Dice and Decks Guild Hall

Privacy Policy

Legion Builder

Privacy Policy: Legion Builder

Effective date: July 8, 2026 Last updated: July 8, 2026

Legion Builder ("the App") is a free, unofficial companion application for the Star Wars: Legion miniatures wargame by Atomic Mass Games. It is published by Tinkavu LLC / Extra Turn Games ("we", "us", "our"). This policy explains what data we collect, how we use it, who we share it with, and how you can control or delete your data.

This App is not affiliated with, endorsed by, or sponsored by Atomic Mass Games, Lucasfilm Ltd., or The Walt Disney Company. Trademarks and game content referenced in the App belong to their respective owners.


Data We Collect

Data You Give Us Directly

The App is local-first: rules browsing, army lists, and settings are stored on your device and work fully offline. An account is only needed for cloud features, and sign-in is entirely optional.

If you choose to sign in, we collect:

  • Account information: your email address, used for authentication via Google Sign-In, Discord OAuth, email magic link, or email and password.
  • Display name you choose, which is shared across the company's apps via the D&D Guildhall directory.
  • Army lists you save to the cloud, including unit selections, upgrades, command card choices, list name, faction, format, and timestamps.
  • Player Finder profile (entirely opt-in - requires sign-in and explicit "Findable" toggle):
    • A postal area (ZIP code) you type in manually
    • Country
    • Contact handles you choose to enter and mark visible: Discord, Instagram, Telegram, Facebook, or WhatsApp usernames
    • Whether you have opted in to being discoverable by other players
  • Store favorites you mark within the App.
  • Club data you create or manage, including club name, play location, and recurring event details.

Data Collected Automatically

  • Sign-in metadata (timestamps, authentication provider, refresh tokens) managed by Supabase Auth on our behalf.
  • Approximate location, collected only while you are actively using the Store or Club Finder features and only after you grant the OS permission. We use it on-device to sort nearby stores and clubs by distance. We do not transmit or store your location coordinates on any server. No background location tracking occurs. The only location-adjacent data stored server-side is the postal area (ZIP code) you manually type into your Player Finder profile.

Data We Explicitly Do NOT Collect

  • Precise GPS location (device coordinates are used on-device only and are never transmitted to any server).
  • Contacts, calendar, microphone, camera, biometrics, SMS, or photos.
  • Browsing history outside the App.
  • Advertising identifiers (GAID or IDFA).
  • Analytics, crash-reporting, or advertising SDK data. Legion Builder contains no analytics, crash-reporting, or advertising SDK of any kind.

Processor Data Table

The following table summarizes what each processor receives.

ProcessorPurposeData received
Supabase (Legion app database + auth)Cloud storage of your account, army lists, and auth sessionsAccount info, display name, army lists, sign-in metadata
Supabase (D&D Guildhall directory, EU servers)Cross-game player directory: Player Finder, store favorites, clubsPlayer Finder profile, store favorites, club data
Google (only if you sign in with Google)OAuth authenticationStandard OAuth identity scopes
Discord (only if you sign in with Discord)OAuth authenticationStandard OAuth identity scopes
OpenStreetMap contributors (store location data)Provide store location information in the Store FinderMap data queries only; no account data
api.qrserver.com (QR code generation)Generate a QR code image when you export an army list as a QR codeThe encoded list code string; no account data

How We Use Your Data

We use your data only to provide and improve the App:

  • Authenticate you and keep you signed in across devices.
  • Sync your army lists between your device and the cloud so you can access them on multiple devices.
  • Power the Store Finder and Club Finder using your device location (on-device only) and the Guildhall directory.
  • Display the Player Finder using only the profile information you have explicitly opted in to share.
  • Manage clubs and play-location data you create or participate in.

We do not sell your personal data. We do not use your data for advertising targeting. We do not show ads in the App.


Who We Share Data With

We use the following third-party processors to provide the App. Each processor receives only the minimum data needed for its function and is contractually prohibited from using your data for any other purpose.

ProcessorPrivacy / DPA reference
Supabase, Inc. (both backends)supabase.com/privacy · Art. 28 GDPR DPA signed
Google LLC (Sign-In only if selected)policies.google.com/privacy
Discord, Inc. (Sign-In only if selected)discord.com/privacy
OpenStreetMap Foundation (store data)openstreetmap.org/privacy
goQR.me / api.qrserver.com (QR export only)goqr.me/privacy-policy

We do not sell, rent, or broker your personal data to any other party.


