        CSRF Tokens: We use cross-site request forgery (CSRF) tokens as a security measure to protect against unauthorised form submissions. These are functional cookies essential to the Platform’s security.

•        Server Logs: Our hosting infrastructure (Heroku) automatically collects standard server logs, which may include your IP address, browser type, referring URL, pages visited, and timestamps.

•        Error and Performance Data: We log application errors and performance metrics to maintain and improve the Platform. These logs may incidentally contain IP addresses or request metadata.

2.3 Information from Third Parties

•        Stripe: We receive confirmation of successful payments, subscription status updates, and Stripe customer IDs via Stripe webhooks. We do not receive your full payment card details from Stripe.

•        OpenAI: Adventure prompts are sent to OpenAI’s API for content generation and content moderation. OpenAI processes this data under its API data usage policies, which state that API inputs and outputs are not used to train OpenAI’s models.

3. How We Use Your Information

We use the personal information we collect for the following purposes:

Service Delivery. To create your account, process your prompts, generate adventures, manage tokens and subscriptions, and provide the Run Adventure session feature.

Payment Processing. To process one-time token purchases and recurring subscription payments via Stripe, issue refunds, and prevent fraudulent transactions.

Communication. To send account verification emails, password reset links, subscription renewal notifications, and material service updates via SendGrid.

Content Moderation. To review user prompts and generated content using OpenAI's Moderation API to enforce our acceptable use policies and protect the community.

Community Features. To operate the shared adventure feed, including voting, search, filtering, and content reporting.

Security. To protect the Platform through rate limiting on login and registration endpoints, CSRF protection, HTTPS enforcement, and session security.

Platform Improvement. To analyse aggregated, non-identifying usage patterns to improve the adventure generation pipeline, fix bugs, and enhance platform features.

Legal Compliance. To comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms and Conditions.

4. Lawful Basis for Processing (GDPR)

If you are located in the EEA, UK, or Switzerland, we process your personal data on the following lawful bases under the GDPR:

•        Contractual Necessity (Article 6(1)(b)): Processing necessary to provide you with the Platform’s services, including account creation, adventure generation, payment processing, and subscription management.

•        Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests in operating, securing, and improving the Platform, including server logging, error monitoring, rate limiting, and content moderation. We balance these interests against your privacy rights.

•        Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, such as tax record-keeping and responding to lawful government requests.

•        Consent (Article 6(1)(a)): Where required, we obtain your consent for specific processing activities (such as non-essential communications). You may withdraw consent at any time by contacting us.

5. Cookies and Tracking Technologies

The Platform uses a minimal set of cookies, all of which are functionally necessary to operate the service:

•        Session Cookie (sessionid): Maintains your authenticated login state. Expires after seven (7) days of inactivity. Secure, SameSite=Lax, HTTPS-only in production.

•        CSRF Cookie (csrftoken): Protects against cross-site request forgery attacks. Secure, SameSite=Lax, HTTPS-only in production.

We do not use advertising cookies, social media tracking pixels, or third-party analytics cookies. We do not engage in cross-site tracking or behavioural advertising.

Because all cookies used by the Platform are strictly necessary for the service to function, separate cookie consent is not required under most privacy frameworks, including the GDPR ePrivacy Directive. However, we disclose their use here for full transparency.

6. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal information. We share data with the following categories of third-party service providers, each of whom processes data on our behalf under contractual obligations to protect your information:

Stripe (Payment Processing). We share your email address, name (for your Stripe customer record), payment method details (processed directly by Stripe), transaction amounts, and subscription status with Stripe to process payments.

OpenAI (AI Content Generation and Moderation). Adventure text prompts and generated content are sent to OpenAI for content generation and moderation. OpenAI's API data usage policy states that API inputs and outputs are not used to train their models.

SendGrid/Twilio (Transactional Email Delivery). We share your email address, username (within the email body), and verification or password reset links with SendGrid to deliver transactional emails.

Heroku/Salesforce (Application Hosting and Database). All Platform data is stored on Heroku infrastructure. Heroku Postgres stores account, adventure, and session data.

CloudCube/S3 (Media File Storage). Generated adventure cover images and climax images are stored on CloudCube, an S3-compatible storage service.

Redis/Heroku (Caching and Task Queue). Session cache data, rate-limiting counters, and background task metadata are processed through Redis on Heroku's infrastructure.

We may also disclose your personal information if required by law, court order, or government request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of the Company, our users, or the public.

7. International Data Transfers

The Company is based in Australia. Our third-party service providers (Stripe, OpenAI, SendGrid, Heroku, CloudCube) may process and store data in the United States or other countries outside Australia and the EEA.

When personal data is transferred internationally, we ensure appropriate safeguards are in place:

•        For EEA/UK users: We rely on the European Commission’s Standard Contractual Clauses (SCCs) or adequacy decisions where available. Our Data Processing Agreements with sub-processors incorporate these safeguards.

•        For Australian users: We take reasonable steps to ensure overseas recipients handle personal information in accordance with the APPs, as required by APP 8.

