top of page

Privacy Policy

Current as of: 26 May 2026

Your privacy matters to us at Fireball Games s.r.o., IČO 24615897, with registered office at Příčná 1892/4, Nové Město, 110 00 Praha 1, Czech Republic, registered in the Commercial Register kept by the Municipal Court in Prague under file no. C 444204/MSPH (hereinafter "Fireball", "we", or "us"). This Policy explains how we handle your personal data in line with Regulation (EU) 2016/679 (GDPR), Act No. 110/2019 Coll. on personal data processing, Act No. 480/2004 Coll. on certain information society services, and other applicable laws.

Fireball is the studio behind Dungeon Realms, a mobile play-by-post tabletop role-playing game built on the 5th Edition SRD. The game is available on the Apple App Store and Google Play, and runs alongside our website at fireballrpg.com. Through the app you can create characters, run or join campaigns, chat with your party, roll dice, and gather around the table with fellow role-players from across the world. The website is where you'll find news, the roadmap, our Kickstarter backer rewards, and information about the game.

 

If you have any questions about how we handle your personal data, send a raven to privacy@fireballrpg.com. We are not required to appoint a Data Protection Officer under Article 37 GDPR.

 

Information about cookies and any related processing for analytical or marketing purposes on our website is covered separately in our Cookie Policy.

What personal data we process and why

The personal data we handle depends on how you use Dungeon Realms. Below is an overview, grouped by the part of the platform and the way you interact with it.

Player

A. Account creation and management

You create an account in the Dungeon Realms mobile app by signing in with Google or Apple. We do not offer email-and-password registration. When you sign in, we receive the following from your chosen provider and from you:

  • email address — automatically received from Google or Apple. If you sign in with Apple and choose "Hide My Email", the address we receive is a private relay address generated by Apple; we cannot see your real email, and any messages we send to that address are forwarded by Apple to your private inbox.

  • username — chosen by you at signup and used to identify you in the app.

  • profile photo — optional, uploaded by you and shown next to your username and characters.

  • technical account data — language settings, date the account was created, and date of your last login.

 

We do not collect your real name, surname, date of birth, biography, or any other profile field at signup or later.

 

We process this data to create and run your account. Without it, we cannot give you access to Dungeon Realms.

B. Character data, campaigns, and gameplay content

Dungeon Realms revolves around the characters you create and the adventures you play. When you use the game, we store the content you produce so you can return to your campaigns whenever you want.

We process:

  • character data — nickname, race, class, background, appearance, personality traits, stats, hit points, level, ability scores, skills, items, spells, and other character-sheet entries you fill in;

  • campaign data — campaigns you create or join, scenes set up by the Game Master, party composition, and the world content (locations, NPCs, encounters) that belongs to a campaign;

  • gameplay activity — chat messages exchanged in campaign chat and Out-of-Character (OOC) chat, dice rolls made during play, and other actions you take within a campaign;

  • link to your account — all of the above is internally linked to your Dungeon Realms account so we can show your characters, party members, and campaign history when you next sign in.

 

Some of this content is visible to other players and Game Masters in the same campaign by design. Your username, profile photo, character name, and chat messages can be seen by everyone sitting at the same virtual table. Anything you write in campaign chat or Out-of-Character (OOC) chat should be treated the same way you would treat speaking at a public game table: once said, it has been heard by the party, and we cannot unsend it.

 

If a Game Master chooses to list a campaign publicly so anyone can join, the campaign title, description, and the Game Master's username become visible to all users browsing the public list. Your character only becomes visible to others once you join.

If your Game Master invites you to coordinate on Discord, anything you share there is governed by Discord's own rules and is outside our control.

We process this data to provide the service to you. Without storing your characters, campaigns, and the chat between you and your party, there is no Dungeon Realms.

C. In-app purchases (Firegems and premium content)

Dungeon Realms is free to play, but you can buy Firegems (our in-game currency) and unlock premium content such as adventures, character assets, or backgrounds. All payments are handled by Apple App Store or Google Play, depending on the device you use. We never see your card or bank details and we do not store them. The payment providers process your payment data under their own privacy policies:

 

On our side we keep only what we need to manage your purchases and meet our accounting obligations:

  • purchase and transaction data — transaction ID, date, amount, status, type of purchase, and your purchase history;

  • Firegems balance — how many Firegems you currently hold and how you have spent them in the app;

  • accounting documents — receipts from Apple and Google that we are required to archive under Czech accounting and tax law.

