Privacy

Introduction

LFG IRL is an app for tabletop miniature gamers, based in the European Union. We built the platform around privacy.

This policy explains what data we collect, why we collect it, and how we protect it. Plain language only. No legal jargon.

Data Controller

Julien Cornuwel operates LFG IRL from France. He is the data controller under GDPR.

Full contact details are available on our Contact page.

What We Collect

Data collected:

• Account: username, email, guardian-consent status, profile information (optional).
• Content: photos, army lists, galleries, and battle reports. Stored in Europe. We create optimized variants for faster loading.
• Matches: turns, phases, VP scores, city, venue (optional).
• Technical: IP address, browser, device, functional cookies.

Data Usage

We use your data to:

• Run the platform
• Store and display your photos, galleries, battle reports
• Process army list exchanges
• Associate matches with cities and venues
• Send essential emails (account, security)
• Fix bugs and improve the service
• Secure the platform and prevent abuse

Legal Bases

GDPR requires a legal basis to process your data. Ours:

• Contract: running your account, storing photos, processing list exchanges, recording matches. Necessary for the service.
• Legitimate Interests: secure the platform, prevent abuse, fix bugs, improve the service.
• Legal Obligations: we keep certain records (invoices, consent logs) because the law requires it.
• Consent: optional features require your explicit agreement. Revocable anytime.

We process no data beyond what's strictly necessary for the service.

Who Sees Your Data

We never sell, trade, or rent your data. Who can see it:

• Users: your public content is visible. Your username appears on it. Private content stays private.
• Providers: third-party companies listed below. Access limited to what they need.
• Authorities: if required by law.

Security

We protect your information from unauthorized access, changes, and deletion. No system is 100% secure. We do our best.

Your Rights

Your GDPR rights, wherever you live:

• Access your information
• Correct errors
• Delete your data
• Restrict processing
• Download your data (portability)
• Object to processing

View and control your data anytime. Delete your account whenever you want.

Transparency

Every access to your data by our team is logged.

Administrative Audit Trail

We log every administrative action on accounts. When a team member views or modifies your data, the system creates a record.

• Data Access

  Access to your personal information, galleries, or matches for support or moderation.

• Account Modifications

  Account changes by administrators (username, profile, status).

• Moderation Actions

  Suspensions, unsuspensions, or content removals with detailed reasoning.

• Consent Access

  Access to your consent details (IP, browser) for legal audit.

Retention & Deletion

We don't keep your data indefinitely. Clear retention rules apply.

Audit Trail Cleanup: After 3 months, we automatically simplify audit trail details. Essential records remain.

Automatic Deletion: We automatically delete accounts inactive for 12 months.

Advance Notice: We notify you at 11 months of inactivity. Log in to keep your account.

Data Deleted

• Personal information (username, email, profile)
• Photos and galleries
• Army lists and matches
• Battle reports, captions, comments
• Audit trail and access logs
• Settings and preferences

Cookies

We use only essential cookies. A session cookie secures your sign-in. A remember-me cookie stays active if you enable it. We do not use analytics, advertising, or tracking cookies.

Third-Party Services

Trusted services used. Main infrastructure and backups stay in the EU where possible:

• Cloudflare

  Security, CDN, performance. Speeds up loading and protects against attacks.

  Global network, EU processing

• OVH Cloud

  Main hosting and primary object storage. Your live app data and photos are stored here.

  France (EU)

• Hetzner

  Encrypted offsite backups for database recovery and original photos only.

  Finland (EU)

• Healthchecks.io

  Scheduled job and backup heartbeat monitoring; receives check metadata and short failure messages.

  Germany (EU)

• Mailgun

  Transactional emails (confirmation, password reset).

  EU

• Honeybadger

  Error tracking. Fast bug fixes.

  US (error data only)

• Google

  Optional login and maps.

  Global

• Discord

  Optional login.

  US

• Facebook

  Optional login.

  US

Login providers (Google, Discord, Facebook) only receive identity data. Hetzner receives encrypted backup objects for disaster recovery, and Healthchecks.io receives uptime and scheduled-job heartbeat metadata.

International Transfers

Main storage stays in the EU (OVH France). Encrypted offsite backups also stay in the EU (Hetzner Finland). Some providers operate outside the EU (Honeybadger, Google, Discord, Facebook, Cloudflare).

For transfers outside EU, we apply Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

Your data stays protected by contracts enforcing EU standards, even outside Europe.

Children's Privacy

In France, users under 15 need consent from a parent or legal guardian before they can finish account setup.

At onboarding, the user declares whether guardian consent is required. If so, we collect the guardian email address, send an approval request, and keep the account pending until approval.

Users who can consent for themselves accept the Terms of Service and Privacy Policy directly.

No Automated Decision-Making

No automated decisions apply to your data. A human reviews all moderation and account decisions.

Complaints

You can file a complaint with a data protection authority. In France, the relevant authority is CNIL.

You can also contact your country's authority. Contact us first if possible—we'll try to resolve the issue directly.

Policy Changes

We may update this policy. When we do, we notify you and update the date at the top.