Privacy Policy
Last updated: March 6, 2026
Who we are
Savecraft is operated by Josh Symonds ("we," "us," "our").
General contact: josh@savecraft.gg
Privacy contact: privacy@savecraft.gg
Savecraft is a gaming companion tool that serves structured game state data to AI assistants (Claude, ChatGPT) via the Model Context Protocol (MCP). How a game's data reaches us depends on the game: reference data needs nothing; account games (such as World of Warcraft or Path of Exile) connect through the game's own read-only OAuth; save-file games are read by a local daemon that runs on the device you play on; some moddable games push state from an in-game mod. It consists of that optional local daemon, a cloud service that stores and serves your data, and a web interface for managing your games and devices.
This policy applies to the hosted service at savecraft.gg and the Savecraft daemon software. If you self-host Savecraft from our open-source repository, your deployment is governed by your own privacy practices, not this policy.
What we collect and why
We collect only what's necessary to provide the service. Here is everything, with nothing omitted:
Account data
When you create an account, we collect your email address and display name through our authentication provider, Clerk. We use this to identify your account and display which account your devices are linked to.
Legal basis (GDPR): Contract performance -- you provide this to create and use your account.
Retention: Until you delete your account.
Device data
When you link a gaming device, the daemon registers with our server and reports its hostname (e.g., "steam-deck"), operating system (e.g., "linux"), and architecture (e.g., "arm64"). A device-specific authentication token is generated; we store only a SHA-256 hash of this token, never the token itself.
Legal basis: Contract performance -- device identification is required for the daemon to push save data.
Retention: Until you unlink the device, plus a 7-day cleanup period.
API keys
You can generate API keys for programmatic access. We store a SHA-256 hash of each key, a short prefix for identification (e.g., "sav_a1b2"), and a label you provide. The full key is shown to you once at creation and is never stored.
Legal basis: Contract performance.
Retention: Until you delete the key or your account.
Game save data
This is the core of the service. When the daemon detects a save file change, it parses the file locally on your device, converts it to structured JSON (character stats, gear, skills, quest progress -- whatever the game plugin extracts), and pushes that JSON to our cloud. We store every snapshot as an immutable record so you can track changes over time.
The daemon reads your save files in read-only mode. It cannot modify your saves. The raw save file never leaves your device -- only the parsed JSON output is transmitted.
Legal basis: Contract performance -- serving your game state to AI assistants is the entire service.
Retention: All snapshots are currently retained for the life of your account. We may introduce time-based thinning in the future (e.g., keeping daily snapshots for a month, then weekly) and will update this policy before doing so.
Notes
You (or an AI assistant acting on your behalf during conversation) can create notes attached to your saves -- build guides, farming goals, session reminders. Notes are user-authored markdown stored alongside your save data.
Legal basis: Contract performance.
Retention: Until you delete them.
Authentication and session data
When you connect an AI assistant via MCP, the OAuth handshake creates client registrations, authorization codes, and access tokens. These are stored in Cloudflare KV with automatic expiration (TTL-managed). A single-column record tracks whether you've connected an MCP client, used to show connection status in the web UI.
Legal basis: Contract performance (MCP authentication is required for the service to function).
Retention: Tokens expire automatically per their TTL. The MCP activity flag persists until your account is deleted.
Third-party game API credentials
Some games (such as World of Warcraft and Path of Exile) connect through the game's own account instead of local save files. For these games, you authorize through the provider's OAuth flow (Battle.net for WoW, your GGG account for Path of Exile -- Savecraft is a GGG-approved application). We store the resulting OAuth access token and refresh token in our database.
These tokens are stored solely to verify your ownership of in-game characters and to refresh character data on demand when you or your AI assistant requests it. We do not use these tokens for any other purpose, and we do not access your game account beyond reading character profile data.
We also store a list of your linked characters (character name, game-specific ID, and metadata such as realm, class, and level) so that we can track which characters you have chosen to monitor. Characters you remove are soft-deleted (marked inactive) rather than hard-deleted, so your save history is preserved.
Legal basis: Contract performance -- connecting your game account is required to fetch character data for API-backed games.
Retention: Until you disconnect your game account. You can revoke access at any time from your game platform's account settings (e.g., Battle.net Authorized Applications), which immediately invalidates the stored tokens.
Device status events
The daemon reports operational status (online/offline, parse success/failure, push status) to power the real-time activity feed in the web UI. We retain the last 100 events per device.
Legal basis: Legitimate interest -- operational monitoring helps you verify your daemon is working and helps us debug issues.
Retention: Rolling window of 100 events per device, pruned on insert.
What we do NOT collect
This matters as much as what we do collect:
- Zero third-party analytics SDKs (no Google Analytics, Posthog, Mixpanel, Hotjar, Segment, or similar).
- No behavioral tracking of any kind: no heatmaps, no session recordings, no funnel analytics.
