Privacy Policy


Effective date: March 29, 2026

1. Scope and Responsible Party

This privacy policy applies to the Worldbuilding-Wiki app. The legal basis for data protection is found in the European General Data Protection Regulation (GDPR), supplemented by the German Federal Data Protection Act (BDSG), the Digital Services Act (DDG), and, where applicable, the Telecommunications Digital Services Data Protection Act (TDDDG).

Responsible party under the GDPR:

Dominik Fuhrmann
Brunnenstrasse 18
72116 Moessingen
Germany
Email: [email protected]

All information provided on the website www.Worldbuilding-Wiki.com is for informational and non-commercial purposes.

2. Access Data and Third-Party Services (Hosting & Security)

When you use the app, data is automatically processed by our technical service providers to ensure secure and stable operation. This is done based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR.

Recipients of this data include:

  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (server infrastructure, server location in Germany, data processing according to Art. 28 GDPR)
  • Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA (DNS, security services, caching, reverse proxy; possible transfer of data to the USA)

Hetzner processes data on our behalf to provide server infrastructure in Germany. Cloudflare processes data as an upstream security and performance service. With Cloudflare, data transfers to the USA cannot be excluded. Where required, such transfers take place on the basis of appropriate safeguards under Art. 44 et seq. GDPR (in particular EU Standard Contractual Clauses and, where applicable, certifications under the EU-U.S. Data Privacy Framework).

Access data collected may include:

  • IP address of the accessing device
  • Date and time of the request
  • Called API endpoint (URL)
  • HTTP status code
  • Amount of transmitted data
  • User agent (if provided by the client)

3. Collection and Processing of Your Data by Us

We collect and process personal data in order to provide the app functionalities.

3.1. User Account and Identification (Art. 6 para. 1 lit. b GDPR)

For creating and managing your user account, we process:

  • User ID: Internal identifier assigned to your account
  • Username: Identification inside the app and communication with other users (visible to logged-in users)
  • Email address: Login, account-related communication and security notifications (not visible to other users)
  • Password: Stored only in encrypted (hashed) form. We use advanced security methods so passwords are not stored in plain text in case of a data breach
  • Profile picture: Optional visual representation while using the app (visible to logged-in users)
  • Preferred language: App display and email communication in the selected language

3.2. Authentication and Account Management

To ensure account security, we process:

  • Authentication tokens: Time-limited session tokens for login
  • Password reset token: One-time, time-limited token (24-hour validity) for password recovery
  • Email verification token: Temporary storage for email changes (24-hour validity)
  • Username change token: Temporary storage for username changes (24-hour validity)
  • Two-factor authentication (2FA): Optional additional security. When enabled, you receive a verification code by email for each login that must be entered. This protects your account even if your password is compromised
  • Session IDs: Cookie-based session management. Session IDs become invalid 4 hours after last activity
  • Logged-in devices: We store session IDs of logged-in devices in order to log out all devices after a password change

3.3. Device-Related Data

We collect and store device-related data such as device ID, device name and device type to enable service use on different devices and to ensure account security. This data is used solely for account management, login and abuse prevention. It is not shared with third parties.

We do not use cookies for device tracking. Processing is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, as it is required for secure and convenient service usage.

3.4. Content Data (Content Created by You)

All content data is processed on your behalf according to Art. 6 para. 1 lit. b GDPR and assigned to your user ID:

  • Worlds: title, description and optional images
  • Articles: title, content, categories, metadata
  • Maps: map data, markers and geographic information
  • Timelines: timeline entries, events and time details
  • Books/documents: PDF-exported content and document information
  • Chats: messages and conversation content
  • Media: uploaded images and files

3.5. Support and Feedback

  • Contact form: You can submit questions, bug reports or support requests via our contact form. You provide a subject, a description of your request and optionally your email address. This data is used to process your request.
  • Feedback form: Our feedback form enables anonymous feedback without collecting personal data. Your feedback is evaluated without being linked to your identity.

