About & Privacy (DSGVO/GDPR)
ForceForger Data Protection Notice
This page explains what personal data may be processed when you use ForceForger.com, why this happens, and your rights under the GDPR (EU) and DSGVO (DE).
It is intended to provide clear information about the current ForceForger setup: local guest use in your browser, optional cloud accounts through Supabase, and optional frontend observability through Grafana Faro.
ForceForger is currently operated as a non-commercial hobby project. If this changes, this notice will be updated accordingly.
Last updated: 2 June 2026
About ForceForger
ForceForger is an independent, non-commercial hobby project focused on tabletop army planning and related tooling.
The project is operated as a hobby project and is not currently monetized through subscriptions, advertising, affiliate programs, or payment processing.
ForceForger is not affiliated with, endorsed by, sponsored by, or associated with Games Workshop Group PLC or any other respective rights holder.
All trademarks, logos, names, and intellectual property remain the property of their respective owners.
1. Controller / Responsible Contact
Controller / Responsible Contact: ForceForger.com
Contact: Enable JavaScript to reveal email
If you have questions regarding privacy, account data, or deletion requests, please contact the address above.
Email Inquiries
- Purpose: processing and answering inquiries sent to hello@forceforger.com.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in handling communication) and, where applicable, Art. 6(1)(b) GDPR for pre-contractual requests.
- Recipients/processors: the email provider used for hello@forceforger.com and technical service providers required for secure mail delivery and mailbox administration, currently STRATO.
- Retention: email messages are stored only as long as needed to process the request and are then deleted, unless statutory retention duties or legal claims require longer storage.
2. Hosting, Email, Account and Observability Providers
This application is hosted on Netlify. Netlify processes technical connection data (for example IP address, request time, URL, and user agent) to provide the website, route requests, detect abuse, and maintain security and availability.
Netlify privacy information: netlify.com/privacy
Netlify data processing addendum: netlify.com/legal/data-processing-addendum
Email Infrastructure
Authentication and contact emails are delivered through STRATO email services. This includes account authentication messages and communication sent to ForceForger contact addresses.
Provider: STRATO AG. The address auth@forceforger.com is used for account and authentication emails. The address hello@forceforger.com is used for contact inquiries.
- STRATO may process email metadata and message contents required for mail delivery, spam prevention, mailbox operation, and secure mail handling.
- Legal basis: Art. 6(1)(b) GDPR for account/authentication emails and Art. 6(1)(f) GDPR for contact inquiries and secure mail operations.
STRATO privacy information: strato.de/datenschutz
If you enable optional observability, this application uses Grafana Cloud Frontend Observability through the Grafana Faro Web SDK to collect frontend telemetry for error diagnosis and performance monitoring. Observability is disabled by default and only activated when observability consent is granted. Consent can be withdrawn at any time through Cookie & Storage Settings.
- Faro starts only when a collector endpoint is configured and you have enabled observability in the cookies and browser storage settings.
- Telemetry may include sanitized page views, browser and operating system metadata, frontend errors, web vitals, performance timings, session events, and coarse interaction labels.
- ForceForger removes user metadata from Faro payloads and sanitizes page URLs before sending telemetry. Query strings and URL fragments are not intentionally sent.
- ForceForger does not intentionally send army list contents, unit selections, exported list text, email addresses, authentication tokens, passkey secrets, or full URLs with query strings or fragments to Grafana Faro.
Grafana Labs privacy information: grafana.com/legal/privacy-policy
Grafana Labs legal and data processing information: grafana.com/legal
If you use a registered cloud account, this application uses Supabase for authentication, session management, passkey support, account records, preferences, cloud army list storage, and account deletion.
Creating a ForceForger account is optional. Guest mode can be used without creating an account. Cloud synchronization and cloud army list storage require a registered account.
- Supabase Auth is used for secure email sign-in links, session handling, passkey registration/sign-in metadata, and sign-out.
- Supabase Postgres is used for account rows, user preferences, the game/faction catalogue, and cloud army lists.
- Guest mode uses local browser/device storage only. Guest data is not uploaded automatically.
- Cloud mode stores data in Supabase only after explicit account usage and explicit save, upload, or merge actions.
- Cloud account data may include your email address, Supabase user ID, authentication metadata, passkey metadata, cloud army lists, account preferences, and technical security metadata.
- Guest lists and local drafts remain in your browser and are not sent to Supabase unless you choose to upload or merge them while signed in.
- Registered users can permanently delete their account through the account dashboard. Account deletion removes cloud account data associated with the authenticated user. Guest data stored locally on the device is not automatically removed.
- ForceForger does not collect passwords, does not currently use social login, and does not expose Supabase service role keys in browser code.
Supabase privacy information: supabase.com/privacy
Supabase legal and data processing information: supabase.com/legal
3. Data Categories and Purposes
Where this notice refers to Cookie & Storage Settings, this includes cookies and browser storage technologies such as local storage and session storage.
- Technical access data via hosting/log delivery (website operation and security).
- ff_cookie_consent cookie to store your cookie choice (essential).
- Optional functional browser storage for guest lists, registered-user local lists, drafts, and UI preferences when you allow functional storage.
- Account data through Supabase Auth when you use a cloud account, including email address, passkey metadata, session data, and related security metadata.
- Cloud army list data stored in Supabase when you upload, merge, save, update, or delete cloud lists while signed in.
- Account preferences and account records stored in Supabase when a cloud account is used.
- Optional observability telemetry via Grafana Cloud when you allow observability: sanitized page/view metadata, browser and operating system metadata, frontend errors, web vitals, performance measurements, session events, and coarse interaction labels.
- Email inquiry data (sender address, message content, and communication metadata such as timestamp) when you contact ForceForger via email.