- We never see your conversations with the AI. The audit log captures which MCP tool the AI called on your behalf; the AI's responses to you stay between you and the AI provider.
- No device fingerprinting. The only browser-side signal we keep is a short label identifying the AI client that made the request (e.g. "chatgpt", "claude-desktop").
- Raw save-file bytes stay on your device. The daemon parses them locally and pushes only the structured JSON output.
- No advertising networks, no data brokers, no marketing or social-media trackers.
How data flows through MCP
This is worth explaining clearly because it's a new kind of data flow that most privacy policies don't address.
When you connect an AI assistant to Savecraft, the assistant can use our MCP tools to
request your game data. A typical interaction looks like this: you ask the AI a question
about your character, the AI calls our get_section tool with your save ID, we return
the requested JSON data (e.g., your equipped gear), and the AI uses that data to answer your question.
We serve data to the AI assistant on your behalf and under your authorization. We do not control what the AI provider does with the data after receiving it -- that is governed by your agreement with the AI provider (Anthropic, OpenAI, etc.). We do not cache requests from AI providers.
We retain a per-call audit log for 90 days (debugging, abuse prevention, and answering questions like "why did this tool error?"). The log captures: tool name, params (truncated to 4 KB), response size in bytes, duration in milliseconds, error flag, AI-client label (derived from User-Agent), user UUID, timestamp. The AI's response to you. The content returned by the tool (only its size).
Cookies
Savecraft uses a single cookie:
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
__client_uat | Clerk | Authentication session management | Session |
This cookie is strictly necessary for the service to function (it keeps you logged in) and is exempt from consent requirements under the ePrivacy Directive. We do not use any analytics, advertising, or tracking cookies. No cookie consent banner is needed or shown because there are no optional cookies to consent to.
Where your data lives, in detail
Cloudflare's infrastructure backs everything. Within it, data is distributed across four layers:
- D1: save sections (parsed JSON snapshots); account and device metadata; notes; search index (FTS5); API keys (SHA-256 hashed); device auth tokens (SHA-256 hashed); linked characters; adapter OAuth tokens (game_credentials); MCP tool-call audit log (90-day retention); reference data.
- R2: WASM plugin binaries; plugin manifests and signatures.
- KV: short-lived OAuth handshake state (TTL-managed).
- Durable Objects: SourceHub and UserHub WebSocket state; device status ring buffer (rolling per-device window).
Who has access to your data
We name every third party, what they receive, and why.
Cloudflare
Role: Infrastructure provider (data processor under GDPR).
What they receive: All application data: save snapshots, account metadata, notes, authentication tokens, device events. Cloudflare Workers execute your API requests; D1 stores save snapshots and metadata; R2 stores plugin binaries; KV stores OAuth handshake state.
Data location: Global edge network, including the United States
Transfer safeguards: Cloudflare is certified under the EU-U.S. Data Privacy Framework and incorporates EU Standard Contractual Clauses in its Data Processing Addendum, which applies automatically to all customers.
Their privacy policy: www.cloudflare.com/privacypolicy/
Clerk
Role: Authentication provider (data processor for authentication services; independent data controller for its own account management).
What they receive: Your email address, display name, and authentication credentials (hashed). Clerk also processes session data and device metadata as part of authentication.
Data location: United States (Google Cloud Platform)
Transfer safeguards: Clerk is certified under the EU-U.S. Data Privacy Framework and offers a DPA with Standard Contractual Clauses: clerk.com/legal/dpa
Their privacy policy: clerk.com/legal/privacy
Blizzard Entertainment (Battle.net)
Role: Game data provider (when you connect a Battle.net account for World of Warcraft).
What they receive: API requests for your character profile data (gear, stats, talents, raid progression). These requests are authenticated with your OAuth token and Savecraft's application credentials.
What we receive from them: Character profile data (name, realm, class, level, equipped gear, talents, Mythic+ runs, raid progression, professions). This data becomes part of your game save state within Savecraft.
Data location: United States
Their privacy policy: www.blizzard.com/en-us/legal/a4380ee5-5c8d-4e3b-83b7-ea4d874e7f22/blizzard-entertainment-online-privacy-policy
Raider.io
Role: Enrichment data provider for World of Warcraft (no authentication required).
What they receive: Your character name, realm, and region in API requests. No OAuth tokens or personal data are shared.
What we receive from them: Mythic+ scores, rankings, and raid progression summaries. This enriches your character's game state but is not required; if Raider.io is unavailable, your save data is still complete from Blizzard's API alone.
Data location: United States
Their privacy policy: raider.io/privacy
Grinding Gear Games (pathofexile.com)
Role: Path of Exile character data provider. Savecraft is a GGG-approved application.
What they receive: API requests for your character profile, authenticated with your GGG OAuth token and Savecraft's application credentials.
