1. Introduction
Grim Story (“we”, “us”, or “our”) is a web application designed to help tabletop roleplaying game (TTRPG) players build, track, and develop their characters and campaigns. We are committed to protecting your personal information and handling it in a transparent, responsible way.
This Privacy Policy explains what information we collect, why we collect it, how we use and store it, and your rights in relation to that information. By using Grim Story, you agree to the practices described in this policy.
Grim Story is a product of Grim Maven, based in New South Wales, Australia. We are subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where our services are accessed by users in the European Economic Area or United Kingdom, we also apply the relevant requirements of the General Data Protection Regulation (GDPR) and UK GDPR.
2. What Information We Collect
2.1 Account Information
When you register for Grim Story, we collect:
- Email address
- Password (stored in hashed form — we never store your password in plain text)
- Display name or username (if provided)
2.2 Character and Campaign Data
The core purpose of Grim Story is to store your TTRPG character and campaign information. This may include:
- Character names, race, class, level, and attributes
- Ability scores, skills, proficiencies, spells, and inventory
- Character backstory, lore, and notes
- Campaign names, session logs, and narrative notes
- Any other creative content you choose to enter into the platform
This content is personal to you and is treated as user-generated content under your control.
2.3 Uploaded Content
Grim Story provides features that allow you to upload or paste documents, notes, or session logs for processing. When you use these features, the content you submit is temporarily processed and the results are stored against your character or campaign record. We do not retain raw uploaded files beyond the processing session unless you explicitly save the output.
2.4 AI Processing Data
Grim Story uses AI features powered by the Anthropic API to assist with character import and session log processing. When you use these features:
- The content you submit is sent to Anthropic's API for processing
- Under its standard API terms, Anthropic does not use your content to train its AI models
- AI-generated suggestions are presented to you for review before any data is saved — nothing is written to your account automatically
- We do not store the raw prompts or API responses beyond what is necessary to display results to you
For more information on how Anthropic handles data, please refer to Anthropic's Privacy Policy at anthropic.com.
2.5 Usage and Technical Data
We collect certain technical information to operate and improve the service:
- IP address and approximate geographic location
- Browser type and version
- Device type
- Pages accessed and features used within Grim Story
- Date and time of access
- Error logs and performance data
2.6 Payment Information
Grim Story offers paid subscription tiers. Payment processing is handled by a third-party payment processor (such as Stripe). We do not store your full credit card or payment details — all payment information is handled directly by the payment processor. The payment processor's own privacy policy governs the handling of your payment information.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To create and manage your account
- To store and display your character and campaign data
- To provide AI-assisted features including character import and session log parsing
- To process payments and manage subscriptions
- To communicate with you about your account, updates, or support requests
- To monitor and improve the performance, security, and reliability of the service
- To detect and prevent fraudulent, abusive, or unauthorised use
- To comply with our legal obligations
We do not use your data for advertising purposes. We do not sell your personal information to third parties.
4. How We Store and Protect Your Information
4.1 Storage Infrastructure
Grim Story uses the following third-party infrastructure providers:
- Supabase — for database storage and user authentication. Supabase is SOC 2 Type II certified and stores data on AWS infrastructure. Our database is hosted in the us-east-1 (United States) region. This means your personal data, including character and account information, is stored in the United States. Please refer to Section 6 for how we address cross-border data transfers under Australian Privacy Principle 8.
- Vercel — for application hosting and content delivery. Vercel is SOC 2 Type II certified.
- Cloudflare — for DNS management and network security. Cloudflare may process connection-level data such as IP addresses as part of providing DDoS protection and routing services.
4.2 Security Measures
We implement the following security controls:
- All data in transit is encrypted using TLS/HTTPS
- All data at rest is encrypted within our database provider
- User passwords are hashed using industry-standard algorithms and are never stored in plain text
- Access to the database is restricted by row-level security (RLS) policies — users can only access their own data
- Authentication tokens are short-lived and managed securely
- We do not hardcode credentials or API keys in client-side code
While we implement these measures, no system is completely secure. We encourage you to use a strong, unique password and to contact us immediately if you suspect unauthorised access to your account.
4.3 Data Retention
We retain your personal information and content for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required by law to retain it for longer.
Usage logs and error data may be retained for up to 90 days for operational and security purposes.
5. Third-Party Service Providers
We share data with third-party providers only to the extent necessary to operate Grim Story. Our current providers include:
- Supabase — Database and user authentication. Data is stored in the United States (us-east-1 region). Supabase is SOC 2 Type II certified. Privacy policy at supabase.com/privacy.
