Privacy Policy
1. Data Controller
Philipp Veller
Orpheusstraße 7
78628 Rottweil, Germany
Email: mail@vellip.de
2. Overview
Hexer is a browser-based hex map editor for tabletop role-playing games. We process personal data only to the extent necessary to provide and improve the service. We do not sell your data or use it for advertising.
3. Data We Collect
- Account data: Email address and password (stored as a cryptographic hash) when you register.
- Third-party sign-in data: If you choose to sign in with Google or Discord, we receive from that provider — at your initiation — your email address, name, profile picture, and the provider account identifier, which are used to create and identify your account. We never receive your provider password. You can instead register with an email address and password if you prefer not to use a provider.
- Map data: Maps, terrain, regions, paths, notes, and other content you create within the editor.
- Subscription data: If you subscribe to the Game Master plan, we store your Stripe customer ID and subscription ID. We do not store credit card numbers — all payment details are handled by Stripe.
- Usage data: Anonymous, aggregated page view statistics collected via Rybbit (see Section 6).
- Server logs: IP address, browser type, and access timestamps recorded in server logs for security purposes.
- Bot-protection data: When you submit a public form (sign-up, password reset, or feedback), your IP address and basic browser signals are processed by Cloudflare Turnstile to distinguish humans from automated bots. No cookies are used, and this data is not used for tracking or advertising (see Section 11).
- Communication data: We use your email address (and your display name, if set) to send the service and product emails described in Section 8.
- Shared-view presence: When people view a map via a share link, transient real-time data — mouse-cursor position, freehand drawings, an assigned colour, and an optional name — is broadcast to others viewing the same link. It is held only in memory and never stored (see Section 9).
- Location data: We derive your approximate country from your IP address to display prices in your local currency (see Section 10).
4. Legal Bases for Processing
- Art. 6(1)(b) GDPR — Contract performance: Processing your account and map data to provide the service you signed up for.
- Art. 6(1)(b) GDPR — Contract performance: Processing subscription and payment data to manage your paid plan.
- Art. 6(1)(f) GDPR — Legitimate interest: Server logs to ensure the security and stability of the service.
- Art. 6(1)(f) GDPR — Legitimate interest: Anonymous analytics to understand usage patterns and improve the product.
- Art. 6(1)(f) GDPR — Legitimate interest: Bot and abuse prevention on public forms (sign-up, password reset, feedback) to protect the service from automated sign-ups, spam, and other abuse.
- Art. 6(1)(b) GDPR — Contract performance: Sending service (transactional) emails and managing your subscription.
- Art. 6(1)(f) GDPR — Legitimate interest: Occasional product emails to existing or former users about our own similar service, each with a one-click opt-out, relying on the "soft opt-in" under the ePrivacy rules.
- Art. 6(1)(f) GDPR — Legitimate interest: Real-time presence (cursors and drawings) on maps you choose to share.
- Art. 6(1)(b)/(f) GDPR — Contract / legitimate interest: Estimating your country from your IP address to show local-currency pricing.
5. Cookies
We use only strictly necessary cookies. No tracking or advertising cookies are set.
- sb-access-token — Authentication token (expires after 1 hour). HttpOnly, secure, same-site.
- sb-refresh-token — Session renewal token (expires after 7 days). HttpOnly, secure, same-site.
These cookies are set only for authenticated users and are essential for the service to function. Because they are strictly necessary, no cookie consent banner is required under the ePrivacy Directive.
6. Analytics (Rybbit)
We use Rybbit, a self-hosted, cookie-free analytics tool, to collect anonymous page view statistics.
Rybbit does not store personal data, does not set cookies, and does not create user profiles. Only
aggregated, anonymous data is collected (e.g., page views, referrers). Data is processed on our own server
at
rybbit.vellip.dev and is not shared with third parties.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in anonymous usage analysis to improve the service).
7. Error Monitoring (GlitchTip)
We use GlitchTip, a self-hosted error monitoring service, to collect crash reports and error data. When an error occurs, technical context (browser type, error message, stack trace) may be transmitted. No personally identifiable information is collected intentionally. Data is processed on our own infrastructure and is not shared with third parties.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining service stability).
