Privacy Policy

1. Data Controller

Philipp Veller
Orpheusstraße 7
78628 Rottweil, Germany
Email: mail@vellip.de

2. Overview

Hexer is a browser-based hex map editor for tabletop role-playing games. We process personal data only to the extent necessary to provide and improve the service. We do not sell your data or use it for advertising.

3. Data We Collect

  • Account data: Email address and password (stored as a cryptographic hash) when you register.
  • Map data: Maps, terrain, regions, paths, notes, and other content you create within the editor.
  • Subscription data: If you subscribe to the Game Master plan, we store your Stripe customer ID and subscription ID. We do not store credit card numbers — all payment details are handled by Stripe.
  • Usage data: Anonymous, aggregated page view statistics collected via Rybbit (see Section 6).
  • Server logs: IP address, browser type, and access timestamps recorded in server logs for security purposes.

4. Legal Bases for Processing

  • Art. 6(1)(b) GDPR — Contract performance: Processing your account and map data to provide the service you signed up for.
  • Art. 6(1)(b) GDPR — Contract performance: Processing subscription and payment data to manage your paid plan.
  • Art. 6(1)(f) GDPR — Legitimate interest: Server logs to ensure the security and stability of the service.
  • Art. 6(1)(f) GDPR — Legitimate interest: Anonymous analytics to understand usage patterns and improve the product.

5. Cookies

We use only strictly necessary cookies. No tracking or advertising cookies are set.

  • sb-access-token — Authentication token (expires after 1 hour). HttpOnly, secure, same-site.
  • sb-refresh-token — Session renewal token (expires after 7 days). HttpOnly, secure, same-site.

These cookies are set only for authenticated users and are essential for the service to function. Because they are strictly necessary, no cookie consent banner is required under the ePrivacy Directive.

6. Analytics (Rybbit)

We use Rybbit, a self-hosted, cookie-free analytics tool, to collect anonymous page view statistics. Rybbit does not store personal data, does not set cookies, and does not create user profiles. Only aggregated, anonymous data is collected (e.g., page views, referrers). Data is processed on our own server at rybbit.vellip.dev and is not shared with third parties.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in anonymous usage analysis to improve the service).

7. Error Monitoring (GlitchTip)

We use GlitchTip, a self-hosted error monitoring service, to collect crash reports and error data. When an error occurs, technical context (browser type, error message, stack trace) may be transmitted. No personally identifiable information is collected intentionally. Data is processed on our own infrastructure and is not shared with third parties.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining service stability).

8. Third-Party Services

Supabase (Backend & Authentication)

We use Supabase Inc. (USA) as our backend for authentication and data storage. Supabase processes your data on our behalf under a Data Processing Agreement (DPA) and in compliance with the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

More information: supabase.com/privacy

Stripe (Payment Processing)

We use Stripe Inc. (USA) to process subscription payments. When you subscribe to the Game Master plan, Stripe receives your email address, payment details, and billing address for tax calculation. Stripe processes this data as an independent data controller for payment-related purposes. We store only your Stripe customer ID and subscription ID in our database — never your credit card details.

More information: stripe.com/privacy

9. Data Retention and Deletion

Your account data and map data are stored for as long as your account exists. If you delete your account, all associated data (maps, regions, paths, notes) is permanently and irreversibly deleted.

Server logs are automatically deleted after 30 days.

Subscription records may be retained for up to 10 years after the end of the subscription to comply with German tax record-keeping obligations (Section 147 AO).

10. International Data Transfers

Some of our service providers (Supabase, Stripe) are based in the United States. Transfers to the US are safeguarded by the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

11. Your Rights

Under the GDPR, you have the right to:

  • Access (Art. 15) — request a copy of your stored data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — request deletion of your data.
  • Restriction (Art. 18) — restrict processing of your data.
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format. You can export all your map data via the Export feature in the editor.
  • Objection (Art. 21) — object to processing based on legitimate interest.

To exercise any of these rights, contact us at: mail@vellip.de

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
www.baden-wuerttemberg.datenschutz.de

Last updated: March 2026

Hexer is not affiliated with, endorsed by, or sponsored by Wizards of the Coast LLC. "Dungeons & Dragons" and "D&D" are trademarks of Wizards of the Coast LLC.