What we receive from them: Character profile data (name, league, class, level, equipment, passive tree, items). This becomes part of your game save state within Savecraft.
Data location: International (GGG operates globally)
Their privacy policy: www.pathofexile.com/privacy-policy
Google Fonts
Role: Web font delivery, loaded by your browser via CSS.
What they receive: Your browser's IP address, User-Agent, and referer when it fetches font files from fonts.googleapis.com. No Savecraft application data is sent to Google.
Data location: Google global edge network
Their privacy policy: policies.google.com/privacy
Stripe (future)
Role: Payments processor (planned; not yet integrated).
What they receive: Nothing yet; payments aren't enabled.
Data location: United States
Their privacy policy: stripe.com/privacy
When we add paid subscriptions, Stripe will process payments. Stripe will receive your payment card details, billing address, and transaction data directly; we will not store payment information ourselves. Stripe acts as both a data processor (handling transactions on our behalf) and an independent data controller (for fraud prevention and regulatory compliance). We will update this policy before adding Stripe.
No other third parties have access to your data. We do not use advertising networks, data brokers, marketing platforms, or social media integrations.
International data transfers
If you are in the EU/EEA or UK, your data is transferred to and processed in the United States and potentially other countries where Cloudflare operates edge infrastructure. These transfers are protected by:
- The EU-U.S. Data Privacy Framework adequacy decision (European Commission, July 10, 2023), under which both Cloudflare and Clerk are certified.
- EU Standard Contractual Clauses (Commission Decision 2021/914) incorporated into both Cloudflare's and Clerk's data processing agreements, as a fallback mechanism.
- The UK International Data Transfer Addendum for UK-originating data.
Your rights
Everyone
You can request a copy of all data we hold about you, ask us to correct inaccurate data, or delete your account and all associated data by emailing privacy@savecraft.gg. You can also delete individual saves, notes, and devices directly through the web UI or MCP tools at any time.
EU/EEA and UK residents
Under GDPR, you have the right to:
- Access your personal data and receive a copy in a portable format
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict processing in certain circumstances
- Object to processing based on legitimate interest
- Data portability -- receive your data in a structured, machine-readable format (your game state is already structured JSON)
- Lodge a complaint with your local data protection supervisory authority
We respond to all data rights requests within one month. If a request is complex, we may extend this by up to two additional months with notice. Requests are free of charge.
We do not have a Data Protection Officer, as our processing activities do not involve large-scale systematic monitoring or special category data. For any privacy concerns, contact us directly at privacy@savecraft.gg.
California residents
We do not currently meet the applicability thresholds of the California Consumer Privacy Act (CCPA/CPRA). Regardless, we voluntarily state: we do not sell or share your personal information as defined under California law, and we have never done so. If the CCPA becomes applicable to us, we will update this policy with the required disclosures.
Children's privacy
Savecraft is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use Savecraft or provide any information to us. If we learn that we have collected personal information from a child under 13, we will delete that data promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@savecraft.gg.
In EU member states where the age of digital consent is higher than 13, users below that age require parental or guardian consent to use the service.
Data security
Save data and notes are stored in Cloudflare's infrastructure, which provides encryption at rest and in transit. The specifics of how each credential type is protected:
- Device auth tokens: SHA-256 hashed before storage; the plaintext token is never stored server-side.
- API keys: SHA-256 hashed; a short prefix (e.g. "sav_a1b2") is shown once at creation for identification.
- MCP OAuth tokens: Opaque random strings, stored in Cloudflare KV with automatic TTL-based expiration.
- Game-platform OAuth tokens: Stored in D1 game_credentials, used by the worker to fetch your character data on demand from the game provider (Battle.net, GGG). Protected by Cloudflare's platform-level encryption at rest; revoke at any time from your game-provider's account settings.
- Passwords: Handled by Clerk per their security practices. Savecraft never sees or stores your password.
- Daemon filesystem access: Read-only via Go's os.ReadFile (internal/osfs/osfs.go). The daemon cannot modify or delete your save files.
- WASM plugin sandbox: WASM plugins run under wazero with only stdin / stdout / stderr wired up. No filesystem, no network, no environment access (internal/runner/wazero.go).
Our source code is publicly available. You can inspect exactly what data the daemon collects, how plugins parse saves, and how the server handles requests.
Changes to this policy
We will update this policy when our data practices change. For material changes -- new data collection, new third-party services, changes to retention periods -- we will notify you via email and/or a prominent notice on savecraft.gg at least 30 days before the changes take effect. For minor clarifications or formatting changes, we will update the "Last updated" date at the top.
Previous versions of this policy will be available in our public Git repository.
Contact
For any privacy-related questions, concerns, or data rights requests:
Email: privacy@savecraft.gg
We aim to respond to all inquiries within 5 business days and to all formal data rights requests within one month.