- Account/authentication email data processed through auth@forceforger.com for Magic Link and account-related emails.
- No payment processing is used. Observability does not include army list contents, exported text, unit names, point totals, or form input values.
Data Usage Overview
| Data category | Used for | Stored/processed by | Legal basis | Retention/cleanup |
|---|---|---|---|---|
| Technical access data | Website delivery, security, abuse prevention, diagnostics. | Netlify and required infrastructure providers. | Art. 6(1)(f) GDPR. | According to host log and security retention policies. |
| ff_cookie_consent | Stores your consent choices for essential, functional, and observability storage. | Your browser. | Art. 6(1)(f) GDPR for necessary consent documentation; consent choices under applicable cookie/storage rules. | Up to 12 months or until changed/cleared. |
| Functional local storage | Saves guest lists, registered-user local lists, drafts, and local UI preferences on this device. | Your browser. | Art. 6(1)(a) GDPR and your optional functional storage consent. | Until deleted by you, cleared by the browser, consent is revoked, or account-scoped local data is cleared after account deletion. |
| Supabase Auth session storage | Keeps you signed in, refreshes sessions, and handles secure callback/login state. | Supabase and your browser. | Art. 6(1)(b) GDPR for account functionality. | Until sign-out, browser/session cleanup, token expiry, or account deletion. |
| Supabase account data and cloud army lists | Registered account login, cloud list sync, preferences, guest-list merge/upload, and account deletion. | Supabase. | Art. 6(1)(b) GDPR for requested account/cloud features; Art. 6(1)(f) GDPR for security and abuse prevention. | Until deleted by you or no longer needed, subject to security/legal retention requirements. |
| Account and contact email data | Magic Link and account emails, mailbox operation, contact inquiries, delivery, and spam/security handling. | STRATO and required mail infrastructure. | Art. 6(1)(b) GDPR for account/authentication emails; Art. 6(1)(f) GDPR for contact inquiries and secure mail operations. | Email inquiries are retained only as long as needed, unless legal obligations or claims require longer storage. |
| com.grafana.faro.session and Faro telemetry | Frontend error diagnosis, performance monitoring, and quality improvements. | Your browser and Grafana Cloud. | Art. 6(1)(a) GDPR and optional observability consent. | Faro session storage is cleared when observability consent is disabled. Cloud retention follows the configured Grafana Cloud account. |
4. Legal Bases (Art. 6 GDPR)
- Art. 6(1)(f) GDPR for technically necessary processing, secure delivery, and abuse prevention.
- Art. 6(1)(a) GDPR for optional functional storage based on your consent, which can be changed at any time via the cookies and browser storage settings.
- Art. 6(1)(a) GDPR for optional observability telemetry based on your consent, which can be changed at any time via the cookies and browser storage settings.
- Art. 6(1)(b) GDPR for account sign-in, session management, cloud army list storage, preferences, account deletion, and related user-requested account functionality.
- Art. 6(1)(b) GDPR for authentication and account emails, such as Magic Link messages sent from auth@forceforger.com.
- Art. 6(1)(f) GDPR for security, abuse prevention, operational diagnostics, and technically necessary provider processing.
- Art. 6(1)(f) GDPR for contact inquiries and secure mail operations.
5. Storage Duration
- ff_cookie_consent: up to 12 months.
- ff_client_prefs: up to 12 months, only if functional storage is enabled.
- Workspace data in browser local storage remains on your device until deleted by you or until consent is revoked.
- Registered-user local storage remains on your device but is scoped to the signed-in user. It is cleared locally when that account is deleted through the dashboard.
- Guest lists remain local until you delete them locally, clear browser storage, or explicitly upload/merge them into a cloud account.
- Supabase Auth account and session data is retained according to the configured Supabase project settings and deleted when the account is deleted, subject to security and legal retention requirements.
- Supabase cloud army lists, account records, and user preferences are deleted when the account is deleted through the dashboard, subject to security and legal retention requirements.
- com.grafana.faro.session: browser session storage used by Grafana Faro while observability is enabled. It is cleared when observability consent is disabled.
- Host-level log retention is controlled by Netlify according to their policies.
- Grafana Cloud telemetry retention is controlled by the configured Grafana Cloud account and related Grafana Labs terms.
- Email inquiries are retained only as long as operationally needed, unless legal retention obligations require a longer period.
- Account and authentication email delivery data is retained by the email provider only as needed for delivery, mailbox operation, abuse prevention, and applicable provider/legal requirements.
6. International Transfers
As a global hosting provider, Netlify may process data outside the EU/EEA. Where required, this is covered through contractual safeguards provided by Netlify (including data processing terms).
If observability is enabled, Grafana Labs may process telemetry outside the EU/EEA. Where required, this is covered through the safeguards and data processing terms made available by Grafana Labs.
If account sign-in is used, Supabase may process authentication and cloud account data outside the EU/EEA depending on the configured project region and Supabase service terms. Where required, this should be covered by Supabase data processing terms and transfer safeguards.
7. Your Rights Under GDPR/DSGVO
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent at any time with effect for the future
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
8. User Controls
- The footer control labelled Cookie & Storage Settings opens the cookies and browser storage settings. It can be used to reject optional storage or change optional functional storage and observability consent at any time.
- Disabling observability stops Grafana Faro and clears Faro session storage in the browser.
- Local guest lists stay on your device unless you delete them, clear browser storage, or explicitly upload/merge them into a cloud account.
- The account dashboard can delete the registered cloud account. This removes the cloud account data linked to the authenticated user and clears registered-user local state on that browser.
- Signing out does not delete guest lists. Guest mode remains available without a Supabase account.