3.6. User Behavior and Content Review

  • Creation of elements: We store which user created which worlds and elements. This information may be used for public user statistics.
  • Last editing: We store which user last edited an element and when, to make changes traceable.
  • Content review: To ensure compliance with legal requirements and to prevent copyright infringements or inappropriate content, we reserve the right to review user-generated content at any time, especially in case of reported violations. Affected content is reviewed by administrators.

4. Cookies and Local Storage

Our web app uses technically required browser storage mechanisms (e.g., localStorage, sessionStorage) and PHP session cookies to manage sessions. Session cookies become invalid 4 hours after the last interaction. No marketing or tracking cookies are used. Processing is based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR.

5. Automated Decision-Making and Profiling

We do not use your data for automated decision-making or profiling.

6. Data Security

We implement technical and organizational security measures to protect your data. Communication with our services is protected via SSL/TLS encryption. Passwords are hashed according to current standards.

7. Sharing Data with Third Parties

Personal data is not shared, except with the technical service providers listed in section 2. Data is only shared when:

  • explicit consent has been granted (Art. 6 para. 1 lit. a GDPR),
  • it is required for contract performance (Art. 6 para. 1 lit. b GDPR),
  • a legal obligation exists (Art. 6 para. 1 lit. c GDPR).

Personal data is not sold.

8. Email Communication

When you contact us by email, your data is stored for handling your request. Security-related notifications are sent on the basis of Art. 6 para. 1 lit. b GDPR.

9. Your Rights as a User

You have the right at any time to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)

You also have the right to lodge a complaint with a competent supervisory authority.
To exercise your rights, please contact us at: [email protected]. Deletion of account-related data is generally possible using the "Delete account" function in the app settings.

10. Data Retention Period

We store personal data only as long as necessary for each purpose, or as required by legal retention obligations. The following periods apply to key data categories:

  • User account (email, username, password hash, profile picture, language): Until account deletion
  • Registration data for incomplete registration: Deletion after 24 hours
  • Password reset tokens, email change tokens, username change tokens: Deletion after successful completion or after 24 hours if not completed
  • Session IDs / authentication cookies: Expire after 4 hours of inactivity
  • Content created by you (worlds, articles, maps, timelines, documents, chats, media): Until deleted by you or until account deletion
  • Contact requests by email: Until final completion, generally no later than 12 months, unless legal retention obligations apply
  • Access data at technical service providers (Hetzner, Cloudflare): Retained according to operational requirements; then deleted or anonymized

11. Account Deletion and Inactivity Rules

You can delete your account at any time yourself. Account deletion can occur in the following cases:

11.1 Manual Deletion by You

You can permanently delete your account in the app settings under "Delete account". After confirmation, your account and all associated data are deleted immediately.

11.2 Automatic Deletion Due to Inactivity

  • Marked as inactive: If your last login was 365 days (12 months) ago, your account is marked inactive and you are informed.
  • "To be deleted" date: The account remains accessible, but a "to be deleted" date is set to 1,095 days (3 years) after the last login.
  • Automatic deletion: If the account is not used again after 18 months of inactivity (and the "to be deleted" date is reached), it is deleted automatically.
  • Activity restoration: If you log in again or use the account, inactivity is reset and the "to be deleted" date is removed.

11.3 Deletion for Legal Reasons

We may delete your account if required by applicable law or by regulatory orders.

11.4 Deleted Data

Upon account deletion, all your data is generally removed, including:

  • Account information (username, email address, hashed password)
  • All created worlds and articles
  • All maps, timelines and related data
  • All books, documents and export data
  • All chat messages and communication data
  • All uploaded media and files
  • All remaining data linked to your account

12. Protection of Minors

Our service is generally intended for adults. Personal data of minors is not knowingly processed.

13. Changes to This Privacy Policy

We reserve the right to update this privacy policy at any time. The currently valid version applies.

14. External Links

Our website may include links to other websites not operated by us. If you click an external link, you are redirected to the respective third-party site. We have no control over content and practices of these websites and therefore accept no responsibility or liability for their privacy policies. We recommend reading the privacy policies of every website you visit, especially when entering personal data.