 

We do not store your name, billing address, or payment card details.

 

We process purchase and transaction data to deliver what you have bought. We keep accounting documents because we are required to do so by Czech accounting and tax law (in particular Act No. 563/1991 Coll. on Accounting and Act No. 235/2004 Coll. on Value Added Tax).

D. Communication with users

We may contact you about Dungeon Realms in a few different ways. The channel and the reason depend on what we are writing about.

 

Service-related messages. When we need to reach you about your account, your purchases, a security issue, an outage, or a change to our terms, we send the message by email or as a push notification to your device. These are not marketing. They are part of running the service.

 

Updates and news for Dungeon Realms players. As an existing player, you may receive emails from us about new features, content releases, and improvements to the game. You can unsubscribe at any time using the link in the footer of any such email. We send these under the statutory exemption for existing customers in §7(3) of Act No. 480/2004 Coll. on certain information society services. If you are not a registered player but subscribed to our website newsletter instead, see section F below.

 

Push notifications. Beyond service messages, we may send push notifications about gameplay events (for example, "your party is waiting for you to take a turn") or about news in the app. You can turn push notifications off at any time in your device settings or in the app settings. We send these under our legitimate interest in keeping you informed about activity that concerns your characters and campaigns.

 

Customer support. If you contact us by email, through the app, on our website, or via our Discord community, we process the content of your message and your email address (or Discord handle) so we can answer you. We do this under our legitimate interest in providing support to our players.

 

Unsubscribing from marketing emails or turning off push notifications does not affect our ability to send you essential service messages.

E. Reporting inappropriate content

Dungeon Realms is built on the trust between players at the same table. If you come across content in the app that breaks our rules — for example chat messages that are harassing, hateful, sexually explicit, or otherwise in breach of our End User License Agreement — you can report it to us so we can investigate.

 

When you submit a report, we process:

  • the reported content — what was reported (a message, a character, a campaign, a username) and the location where it appeared;

  • your message — anything you add to explain the report;

  • link to your account — the report is tied to your account so we can follow up with you about the outcome and so we can deter abusive reporting.

 

We use this information to review the report, decide what action to take, and where needed enforce the EULA. Depending on the case, we may warn the user, edit or remove the content, suspend the account, or take no action.

We process this data under our legitimate interest in keeping Dungeon Realms a safe and functional place for the community.

F. Website newsletter

On our website at fireballrpg.com you can sign up to receive email announcements about Dungeon Realms — new features, upcoming releases, and other news from the studio. When you subscribe, we process:

  • email address — so we can send you the newsletter;

  • subscription metadata — the date you signed up, the page you signed up from, and your subscription status (active / unsubscribed).

 

You can unsubscribe at any time using the link in the footer of every newsletter email. Once you unsubscribe, we stop sending you the newsletter, and your email is removed from the active list.

 

We process this data on the basis of your consent, which you give by submitting the signup form. You can withdraw your consent at any time as described above.

 

This newsletter is separate from any messages we send to you as a registered player of the Dungeon Realms app. If you sign up to the website newsletter without having a Dungeon Realms account, you only receive the newsletter and nothing else.

Our role under the Digital Services Act

Dungeon Realms is a hosting service under Regulation (EU) 2022/2065 (the Digital Services Act, "DSA").

 

Point of contact (Articles 11 & 12). Reach us at privacy@fireballrpg.com in any official EU language; we respond in English or Czech.

 

Reporting illegal content (Article 16). The Reporting inappropriate content flow above is our notice-and-action mechanism. We acknowledge receipt without undue delay, review reports diligently and objectively, and notify you of our decision and the redress options available.

Statement of reasons (Article 17). If we restrict your content or account (removing a message, hiding a character, suspending an account, demoting a public campaign), we send you a statement of reasons covering: what was restricted, the facts behind it, whether automated means were used, the legal or contractual basis, and how to seek redress. We also submit statements of reasons to the European Commission's DSA Transparency Database as required.