Where Your Data Lives & Storage Security

The App uses two Supabase backends:

  1. Legion app database - stores your account, auth session, and synced army lists. Hosted in Supabase's default region.
  2. D&D Guildhall directory - stores Player Finder data, store favorites, and clubs. This is a shared cross-game directory used across all Extra Turn Games apps, hosted on Supabase's EU-West (Ireland) region.

Security measures across both backends:

  • Encryption at rest: AES-256.
  • Encryption in transit: TLS 1.2 or higher for all network traffic between the App and our servers and between our servers and processors.
  • Key custody: FIPS 140-2 HSMs managed by Supabase.
  • Access control: Supabase row-level security (RLS) policies ensure that users can only read and write their own data.

Our relationship with Supabase, Inc. as a data processor is governed by a signed Data Processing Addendum (DPA) under GDPR Article 28. Supabase's Transfer Impact Assessment (TIA) is available on request from info@askewmarketing.com.


Security & Breach Notification

In addition to the technical measures described above, we:

  • Limit access to personal data to personnel and automated systems that need it to operate the service.
  • Require all processors to maintain appropriate security measures under contract.
  • Periodically review our security practices.

No security system is perfect. If you believe you have discovered a security vulnerability, please report it to info@askewmarketing.com.

Breach notification: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where a breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay, as required by GDPR Article 34, using the contact information in your account.


Data Retention

We keep your data only as long as necessary.

Data typeRetention
Account information (email, display name)Until you delete your account
Player Finder profile (postal area, country, contact handles, findability status)Until you delete your account or clear the relevant field; turning off "Findable" removes you from search immediately
Army lists (cloud-synced)Until you delete your account
Store favoritesUntil you clear them or delete your account
Club data you created or manageUntil you delete the club or delete your account
Sign-in metadataManaged by Supabase Auth; cleared on account deletion
On-device data (offline army lists, rules browsing, settings)Removed automatically when you uninstall the App

You may request earlier deletion of any data at any time via email to info@askewmarketing.com or through the web form at https://ddguildhall.com/remove-my-information?app=legion.


Your Rights & Choices

In-app controls:

  • Edit your Player Finder profile at any time, including clearing individual contact handles.
  • Toggle "Findable" off to immediately remove yourself from in-app player search everywhere.
  • Clear store favorites from the store detail pages at any time.
  • Leave or delete clubs from the club management screen.
  • Delete army lists individually from the list management screen; they are removed from cloud sync immediately.

Account and data removal:

Withdrawal of consent: Where we process your data on the basis of consent (for example, your opt-in to the Player Finder), you may withdraw that consent at any time by turning off "Findable" or clearing the relevant fields. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

Response timeframe: We will respond to all data-subject rights requests within 30 days of receipt. In cases of complexity or high volume we may extend by an additional 60 days; if so, we will notify you within the initial 30-day period.


GDPR: EEA & UK Users

This section applies if you are located in the European Economic Area (EEA) or the United Kingdom.

Controller

Tinkavu LLC, TINKAVU LLC, 2865 Apaloosa Trl, Deltona, FL 32738, is the data controller for personal data processed through the App. Contact: info@askewmarketing.com.

Lawful Bases (GDPR Article 6)

Processing activityLawful basis
Account creation and authenticationPerformance of a contract (Art. 6(1)(b))
Army list cloud syncPerformance of a contract (Art. 6(1)(b))
Player Finder (postal area, contact handles, findability opt-in)Consent (Art. 6(1)(a))
Store favorites and club data via Guildhall directoryPerformance of a contract (Art. 6(1)(b))
Compliance with legal obligationsLegal obligation (Art. 6(1)(c))

Your Data Subject Rights

Under the GDPR and UK GDPR you have the right to:

  • Access (Art. 15): request a copy of your personal data.
  • Rectification (Art. 16): correct inaccurate data.
  • Erasure (Art. 17): request deletion of your data.
  • Restriction (Art. 18): ask us to restrict processing in certain circumstances.
  • Data portability (Art. 20): receive your data in a machine-readable format.
  • Object (Art. 21): object to processing based on legitimate interests.
  • Not to be subject to automated decision-making (Art. 22): we do not make automated decisions with legal or similarly significant effects on you.

To exercise any of these rights, contact us at info@askewmarketing.com. We will respond within 30 days (see #rights above).

International Data Transfers

The D&D Guildhall backend is hosted in the EU-West (Ireland) region. The Legion app backend and some Supabase sub-processors may be located in the United States. Those transfers are governed by:

  • Standard Contractual Clauses (Module Two, controller to processor) incorporated into the Supabase DPA.
  • The EU-U.S. Data Privacy Framework adequacy decision (10 July 2023), where Supabase or its sub-processors are certified participants.

