Privacy Policy
Last updated: April 2026
MythCaster is operated by WyrdWork Studios LLC (“we”, “us”, “our”). This policy explains what data we collect, how we use it, and your rights regarding your information.
1. Data We Collect
Account Information
When you sign in with Google, we receive your email address, display name, and profile picture URL from Google’s OAuth service. We store these to create and manage your MythCaster account. We do not receive or store your Google password.
Content You Create
Worlds, scenes, entities, wiki articles, and other content you create are stored on our servers to provide the service. This content is under your control — you can edit, delete, or make it public/private at any time.
Purchase Information
Payments are processed by Stripe. We do not store your credit card number or payment method details. We receive your email address, the items purchased, and transaction status from Stripe to fulfill your order and create download grants.
Session Data
We set a session cookie named sid when you sign in. This cookie is:
- HttpOnly — not accessible to JavaScript
- SameSite=Lax — not sent on cross-site requests
- 24-hour expiration — automatically expires after one day
The cookie contains a random session identifier only. Your email and user ID are stored server-side in Cloudflare Workers KV, not in the cookie itself.
Preferences
We store your UI preferences (theme, accent color, font size, reduced effects) and your last-accessed world and scene to restore your session. These are linked to your account, not stored in cookies.
IP Address
Your IP address is recorded in the following cases:
- Terms of Service acceptance — raw IP stored in an audit log
- STL file downloads — IP is hashed (SHA-256, truncated) before storage for privacy-preserving abuse detection
- Bot protection — IP is sent to Cloudflare Turnstile for verification when joining public lobbies as a guest
2. How We Use Your Data
- Provide and maintain your account and content
- Process purchases and deliver digital downloads
- Detect and prevent abuse (rate limiting, download tracking)
- Improve the platform and fix issues
- Communicate about your account or purchases when necessary
- Enforce our Terms of Service
We do not sell your data to third parties. We do not use advertising cookies or external analytics services.
3. Third-Party Services
MythCaster uses the following third-party services that may process your data:
- Google OAuth — Authentication. Subject to Google’s Privacy Policy.
- Stripe — Payment processing. Subject to Stripe’s Privacy Policy.
- Cloudflare — Hosting, CDN, Workers KV (session storage), D1 (database), R2 (file storage), Turnstile (bot protection). Subject to Cloudflare’s Privacy Policy.
- Cloudflare Workers AI — Powers NPC dialogue generation. Conversation context is processed by Cloudflare’s AI models. No user data is sent to other AI providers.
4. Cookies & Local Storage
We use one session cookie (sid) to keep you signed in. Cloudflare Turnstile may set its own cookies for bot detection when you use the guest play feature. We do not use advertising, tracking, or third-party analytics cookies.
We use browser sessionStorage for temporary navigation state (deep links, pending invites). This data is not transmitted to our servers and is cleared when you close the tab.
5. Data Storage & Security
Your data is stored on Cloudflare’s infrastructure (D1 database, Workers KV, R2 object storage). All data is encrypted in transit via HTTPS. Session identifiers are generated using cryptographically secure random bytes. STL model files are stored in a private R2 bucket and served only to authenticated users with valid download grants.
6. Data Retention
- Account data — retained while your account is active
- Content — retained until you delete it or your account
- Purchase records — retained indefinitely for legal and accounting purposes
- Session data — automatically expires after 24 hours
- Download audit logs — retained for abuse prevention
If you delete your account, we will remove your personal data within 30 days. Purchase records may be retained longer as required by law.
7. Your Rights
You may:
- Request a copy of the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and personal data
- Make your content private or delete it at any time
To exercise these rights, contact info@mythcaster.app.
8. Children’s Privacy
MythCaster is not intended for children under 13. We do not knowingly collect personal data from children under 13. If we learn we have, we will delete the account and data promptly.
9. Changes
We may update this policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated via the platform.
Contact
Privacy questions: info@mythcaster.app