Complaints. If you disagree with a decision — including a decision not to act on a report — email us within six months. We handle complaints internally; we do not operate an out-of-court dispute body under Article 21, but you retain the right to judicial review.

Misuse. After a prior warning, we may suspend reporting from users who repeatedly submit manifestly unfounded notices, and accounts of users who repeatedly post manifestly illegal content.

Technical operation and security

When you use Dungeon Realms or visit our website, we automatically process technical data needed to run the platform, keep it secure, diagnose problems, and understand how the game is used so we can improve it.

 

Operational and security data:

  • access logs — IP address, time of request, requested URL, and HTTP status code;

  • device information — type of device, operating system, app version, and browser type;

  • crash and error reports — collected through Firebase Crashlytics; include the type of error, the part of the app where it occurred, device and OS information, and a Firebase-generated identifier linked to your account. We use this data to find and fix bugs and to keep the app stable.

  • audit logs — records of security-relevant actions such as signing in, signing out, deleting your account, or making a purchase.

 

Product analytics (Firebase Analytics):

We use Firebase Analytics inside the Dungeon Realms mobile app to understand how players use the game and to guide what we build next. The events we record describe actions taken in the app, not the content of what you write. Specifically:

  • gameplay events — for example, when a character is created, levelled up, or deleted; when a campaign is created, renamed, or closed; when players join, leave, or apply to a campaign; when in-app purchases are made or promo codes are used;

  • screen views — which screens of the app you visit (for example, the campaign list, the character builder, the store);

  • a Firebase-generated user identifier linked to your account so we can distinguish one player's session from another's.

The events carry context parameters — for example, the race and class of a created character, the type of a campaign, or the amount of in-app currency spent on a purchase. They do not include the content of your chat messages, the text of your character's biography, or any free-text you write in the app.

We do not use the iOS Advertising Identifier (IDFA) or the Google Advertising ID in Dungeon Realms, and we do not use this data for advertising, profiling with legal effects, or cross-context behavioural advertising.

On our website, third-party analytics and advertising trackers (including Google Analytics and the Meta Pixel) are loaded only after you give consent through our cookie banner, in line with §89 of Act No. 127/2005 Coll. on electronic communications. Details are covered separately in our Cookie Policy, where you can also withdraw your consent at any time.

We process all of the above under our legitimate interest in running Dungeon Realms securely and reliably and in improving the game based on how it is actually used. You can object to this processing at any time by contacting privacy@fireballrpg.com; if you object to product analytics specifically, we will stop including your account in those events.

Recipients of personal data

To run Dungeon Realms and our website, we use the third-party providers listed below. We have data-processing agreements in place with each of them. We do not sell your data and we do not pass it to anyone for their own purposes.

Google LLC / Google Ireland Ltd. (USA, Ireland)

  • Services: Google Sign-In (authentication), Firebase (backend infrastructure, Firebase Analytics for product analytics, Firebase Crashlytics for crash and error reporting), Google Play (app distribution and payments), Google Analytics (website analytics)

  • Link: Privacy Policy

Apple Inc. (USA, Ireland)

  • Services: Apple Sign-In (authentication), Apple App Store (app distribution and payments)

  • Link: Privacy Policy

Meta Platforms, Inc. / Meta Platforms Ireland Ltd. (USA, Ireland)

  • Services: Facebook Page operation, Meta Pixel (advertising measurement on our website). The Meta Pixel is loaded only after you give consent through our cookie banner; for the data collected through the Pixel, Fireball and Meta act as joint controllers for the collection phase, as clarified by the Court of Justice of the EU in Fashion ID (C-40/17). You can manage or withdraw your consent at any time via our Cookie Policy.

  • Link: Privacy Policy

Wix.com Ltd. (Israel, with EU and US infrastructure)

  • Services: Website hosting and runtime for fireballrpg.com; Wix Contacts (storage of contact records and newsletter subscribers); Wix Inbox (storage of any messages exchanged through the website's contact widget); Wix Email Marketing (storage and sending of email announcements to newsletter subscribers)

  • Link: Privacy Policy

Discord, Inc. (USA)

  • Services: Community platform used by some Game Masters to coordinate with their party. Discord acts as a separate data controller for any data you share there. Use of Discord is voluntary and not required to play Dungeon Realms.