Google and Discord (authentication only, if you select those providers) are also based in the United States. Transfers to these processors are governed by Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework.

Article 27 EU Representative

Tinkavu LLC is established in the United States. We rely on the small-scale-processing exemption in GDPR Article 27(2)(a): the App does not process special-category data (Art. 9), does not process criminal-offence data (Art. 10), involves no large-scale systematic monitoring, and currently serves a limited number of EU users on an occasional basis. On this basis we have not designated a formal EU representative. We will designate a representative under Art. 27 if any of the triggers in Art. 27(2) are no longer satisfied (for example, if EU user volume grows substantially or if we add any special-category processing).

DPO

We are not required to designate a Data Protection Officer under Art. 37 GDPR given our processing activities. Privacy queries should be directed to info@askewmarketing.com.

Supervisory Authority

If you are in the EEA, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en. UK users may contact the ICO at ico.org.uk.


CCPA / CPRA: California Residents

This section applies to residents of California and supplements the rest of this policy. It is provided under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected

In the preceding 12 months we have collected the following CCPA categories of personal information:

CategoryExamples collected by the AppCollected?
IdentifiersEmail address, user ID, display nameYes (when signed in)
Personal information (Cal. Civ. Code §1798.80)Email addressYes (when signed in)
Geolocation dataDevice location (used on-device only; never transmitted to any server)On-device only
Internet or other electronic network activitySign-in timestamps, session metadataYes (when signed in)
InferencesNone; we draw no inferences or profiles about youNo
Sensitive personal informationPrecise geolocation, racial/ethnic origin, health, financial, or biometric dataNo
Commercial informationNoneNo
Audio, electronic, visual, or similar informationNoneNo

Do Not Sell or Share My Personal Information

We do not sell your personal information as defined under CCPA. We do not share your personal information for cross-context behavioral advertising. You therefore do not need to opt out of a sale or share; however, you may contact us at info@askewmarketing.com if you have questions.

Your California Rights

California residents have the right to:

  1. Know: request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties with whom it is shared.
  2. Delete: request deletion of personal information we have collected, subject to limited exceptions (for example, completing a transaction, detecting security incidents, or complying with legal obligations).
  3. Correct: request correction of inaccurate personal information.
  4. Limit Use of Sensitive Personal Information: we do not process sensitive personal information for purposes beyond those permitted without this right, so no opt-out is required.
  5. Non-Discrimination: we will not discriminate against you for exercising any of these rights. We will not deny you the App, charge different prices, or provide a different level of service because you exercised a CCPA right.

Authorized Agent

You may designate an authorized agent to submit a request on your behalf. The authorized agent must provide written proof of authorization signed by you, and we may verify your identity directly with you as permitted by law.

How to Submit a Request

Email info@askewmarketing.com with the subject line "California Privacy Request." We will respond within 45 days (extendable by a further 45 days with notice if reasonably necessary).


LGPD: Brazilian Users

This section applies to residents of Brazil and supplements the rest of this policy. It is provided under Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD, Law 13,709/2018).

Legal Bases (LGPD Article 7)

We process your personal data under the following LGPD legal bases:

  • Performance of a contract (Art. 7, VII): to provide the App's core cloud functions (account, army list sync, store and club directory).
  • Consent (Art. 7, I): Player Finder opt-in features.
  • Compliance with a legal obligation (Art. 7, II): where required by law.

Your LGPD Rights

Under the LGPD you have the right to: confirm the existence of processing; access your data; correct incomplete or inaccurate data; anonymize, block, or delete unnecessary data; request portability; request information about third parties with whom we share data; object to processing; and withdraw consent at any time.

To exercise these rights, contact info@askewmarketing.com. We will respond within 15 business days.

Encarregado (DPO)

We have not formally designated an Encarregado under the LGPD given the small scale and nature of our processing. Privacy requests should be directed to info@askewmarketing.com.

Supervisory Authority

You may also file a complaint with Brazil's Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.


PIPEDA: Canadian Users

This section applies to residents of Canada and supplements the rest of this policy. It is provided under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

Accountability

Tinkavu LLC is responsible for personal information under its control. Privacy questions and rights requests should be directed to info@askewmarketing.com.

We collect, use, and disclose your personal information only with your knowledge and consent (express for sensitive data; implied for routine service data), except where otherwise permitted or required by law. You may withdraw consent at any time by contacting us or using the web deletion form, subject to legal and contractual restrictions and reasonable notice.

