Last updated: May 14, 2026

1. Introduction

Surrealdente ("we," "us," or "our") is committed to protecting the privacy of users of RPGLMS, our gamified learning management system. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile applications, web application, and related services (collectively, the "Service").

By using RPGLMS, you consent to the data practices described in this policy. If you do not agree with our policies, please do not use our Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name or display name
  • Email address
  • Profile picture (optional)
  • Authentication credentials (stored securely via third-party providers)
  • Account type (student, teacher, administrator)

2.2 Educational Data

To provide our educational services, we collect:

  • Campaign and course content you create
  • Quiz responses and assessment results
  • Progress tracking data (Shards/XP, Renown, Gemhearts, completion rates)
  • Party and House membership information
  • AI prompts you submit and the AI-generated content returned to you
  • Media files you upload to investigations or reports (images and documents selected through the in-app file picker)

2.3 Diagnostic Data

We automatically collect limited diagnostic information for service operation:

  • Error and exception logs (timestamp, error message, stack trace, basic device/OS context) sent to Google Cloud Logging
  • Server request metadata (timestamp, endpoint, response status) used for operational monitoring
  • IP address — used for request routing, abuse prevention, and the country/region level only; not used for behavioral profiling

We do not collect product-usage analytics (feature adoption, session length, page views, funnels) and we do not operate behavioral telemetry, advertising identifiers, or cross-site tracking. There is no Firebase Analytics, Crashlytics, Sentry, PostHog, Mixpanel, or Amplitude SDK in the app.

2.4 Payment Information

We do not directly store payment card information. Subscription payments are processed by:

  • Apple App Store — for iOS in-app purchases
  • Google Play Store — for Android in-app purchases
  • Stripe — for web-based subscription payments
  • RevenueCat — for cross-platform subscription management across Apple, Google, and Stripe

These providers handle payment processing according to their own privacy policies. We receive only subscription status and transaction identifiers — we never see your full card number or banking credentials.

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Process your account registration and manage subscriptions
  • Enable educational features (campaigns, quizzes, progress tracking)
  • Facilitate classroom collaboration and party management
  • Generate AI-powered content based on your prompts
  • Send important service notifications and updates
  • Provide customer support
  • Analyze usage to improve our Service
  • Ensure security and prevent fraud
  • Comply with legal obligations

4. Third-Party Services

We share information with the following third-party service providers:

4.1 Authentication Providers

  • Google Sign-In: For account authentication
  • Apple Sign-In: For account authentication on iOS

4.2 Payment and Subscription

  • Apple App Store: iOS in-app purchase processing
  • Google Play Store: Android in-app purchase processing
  • Stripe: Web-based subscription payments
  • RevenueCat: Cross-platform subscription management and analytics

4.3 AI Services

Our AI-powered content features (Generate, Revise & Refine, Curricular Guidance) are powered by Google Cloud Vertex AI. When you use the AI Wizard, your prompts — including any campaign content, investigation text, or report excerpts you provide as context — are sent to Vertex AI for processing and returned as generated text. We do not pass account-identifying information (name, email) to Vertex AI beyond what may incidentally appear in user-authored prompt content. Generated outputs are stored within your account and are not used by Google to train foundation models, in accordance with the Vertex AI generative-AI data governance terms.

4.4 Infrastructure and Hosting

  • Google Cloud Platform: Application hosting, database storage, and file storage. Data is encrypted at rest and in transit.
  • Google Cloud Logging: Receives error and exception logs from the app and server for debugging and operational monitoring. No product-usage analytics, no behavioral advertising, no cross-site tracking pipelines.

5. Children's Privacy (COPPA Compliance)

RPGLMS is designed for educational use and may be used by children under 13 in supervised classroom settings. We take children's privacy seriously:

5.1 Educational Context

  • Students under 13 may only use RPGLMS under the supervision of a teacher, parent, or guardian who creates and manages their account.
  • Teachers and school administrators act as the authorized agent for obtaining parental consent in educational settings, in accordance with COPPA's school consent exception.
  • We collect only information necessary to provide the educational service.

5.2 Parental Rights

Parents and guardians have the right to:

  • Review their child's personal information
  • Request deletion of their child's data
  • Refuse further collection of their child's information
  • Contact us at support@rpglms.com regarding their child's account

5.3 Data Minimization for Children

For student accounts, we collect minimal personal information necessary for the educational service. We do not serve targeted advertising to any users, including children.

6. Data Retention and Deletion

  • Active Accounts: We retain your data while your account is active and as needed to provide services.
  • Cancelled Subscriptions: After cancellation, we retain data for 90 days to allow account reactivation, then delete non-essential data.
  • Deleted Accounts: Account deletion is initiated from inside the app and takes effect immediately upon confirmation — your sign-in credentials are unlinked, your player profile is anonymized to "Deleted User," and you are signed out. Residual personal data in operational systems and backups is purged within 30 days, except where retention is required by law. See How to delete your account for the in-app steps and a full description of what is deleted vs. anonymized vs. retained.
  • Educational Records: Aggregate, anonymized educational data may be retained for research and improvement purposes.

7. Data Security

We implement industry-standard security measures including:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of sensitive data at rest
  • Secure authentication through established providers
  • Regular security assessments and updates
  • Access controls and authentication for our systems
  • Employee training on data protection

While we strive to protect your information, no method of transmission or storage is 100% secure. Please use strong passwords and protect your account credentials.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your personal information (subject to legal retention requirements). The fastest way to delete your account is the in-app flow described on our Account Deletion page.
  • Data Portability: Request your data in a portable format.
  • Withdraw Consent: Withdraw consent for optional data processing activities.
  • Object: Object to certain types of data processing.

To exercise these rights, contact us at support@rpglms.com. We will respond to requests within 30 days.

9. Cookies and Tracking

Our web application uses cookies and similar technologies only for essential functionality:

  • Essential Cookies: Required for authentication, session management, and basic site operation.

We do not use analytics cookies, advertising cookies, or behavioral-tracking cookies. There are no third-party tracking pixels or cross-site tracking pipelines on our marketing site or web application. You can manage cookie preferences through your browser settings.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers in compliance with applicable data protection laws.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Updating the "Last Updated" date at the top of this page
  • Sending email notification for significant changes

Your continued use of the Service after changes indicates acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

  • Email: support@rpglms.com
  • Company: Surrealdente

For privacy-specific inquiries, please include "Privacy" in your email subject line.

Gamemaster Gus takes your privacy seriously on every quest!