← Back to Home
The GM DeckThe GM Deck

Privacy Policy

Last updated: April 15, 2026

This Privacy Policy explains how The GM Deck (“we”, “us”, “the service”) collects, uses, stores, and discloses information about you when you use our website and application. By creating an account or using the service, you agree to the practices described below.

1. Who we are

The GM Deck is a product of Mirrorhead Creative, an independent business operating in the United Kingdom. The GM Deck is a tool for tabletop roleplaying game Dungeon Masters and is hosted on Amazon Web Services (AWS). For any privacy enquiry or data request, contact us at info@mirrorhead.uk.

2. Information we collect

Account information

When you create an account with email and password, we collect your email address and a securely hashed password, managed by Amazon Cognito. When you sign in with Google, we receive your email address, your Google account ID, and your name as returned by Google’s OAuth service. We do not receive your Google password.

Content you create

The service lets you create worlds, entity pages (characters, locations, factions, items, lore), campaigns, sessions, plotlines, timelines, maps, and notes. All of this content — including any text, tags, relationships, descriptions, and uploaded images — is stored on our AWS infrastructure and associated with your account.

Information about other people you add

When you invite players to a session, you provide their email addresses so that calendar invitations can be sent. These email addresses are stored as part of your session data and are used only to deliver the invitation you requested. We do not use these addresses to contact players for any other purpose, do not share them with third parties, and do not create accounts for them. You are responsible for ensuring that any player information you enter is shared with the consent of the person it concerns.

Billing information

Subscription payments are processed by Paddle, acting as our merchant of record. Paddle collects and stores your payment details (card number, billing address, tax information) directly. We do not see or store your full card number. We store only a Paddle customer identifier, your current subscription status, your plan tier, and the billing cycle dates.

Usage and diagnostic data

Our servers record standard request logs (IP address, timestamp, user-agent, requested resource) for security and troubleshooting. These logs are retained on AWS infrastructure for a limited period. Your browser may receive a session cookie used to keep you signed in; we do not use third-party advertising or tracking cookies.

3. How we use your information

We use the information we collect to:

  • Provide, maintain, and improve the service.
  • Authenticate you and keep your account secure.
  • Deliver the content you create back to you on any device you sign in from.
  • Send transactional emails (account verification, password reset, session calendar invites).
  • Process subscription payments through Paddle and notify you about billing.
  • Respond to support requests.
  • Comply with legal obligations and prevent abuse of the service.

We do not sell your personal information, do not share it with advertisers, and do not use your content to train machine-learning models.

4. Third parties we use

We share information only with the service providers needed to operate the platform:

  • Amazon Web Services (AWS) — hosting, storage, authentication, email delivery, and computing.
  • Google — only if you choose to sign in with Google; see Google’s privacy policy for details.
  • Paddle — payment processing and subscription management.
  • Linear / GitLab — internal tools used by us for bug tracking and deployment; these do not receive your personal data unless you include it in a support request.

We do not transfer your data to any other third party except where required by law (e.g. a valid court order) or as part of a merger, acquisition, or sale of assets, in which case we will notify you before your data becomes subject to a different privacy policy.

5. Where your data is stored

Your account and content are stored in AWS data centres in Europe (London, eu-west-2). If you access the service from outside this region, your data will be transferred to and processed in the United Kingdom. AWS maintains appropriate security and compliance certifications; details are available from AWS Compliance.

6. How long we keep your data

We retain your account and content for as long as your account remains active. If you delete your account, all of your worlds, entities, campaigns, sessions, plotlines, timelines, maps, and uploaded images are permanently removed from our databases and object storage. Billing records may be retained by Paddle and by us for up to seven years where required by tax or accounting law. Server logs are retained for a limited period and then purged.

7. Your rights

Depending on where you live, you may have the right to access the personal data we hold about you, correct inaccuracies, request deletion, restrict or object to processing, and export your data in a portable format. To exercise any of these rights, email info@mirrorhead.uk. You can also change your email address, password, and delete your account from the Settings page inside the app.

If you are in the UK or EU and believe we have not handled your data properly, you can lodge a complaint with your local data protection authority (the Information Commissioner’s Office in the UK).

8. Security

We protect your data in transit using HTTPS/TLS and at rest using AWS-managed encryption. Passwords are never stored in plain text — Amazon Cognito handles credential hashing. Access to production infrastructure is limited to authorised maintainers and protected by strong authentication. No online service can guarantee perfect security, but we take our responsibility to protect your content seriously.

9. Children

The service is not directed at children under the age of 13 (or 16 where required by local law). We do not knowingly collect personal information from children. If you believe a child has created an account, contact us and we will delete the account.

10. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or through the app.

11. Contact

Questions, concerns, or requests about this policy or your data? Email info@mirrorhead.uk and we’ll respond within a reasonable time frame.