Your Rights

You have the right to: access your personal information held by us; challenge the accuracy and completeness of your information and request correction; and withdraw consent to certain uses or disclosures.

To exercise these rights, contact info@askewmarketing.com. We will respond within 30 days.

Supervisory Authority

You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.


APPI: Japanese Users

This section applies to residents of Japan and supplements the rest of this policy. It is provided under Japan's Act on the Protection of Personal Information (APPI), as amended effective April 2022.

Third-Party Provision and Cross-Border Transfers

Where we transfer your personal information to processors located outside Japan (for example, Supabase in Ireland/EU, or Google and Discord in the United States), we take the following measures in accordance with APPI Article 24:

  • We enter into contracts with each overseas processor that require them to implement personal information protection measures equivalent to those required by APPI.
  • The relevant receiving countries include Ireland (EU, subject to GDPR), and the United States (governed by Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework).

Your APPI Rights

You have the right to request disclosure of retained personal information, correction, addition, or deletion where the data is inaccurate, and suspension of use or third-party provision in certain circumstances. To exercise these rights, contact info@askewmarketing.com.

Supervisory Authority

You may direct inquiries to Japan's Personal Information Protection Commission (PPC) at ppc.go.jp.


Australia: Australian Users

This section applies to residents of Australia and supplements the rest of this policy. It is provided under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Tinkavu LLC is subject to the Privacy Act to the extent its acts or practices have an Australian link. Given our current scale, we may qualify for the small-business operator exemption (annual turnover below AUD 3 million); however, we voluntarily apply the Australian Privacy Principles as good practice.

We collect, hold, use, and disclose personal information only for the purposes described in this policy. We take reasonable steps to secure personal information against misuse, interference, loss, and unauthorized access.

You have the right to access your personal information and to request correction of inaccurate information. To exercise these rights, contact info@askewmarketing.com. We will respond within 30 days.

If you believe we have breached the APPs, you may first contact us to resolve the matter. If unresolved, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.


Children

The App is intended for users who are 13 years of age or older. We do not knowingly collect personal information from children under 13. The App is not directed at children under 13, and we do not target content or advertising at children.

If you believe a child under 13 has provided us with personal information, please contact us at info@askewmarketing.com and we will promptly delete that information from our systems.

For users between 13 and the age of majority in their jurisdiction, we encourage parental or guardian involvement in their use of the App.

This App is not designed to comply with the Children's Online Privacy Protection Act (COPPA) requirements for child-directed services, because it is not child-directed.


Cookies, Identifiers & Advertising

No advertising: The App contains no advertisements. We do not use advertising networks or sell advertising space.

No advertising identifiers: We do not collect or process Google Advertising IDs (GAID), Apple Advertising Identifiers (IDFA), or any other advertising identifier.

App Tracking Transparency (ATT): Because we do not use advertising identifiers or cross-app tracking, we do not present an ATT prompt on iOS.

Session tokens: Supabase Auth uses standard session tokens stored in device secure storage to keep you signed in. These are not advertising cookies and are not shared with third parties.

Legion Builder does not integrate any third-party analytics or crash-reporting SDK. If this ever changes, this section will be updated to disclose the SDK, the data it collects, and how to opt out.


Changes to This Policy

We may update this policy from time to time. If we make a material change (one that meaningfully expands the data we collect, the purposes for which we use it, or the parties we share it with), we will:

  1. Update the "Last updated" date at the top of this policy.
  2. Post a notice within the App on the first launch after the change takes effect.
  3. Where required by applicable law, obtain fresh consent before processing your data under the new terms.

Continued use of the App after a material change is not your only means of acceptance; we will give you adequate notice and opportunity to review changes before they take effect where required by law.


Contact

For privacy questions, data rights requests, data export requests not covered by the self-service web form, or to report a security issue:

Publisher: Tinkavu LLC / Extra Turn Games Email: info@askewmarketing.com Mailing address: TINKAVU LLC, 2865 Apaloosa Trl, Deltona, FL 32738 Data deletion web form: https://ddguildhall.com/remove-my-information?app=legion

Effective date: July 8, 2026 Last updated: July 8, 2026


Star Wars: Legion is a trademark of Atomic Mass Games. Star Wars is a trademark of Lucasfilm Ltd. and The Walt Disney Company. This App is unofficial and is not affiliated with, endorsed by, or sponsored by Atomic Mass Games, Lucasfilm Ltd., or The Walt Disney Company.