Privacy Policy

Swordsfall Studios LLC (“Swordsfall,” “we,” “us”) operates swordsfall.com as the commercial home of the Swordsfall universe. This Privacy Policy explains what information we collect when you visit the site, make a purchase, create an account, or link a Patreon pledge — and how we use and protect that information.

If you have questions about this policy or want to exercise any of the rights listed below, contact us at swordsfall.com/support or email support@swordsfall.com.

Information We Collect

Information you give us directly

• Account information. When you register, we store your email address, a password hash (never the plaintext password), your display name, and the date you created the account.
• Order information. When you check out, we collect your email, shipping address (for physical merchandise), and the list of items purchased. Payment card details are handled directly by Stripe and are never seen or stored by our servers.
• Support requests. When you contact support through /support/ or by emailing us, we store your message and the conversation history so we can help you and keep a record.
• Newsletter subscriptions. If you subscribe to the newsletter, we store your email address and your subscription preferences.
• Patreon link (optional). If you choose to link a Patreon pledge to your Swordsfall account, we store your Patreon user ID, your current tier, and an encrypted copy of the OAuth refresh token Patreon issues us. We use this only to verify your pledge tier and deliver patron perks. You can unlink at any time from your dashboard.

Information collected automatically

• Pageview logs. When you visit a page, we record the URL, the referring page, your user agent (browser and OS), a country-level location from your IP, and a SHA-256 hash of your IP (never the raw address). These logs power our internal analytics and let us see which content is working.
• UTM attribution. If you arrive with UTM parameters in the URL (utm_source, utm_medium, utm_campaign), we store them in a 30-minute cookie so we can credit the source if you complete a purchase.
• Cart state. If you add something to your cart before signing in, we create a random cart session ID in a cookie so we can restore your cart on your next visit. The current default cart retention window is 30 days after last touch.

Cookies We Set

The new Swordsfall site sets a small number of first-party cookies. We do not use third-party advertising cookies, Google Ads, Facebook Pixel, or any tracking networks. The cookies we do set:

• _iv — a random visitor ID used for first-party analytics. Expires after one year. Marked HttpOnly.
• _iv_utm — a 30-minute cookie storing the UTM source/medium/campaign you arrived with so the purchase can be attributed.
• _iv_admin — set only for site admins, to exclude admin browsing from analytics. One year.
• _cart — your cart session ID if you add an item before signing in. The current default is 30 days.
• _patreon_state — short-lived (10 minutes) security token used during Patreon OAuth linking.
• Session cookie (issued by our authentication system) — keeps you signed in after login. Expires when you sign out or after the session timeout.

Cookies are set with HttpOnly, Secure (in production), and SameSite flags where appropriate. You can clear them at any time through your browser.

How We Use Your Information

• To fulfill orders. Digital downloads are delivered via signed, short-lived URLs. Physical merchandise (shirts, posters, etc.) is fulfilled through Printful, which we pass your shipping address to so they can print and ship the item.
• To process payments. All card transactions are handled by Stripe. We receive confirmation of a successful charge and the payment intent ID, but we never see your full card number.
• To send transactional email. Order confirmations, download links, shipping notifications, and support replies. We use our own SMTP server (hosted by Hostinger Business Email) — we do not use Mailchimp, ConvertKit, or any other third-party marketing platform.
• To operate the site. Pageview logs help us understand which content is working and diagnose issues. We never sell this data and we never share it with third parties.
• To comply with the law. We will respond to valid legal process and requests from authorities when required.

Third Parties We Rely On

The site integrates with the following third parties, each with their own privacy policy:

• Stripe — payment processing. See stripe.com/privacy.
• Printful — print-on-demand fulfillment. See printful.com/policies/privacy.
• Patreon — optional OAuth linking for patron perks. See privacy.patreon.com.
• Hostinger — web hosting, database, and SMTP/IMAP email. See hostinger.com/privacy-policy.

Data Retention

• Order records are kept indefinitely, as required for tax, accounting, and customer support purposes.
• Support ticket history is kept for at least two years after the last message.
• Anonymous carts (no signed-in user) use the cart retention window set in the site admin panel. The current default is 30 days after last touch.
• Download tokens use the token lifetime set in the site admin panel. The current default is 15 minutes; the audit record is kept 30 days.
• Pageview logs are kept for 12 months for trend analysis, then summarized and the raw rows are deleted.

Your Rights

If you are a resident of the European Economic Area (EEA), the United Kingdom, California, or any other jurisdiction with data protection laws, you have the following rights with respect to your personal information:

• The right to access a copy of the data we hold about you.
• The right to correct inaccurate or incomplete data.
• The right to have your data deleted (subject to our legal obligation to retain order records).
• The right to restrict or object to the processing of your data.
• The right to data portability.
• The right to withdraw consent for any processing we do based on consent.

To exercise any of these rights, email support@swordsfall.com. We will respond within 30 days.

Security

We take reasonable and industry-standard measures to protect your information. Passwords are hashed using a modern KDF. OAuth refresh tokens (Patreon) are encrypted at rest with AES-256-GCM. All traffic to the site is served over HTTPS. Payment information is handled exclusively by Stripe and never touches our servers. No system is perfectly secure, but we work to keep yours safe.

Children's Information

Swordsfall does not knowingly collect personal information from children under the age of 13. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time as the site evolves. Material changes will be announced on the site and the “last updated” date at the top of this page will be revised.

Contact

Questions, concerns, or data requests: support@swordsfall.com or through the support page.