Privacy Policy

Last updated: May 19, 2026

This Privacy Policy describes how Paul Nitsch operating as OverEngineeredVTT ("we", "our", or "us") collects, uses, and discloses information when you use the services available at oevtt.com (the "Platform"). We are committed to protecting your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25).

By using the Platform you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

We collect the following categories of personal information:

  • Account information: email address, display name, and avatar (via email/password sign-up or OAuth — Google or Discord).
  • Profile information: bio, social links, and any other information you voluntarily add to your profile.
  • Transaction information: purchase history and license keys associated with your account. We do not store full payment card details — all payment processing is handled by Stripe (see Section 4).
  • Creator content: product listings, release files, and images uploaded by creators.
  • Usage data: log data such as IP addresses, browser type, pages visited, and timestamps, collected automatically by our hosting infrastructure (Cloudflare).
  • Communications: messages you send to our support email.

2. How We Use Your Information

  • To create and manage your account.
  • To process purchases and issue license keys.
  • To deliver transactional emails (purchase receipts, password resets, submission notifications).
  • To allow creators to manage products and receive payouts via Stripe Connect.
  • To detect and prevent fraud and abuse.
  • To improve the Platform and diagnose technical issues.
  • To comply with legal obligations.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

3. Legal Basis for Processing

We process personal information on the basis of your consent (account registration), the performance of a contract (processing your purchase), and our legitimate interests (platform security, fraud prevention, and service improvement). You may withdraw consent at any time by closing your account (see Section 7).

4. Third-Party Services

We share information with the following trusted third-party processors:

  • Supabase (authentication and database) — stores your email address, hashed password, and account metadata. Supabase Privacy Policy.
  • Stripe (payment processing and creator payouts) — handles all payment card data in full PCI DSS compliance. We receive only a transaction identifier and payment status. Creators who connect a Stripe account are subject to Stripe's own onboarding and identity verification. Stripe Privacy Policy.
  • Cloudflare (hosting, CDN, and object storage) — your files and assets are stored in Cloudflare R2. Cloudflare may process usage logs. Cloudflare Privacy Policy.
  • Resend (transactional email) — receives your email address to deliver service emails. Resend Privacy Policy.
  • Google / Discord OAuth (optional sign-in) — if you choose to sign in with Google or Discord, those providers share your email address and public profile with us per their own privacy policies.

5. Cookies and Tracking

The Platform uses cookies and localStorage only for session management and user preference storage (e.g. theme selection). We do not use advertising or third-party tracking cookies. Our CDN provider (Cloudflare) may set technical cookies necessary for network security.

6. Data Retention

  • Account data is retained while your account is active.
  • Transaction and license records are retained for a minimum of 7 years to meet tax and financial record-keeping requirements.
  • Log data is retained for up to 30 days by our infrastructure providers.

7. Your Rights

Under PIPEDA and applicable provincial law you have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correction — request correction of inaccurate information.
  • Deletion — request deletion of your account and associated personal information, subject to our legal retention obligations.
  • Withdraw consent — stop using the Platform and request account deletion at any time.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

8. Security

We use industry-standard safeguards including HTTPS/TLS in transit, hashed password storage (via Supabase), token-based authentication, and access-controlled infrastructure. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

9. Children's Privacy

The Platform is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

10. International Transfers

Our service providers may process data outside Canada (e.g. in the United States). We take reasonable contractual steps to ensure that transferred data is protected to a standard at least equivalent to that required under PIPEDA.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via a notice on the Platform or by email. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the Platform after changes constitutes acceptance of the updated policy.

12. Contact

Questions, concerns, or requests regarding this Privacy Policy should be directed to:
Paul Nitsch — OverEngineeredVTT
[email protected]