◆   Privacy Policy   ◆

Privacy Policy

Last updated: 17 April 2026

Duskvow exists to help you turn a goal into a path you can walk. To do that we have to store a few things — your account, your goals, the steps you've completed. This page explains exactly what we collect, why, who else sees it, and how you can get it out or delete it.

1. What we collect

  • Account: email address. If you sign in with Google we also receive your Google display name, which becomes your initial display_name until you set a hero name.
  • Hero identity: the hero name you choose.
  • Goals: the text you type when creating a vow, and the follow-up answers you pick.
  • Progression: which nodes you've completed, XP, level, streaks, daily activity dates, embers, dungeon runs, inventory, achievements.
  • Technical: authentication tokens, approximate geographic region derived from your IP (standard server logs).
  • Analytics (only if you accept): anonymised page visits and performance metrics via Vercel Analytics and Speed Insights. If you decline the banner we do not run these.

2. Why we collect it

  • Authenticate you and keep your account safe.
  • Generate your talent tree from your goal.
  • Track your progress and display it back to you.
  • Debug errors and improve performance.
  • Nothing else. We do not sell data. We do not run ads.

3. Third parties who process your data

Duskvow is a thin shell over a few service providers. Each of them has their own terms and privacy policies.

  • Supabase — authentication + database. Stores everything in section 1.
  • Google Gemini — when you create a vow, the text of your goal and your follow-up answers are sent to Google's Gemini API to generate the tree. Google states that prompts sent to the Gemini API (paid tier) are not used to train their models. Duskvow does not send any other personal information to Gemini.
  • Vercel — frontend hosting. Analytics and Speed Insights only run if you accept the consent banner.
  • Railway — backend hosting. Processes API requests; does not retain the content of those requests beyond standard access logs.

4. How long we keep it

  • Account & progression: for as long as your account exists.
  • Deleted trees: soft-deleted (marked hidden) for up to 90 days, then hard-deleted.
  • Server access logs: typical Railway/Vercel retention (30–90 days).
  • Analytics: per Vercel's retention policy.

5. Your rights

You have the right to see, export, correct, and delete your data. All four are one click each from your profile page:

  • See: the Profile page shows everything we store about your progression.
  • Export: "Export My Data" downloads a JSON file with your profile, trees, embers, achievements, inventory, and dungeon history.
  • Delete: "Unbind Your Vow" removes your account and everything connected to it. This is irreversible.
  • Correct: hero name can be changed from the profile; other fields are derived from your activity.

If the in-app controls don't work for you, email us (below) and we'll do it by hand.

6. Cookies & similar storage

We use first-party cookies for two things:

  • Authentication session (Supabase). Needed for sign-in to work.
  • Consent state — a tiny cookie remembering whether you accepted or declined analytics.

If you accept the consent banner, Vercel Analytics and Speed Insights set their own identifiers. Declining suppresses both.

7. Security

All traffic is over HTTPS. Writes to the database go through a service-role backend that verifies ownership on every request. The browser cannot write to tables directly. We apply best-effort security practices but cannot promise any system is unbreakable.

8. Changes to this policy

When this policy changes we update the date at the top. Material changes will also surface as a banner the next time you sign in.

Tempered by ambition. Tended by hand.