You may request a copy of the safeguards we use for international transfers by contacting us at admin@adventure-generator.com.

8. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required by law.

•        Account Data: Retained for the duration of your account. If you close your account, we will delete or anonymise your personal data within thirty (30) days, except where retention is required for legal, tax, or audit purposes.

•        Adventure Content: Generated adventures, DM notes, and Run Session data are retained for the duration of your account. Shared adventure copies on the community feed may persist after your account is closed (see our Terms and Conditions).

•        Payment Records: Transaction records and Stripe event logs are retained for seven (7) years to comply with Australian tax and financial reporting obligations.

•        Server Logs: Application and access logs are retained for up to ninety (90) days for security monitoring and debugging purposes, then automatically purged.

•        Content Moderation Logs: Moderation results (flagged categories and scores) are retained in server logs for up to ninety (90) days. The content of prompts is not separately stored for moderation purposes beyond the adventure generation pipeline.

9. Data Security

We implement technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

•        HTTPS/TLS encryption for all data in transit, enforced via HSTS with a one-year duration and preload.

•        Passwords are stored using Django’s PBKDF2 hashing algorithm and are never stored in plain text.

•        CSRF protection on all form submissions and state-changing API endpoints.

•        XSS protection via Content Security Policy (CSP) headers, X-Frame-Options (DENY), and content type sniffing prevention.

•        Session cookies are marked Secure and SameSite=Lax, and are transmitted only over HTTPS.

•        Rate limiting on authentication endpoints (login, registration, email resend) to prevent brute-force attacks.

•        Payment card data is processed exclusively by Stripe (PCI-DSS Level 1 certified) and is never stored on our servers.

•        Uniform error responses on authentication endpoints to prevent account enumeration.

While we take reasonable precautions to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

10. Your Rights

10.1 Rights Under the Australian Privacy Act

Under the Australian Privacy Principles, you have the right to:

•        Access the personal information we hold about you (APP 12).

•        Request correction of inaccurate, out-of-date, or incomplete personal information (APP 13).

•        Complain about a breach of the APPs. We will investigate and respond to your complaint within thirty (30) days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

•        Opt out of receiving direct marketing communications at any time.

10.2 Additional Rights for EEA/UK Users (GDPR)

If you are in the EEA, UK, or Switzerland, you also have the right to:

•        Right of Access (Article 15): Request a copy of the personal data we process about you.

•        Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.

•        Right to Erasure (Article 17): Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.

•        Right to Restriction (Article 18): Request that we restrict processing of your personal data in certain circumstances.

•        Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

•        Right to Object (Article 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

•        Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

•        Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.

To exercise any of these rights, please contact us at admin@adventure-generator.com. We will respond within thirty (30) days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

11. Children’s Privacy

The Platform is not directed at individuals under the age of eighteen (18). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information as promptly as possible. If you believe a child has provided us with personal information, please contact us at admin@adventure-generator.com.

12. Data Breach Notification

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme established by Part IIIC of the Privacy Act 1988, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable if the breach is likely to result in serious harm.

For users in the EEA or UK, we will also comply with GDPR breach notification requirements, including notifying the relevant supervisory authority within seventy-two (72) hours of becoming aware of a qualifying breach, and notifying affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

13. AI-Specific Privacy Considerations

The Platform uses OpenAI’s API services to generate adventure content and to perform content moderation. The following details are specific to how your data interacts with AI services:

•        Prompt Processing: Your adventure prompts are transmitted to OpenAI’s API for processing. Under OpenAI’s API data usage policy, data submitted through the API is not used to train or improve OpenAI’s models.

•        Content Moderation: User prompts and generated adventure content may be assessed by OpenAI’s Moderation API to detect potentially harmful content. Moderation scores and categories are logged for operational purposes but the content itself is not separately retained for moderation beyond the generation pipeline.

•        No Automated Decision-Making with Legal Effects: We do not use AI to make decisions that produce legal effects or similarly significantly affect you. Content moderation decisions (which may restrict content sharing) are operational measures, not decisions with legal or similarly significant effects.

•        Sensitive Data in Prompts: We strongly advise against including personal information, real names, or sensitive data in your adventure prompts. Prompts are processed by third-party AI services and stored as part of your adventure record.

14. Third-Party Links and Services

The Platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy applies only to the Platform. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party services you interact with, including Stripe (stripe.com/privacy), OpenAI (openai.com/privacy), and SendGrid (twilio.com/legal/privacy).

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on the Platform with a revised “Last Updated” date, and for significant changes, by sending an email to the address associated with your account at least thirty (30) days before the changes take effect.

Your continued use of the Platform after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree with the updated policy, you should discontinue use of the Platform and close your account.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

Company: Adventure Generator

ABN: 20426309120

Privacy Officer: admin@adventure-generator.com

General Enquiries: admin@adventure-generator.com

Postal Address: Sydney, NSW, Australia

For complaints about our handling of personal information:

•        Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au

•        EU/EEA: Your local data protection supervisory authority

•        UK: Information Commissioner’s Office (ICO) — ico.org.uk