  • Link: Privacy Policy

Kickstarter, PBC (USA)

  • Services: Backer email list and messaging system used to deliver promo codes and updates to people who supported our 2020 Kickstarter campaign. We use Kickstarter only for communicating with our existing backers; we do not add new people to it.

  • Link: Privacy Policy

If a legal obligation or a binding decision of a public authority requires it, recipients may also include those authorities.

Transfers outside the EU/EEA

Some of the providers we use are based in the United States or operate global infrastructure that may store your data outside the European Union. These transfers happen in compliance with GDPR, on the following legal grounds:

  • EU-US Data Privacy Framework — applies to transfers to Google and Meta, both of which are certified under this adequacy decision issued by the European Commission. You can verify their current certification status on the official Data Privacy Framework List.

  • Standard Contractual Clauses (SCCs) — applies to transfers to Apple, Wix, Discord, and Kickstarter, and to any transfer not otherwise covered by an adequacy decision. SCCs are the model contracts approved by the European Commission for international data transfers.

Alongside the legal basis, we apply reasonable technical and organisational measures (in particular encryption in transit and access controls) to protect your data during any such transfer.

How long we keep your data

We keep your personal data only for as long as we need it for the purpose for which we collected it, to meet your needs, or to comply with our legal obligations.

 

Retention periods:

  • Account and gameplay content (covering sections A and B above — email, username, profile photo, characters, campaigns, chat messages, dice rolls, and other gameplay activity) — for as long as your account exists. After you delete your account, we erase your personal data within 30 days.

  • In-app purchases (section C) — purchase and transaction data for as long as your account exists. Accounting documents are kept separately for 10 years from the end of the accounting period in which the transaction took place, as required by Act No. 563/1991 Coll. on Accounting and Act No. 235/2004 Coll. on Value Added Tax.

  • Communication with users (section D) — push notification settings for as long as your account exists; customer support correspondence for the duration of the conversation and up to 12 months from the last message.

  • Reports of inappropriate content (section E) — 90 days from submission, longer if the report leads to enforcement action that we need to document.

  • Website newsletter (section F) — until you unsubscribe, after which your email is removed from the active list without undue delay.

  • Technical and operational logs (section 3) — 90 days from creation, except where a longer period is needed to investigate a specific security incident.

  • Kickstarter backer email list — until all 2020 Kickstarter reward tiers are fulfilled, and in any case no later than 31 December 2027. After that date the list is closed and contacts erased.

 

We may exceptionally keep data longer where required by law, by a binding decision of a public authority, or where it is necessary to defend ourselves in a legal dispute. Once that reason falls away, we erase the data without undue delay.

Your rights

We want you to stay in command of your own story. Under GDPR you have the following rights:

  • Access — you can ask what data we hold about you and get a copy.

  • Rectification — you can ask us to correct inaccurate data or complete incomplete data. You can also edit most of your account data directly in the app.

  • Erasure — you can ask us to delete your data when there is no longer a reason to keep it. We cannot erase data we need to keep for legal obligations (such as accounting records) or to defend legal claims.

  • Restriction — you can ask us to temporarily stop using your data, for example while we verify its accuracy.

  • Portability — you can ask for an export of the data you gave us, in a machine-readable format.

  • Objection — you can object to processing we base on legitimate interest. When you object, we re-assess that processing.

  • Withdraw consent — where we process your data on the basis of consent (for example, the website newsletter), you can withdraw consent at any time, with no effect on the lawfulness of processing before withdrawal.

  • Not to be subject to automated decision-making — we do not use automated decision-making or profiling that would have legal effects on you or similarly significantly affect you.

 

To exercise any of these rights, send your request from the email address the data relates to, to privacy@fireballrpg.com. We will reply without undue delay and at the latest within 30 days; for more complex requests we may extend that period by up to two months and will tell you if we do. Exercising your rights is free of charge — only for manifestly unfounded or excessive requests may we charge a reasonable fee or refuse the request.