- Vercel — Application hosting and deployment. Privacy policy at vercel.com/legal/privacy-policy.
- Anthropic — AI processing for character import and session log features. Anthropic does not use API inputs or outputs to train its models. Privacy policy at anthropic.com/privacy.
- Resend — Transactional email delivery (account verification, password reset, and service notifications). Your email address is shared with Resend solely for the purpose of delivering these communications. Privacy policy at resend.com/legal/privacy-policy.
- Cloudflare — DNS and network security services. Cloudflare may process connection-level data such as IP addresses as part of routing and DDoS protection. Privacy policy at cloudflare.com/privacypolicy.
We do not share your information with any other third parties except as required by law or with your explicit consent.
6. Australian Privacy Principles
Grim Story complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). In particular:
- APP 1 — Open and Transparent Management: We maintain this Privacy Policy and make it freely available.
- APP 3 — Collection of Solicited Personal Information: We collect only the information reasonably necessary to provide our services.
- APP 5 — Notice of Collection: We notify you at the point of collection what information is being collected and why.
- APP 6 — Use or Disclosure of Personal Information: We only use or disclose your information for the primary purpose for which it was collected, or for directly related secondary purposes you would reasonably expect.
- APP 7 — Direct Marketing: We do not use your personal information for direct marketing without your consent.
- APP 8 — Cross-border Disclosure: Your personal data is stored in the United States via Supabase, and is also processed overseas by Anthropic (United States), Vercel, Resend, and Cloudflare. We take reasonable steps to ensure these overseas recipients handle your information in a manner consistent with the APPs. By using Grim Story, you consent to this cross-border transfer of your personal information.
- APP 11 — Security of Personal Information: We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access.
- APP 12 — Access to Personal Information: You have the right to request access to the personal information we hold about you.
- APP 13 — Correction of Personal Information: You have the right to request correction of any personal information we hold that is inaccurate, out-of-date, incomplete, or misleading.
7. Additional Rights for EEA and UK Users (GDPR / UK GDPR)
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the GDPR and UK GDPR. Our legal basis for processing your personal data is as follows:
- Contract performance — processing necessary to provide the Grim Story service you have signed up for
- Legitimate interests — processing necessary for the security and improvement of the service
- Legal obligation — where required by applicable law
In addition to the rights described elsewhere in this policy, you also have the right to:
- Data portability — receive a copy of your data in a structured, machine-readable format
- Restriction of processing — request that we limit how we use your data in certain circumstances
- Object to processing — object to certain types of processing based on legitimate interests
- Lodge a complaint with a supervisory authority — including the ICO (UK) or your local EEA data protection authority
Please note that Grim Story is operated from Australia, but your personal data is stored in the United States (via Supabase) and may also be processed by other overseas providers listed in Section 5. If you are an EEA or UK user, this means your data is transferred to countries that may not have equivalent data protection laws. We rely on service providers who have implemented appropriate safeguards such as Standard Contractual Clauses (SCCs) where applicable. By using Grim Story, you acknowledge these transfers.
8. Your Rights and Choices
Regardless of where you are located, you have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request that we correct inaccurate or incomplete information
- Deletion: Request deletion of your account and associated personal data
- Portability: Request your character and campaign data in a common format (e.g. JSON)
- Withdrawal of consent: Where processing is based on consent, withdraw that consent at any time
To exercise any of these rights, contact us at the email address listed in Section 11. We will respond to your request within 30 days. In some cases, we may need to verify your identity before actioning your request.
You can also manage most of your data directly within your Grim Story account settings, including updating your profile information and deleting individual characters or campaigns.
9. Children's Privacy
Grim Story is intended for users aged 18 and over. We do not knowingly collect personal information from anyone under the age of 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us and we will delete it.
By creating an account, you confirm that you are 18 years of age or older.
10. Cookies and Tracking
Grim Story uses minimal cookies and similar technologies, primarily to:
- Maintain your authenticated session
- Remember your preferences
- Collect anonymised usage analytics to improve the service
We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site advertising networks.
You can control cookies through your browser settings. Disabling cookies may affect the functionality of Grim Story, including your ability to stay logged in.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Email: privacy@grim-story.com
Location: New South Wales, Australia
If you are not satisfied with our response to your privacy complaint, you have the right to escalate your concern to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) or by a prominent notice within the Grim Story application, and update the “Last Updated” date at the top of this policy.
Your continued use of Grim Story after any changes take effect constitutes your acceptance of the revised Privacy Policy. We encourage you to review this policy periodically.