8. Email Communications
We send two kinds of email:
- Service (transactional) emails — e.g. account confirmation and password reset, your Pro plan starting, payment receipts, failed-payment and renewal notices, and trial-ending reminders. These are necessary to provide the Service and manage your subscription, so they are not optional.
- Occasional product emails — e.g. a getting-started nudge after sign-up, or a reminder if your subscription has lapsed. We send these only to people who already have (or had) an account, about our own similar service, and every such email contains a one-click unsubscribe link. Opting out never affects your service emails.
You can opt out of product emails at any time via the unsubscribe link in any such message or by emailing mail@vellip.de. We also process bounce and spam-complaint notifications from our email provider so we can stop sending to addresses that are undeliverable or have complained. Email is delivered through Resend (see Section 11).
9. Shared Maps and Real-Time Collaboration
When you create a share link for a map, anyone with that link can view the map — no account is required, and the link stays valid until you delete the share.
The shared view supports live collaboration: while several people view the same link at once, each participant's mouse-cursor position, any freehand drawings they make, an assigned colour, and an optional display name are broadcast in real time to the others. This presence data is held only in memory for the duration of the session, is never written to our database, and disappears shortly after a participant stops moving or leaves the page. As with any visit, a visitor's IP address appears in our server logs (Section 3).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing live collaboration on maps you choose to share).
10. Location-Based Pricing
To show subscription prices in your local currency, we estimate your country from your IP address using a local copy of the MaxMind GeoLite2 database. This lookup runs on our own server; your IP address is not sent to MaxMind or any other third party for this purpose.
Legal basis: Art. 6(1)(b)/(f) GDPR (contract performance / legitimate interest).
11. Third-Party Services
Supabase (Backend & Authentication)
We use Supabase Inc. (USA) as our backend for authentication and data storage. Supabase processes your data on our behalf under a Data Processing Agreement (DPA) and in compliance with the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
More information: supabase.com/privacy
Stripe (Payment Processing)
We use Stripe Inc. (USA) to process subscription payments. When you subscribe to the Game Master plan, Stripe receives your email address, payment details, and billing address for tax calculation. Stripe processes this data as an independent data controller for payment-related purposes. We store only your Stripe customer ID and subscription ID in our database — never your credit card details.
More information: stripe.com/privacy
Resend (Email Delivery)
We use Resend (Plus Five Five, Inc., USA) to send the emails described in Section 8. Resend receives your email address and the message content (which may include your name) as our processor under a Data Processing Agreement (DPA), with transfers to the US safeguarded by the EU Standard Contractual Clauses (SCCs). Resend delivers mail via Amazon SES servers located in the EU (Ireland).
More information: resend.com/legal/privacy-policy
Cloudflare Turnstile (Bot Protection)
To protect our public forms (sign-up, password reset, and feedback) from automated abuse, we use Cloudflare Turnstile, a privacy-focused CAPTCHA alternative provided by Cloudflare, Inc. (USA). When you submit one of these forms, Turnstile processes your IP address and basic browser/device signals to verify that you are a human. Turnstile does not set tracking cookies, does not create user profiles, and does not use the data for advertising. Cloudflare acts as our processor under a Data Processing Agreement (DPA), with transfers to the US safeguarded by the EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing bot abuse and spam).
More information: cloudflare.com/turnstile-privacy-policy
12. Data Retention and Deletion
Your account data and map data are stored for as long as your account exists. If you delete your account, all associated data (maps, regions, paths, notes) is permanently and irreversibly deleted.
Server logs are automatically deleted after 30 days.
Subscription records may be retained for up to 10 years after the end of the subscription to comply with German tax record-keeping obligations (Section 147 AO).
13. International Data Transfers
Some of our service providers (Supabase, Stripe, Cloudflare, Resend) are based in the United States. Transfers to the US are safeguarded by the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
14. Your Rights
Under the GDPR, you have the right to:
- Access (Art. 15) — request a copy of your stored data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — request deletion of your data.
- Restriction (Art. 18) — restrict processing of your data.
- Data portability (Art. 20) — receive your data in a structured, machine-readable format. You can export all your map data via the Export feature in the editor.
- Objection (Art. 21) — object to processing based on legitimate interest.
To exercise any of these rights, contact us at: mail@vellip.de
15. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de
Last updated: 27 June 2026