 

If you believe we are processing your data in breach of the law, you have the right to lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, Pplk. Sochora 27, 170 00 Praha 7, +420 234 514 111, posta@uoou.czwww.uoou.cz). You can also lodge a complaint with the supervisory authority in another EU member state — the list is on the European Data Protection Board website. We would, however, appreciate the chance to address your concerns first.

California residents (CCPA / CPRA)

If you are a resident of California, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (together "CCPA/CPRA") gives you specific rights regarding your personal information. This section explains those rights and how to exercise them.

Categories of personal information we collect

In the past 12 months, we have collected the following categories of personal information about California residents, as defined by CCPA/CPRA:

  • Identifiers — email address, username, account identifier, IP address, device identifiers

  • Commercial information — purchase history of Firegems and premium content

  • Internet or other electronic network activity — usage data, gameplay activity, crash and diagnostic data

  • Geolocation data — approximate location derived from IP address only (we do not collect precise GPS location)

  • Audio, electronic, visual, or similar information — profile photo, if you upload one

  • Inferences — limited inferences drawn from your usage data for product analytics

 

We collect this information for the purposes described elsewhere in this Policy: to provide the service, manage your account, process purchases, communicate with you, secure the platform, and comply with our legal obligations.

Sensitive personal information

We do not collect "sensitive personal information" as defined by CPRA (such as social security numbers, precise geolocation, racial or ethnic origin, religious beliefs, health information, sexual orientation, or genetic data).

 

Sale and sharing of personal information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA. We do not exchange your data with third parties for money or other valuable consideration.

The third parties we use (listed in the Recipients of personal data section above) act as service providers under CCPA/CPRA and are contractually restricted from using your data for their own purposes beyond providing services to us.

Your rights under CCPA/CPRA

As a California resident, you have the right to:

  • Know — request the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we have shared it;

  • Delete — request that we delete personal information we have collected from you, subject to certain exceptions (for example, where we need the data to complete a transaction or comply with a legal obligation);

  • Correct — request that we correct inaccurate personal information we hold about you;

  • Opt out of sale or sharing — although we do not sell or share your personal information, you have a standing right to opt out;

  • Limit use of sensitive personal information — although we do not collect sensitive personal information as defined by CPRA, you have a standing right to limit such use;

  • Non-discrimination — we will not discriminate against you for exercising any of your CCPA/CPRA rights, for example by denying service, charging different prices, or providing a different level of quality.

 

How to exercise your rights

To exercise any of your CCPA/CPRA rights, send your request to privacy@fireballrpg.com from the email address associated with your account. We may need to verify your identity before responding; this usually involves confirming details we already hold about you.

You may also designate an authorized agent to make a request on your behalf. We will require proof of the agent's authorization and may still ask you to verify your identity directly.

We will respond to verifiable requests within 45 days. If we need more time, we may extend that period by an additional 45 days and will tell you why.

 

"Shine the Light" (California Civil Code §1798.83)

California residents may also request information about disclosures of personal information to third parties for the third parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes, so we have nothing to report under this provision.

 

Do Not Track signals

Our website does not respond to "Do Not Track" browser signals at this time, because there is no industry-wide standard for how to do so. You can control cookies and tracking through our Cookie Policy and your browser settings.

Final provisions

We may update this Policy from time to time, particularly when the law, the way Dungeon Realms works, or our processing practices change. We will publish material changes here in advance, with a new "Current as of" date at the top. If a change is required by law or by a decision of a public authority, the new Policy may take effect immediately.

Dungeon Realms is intended for users aged 16 or over if you live in the EEA, UK, or Switzerland, and 13 or over if you live anywhere else. We do not allow younger users, even with the consent of a parent or legal guardian. If we discover that an account has been created by someone younger, we will close the account and erase the related data. Parents or legal guardians who believe their child has signed up below the minimum age can contact us at privacy@fireballrpg.com.

If any provision of this Policy turns out to be invalid or ineffective, the remaining provisions stay in force. This Policy is governed by the laws of the Czech Republic.

If you have any questions about how we handle your personal data, send a raven to privacy@fireballrpg.com. We will get back to you as soon as we can.

May your saving throws be ever in your favor. 🎲

bottom of page