Privacy Policy

Effective: May 16, 2026 Â· Last updated: May 16, 2026

This policy explains how Dogma Studios LLC collects, uses, stores, and protects information when you visit dogma.game, sign up for our mailing list, or play the demo at play.dogma.game.

Short version. We collect the minimum we need to run a marketing site and a playable demo: anonymous web analytics, the email addresses people give us, and the game-account information players create. We don't sell anything to anyone. We don't track you across other websites. We use industry-standard AWS and Cloudflare infrastructure to host the service.

1. Who we are

Dogma is a browser-native MMORPG built by Dogma Studios LLC, a Delaware limited liability company. In this policy, "we", "us", and "Dogma Studios" refer to that entity. You can reach us at austin@dogma.game for any privacy question, request, or concern.

2. The information we collect

2.1 Marketing site (dogma.game)

When you visit the marketing site, our hosting and content-delivery partners (GitHub Pages, Fastly, Cloudflare) record technical request data â€” IP address, browser type, timestamp, requested URL, referrer â€” as part of normal HTTP server operation. We do not run third-party advertising trackers or social media pixels on this site.

2.2 Mailing list signup

If you give us your email address through the signup form, we store the address, a timestamp, the acquisition source (e.g. website), and a Cloudflare Turnstile verification token used at submission time. We do not store your IP address with the row, and we never log the address itself in our application logs â€” only a one-way hashed prefix for support correlation.

2.3 Game demo (play.dogma.game)

Playing the demo requires creating an account. We collect:

The email and password you provide (the password is stored as a salted Argon2id hash; the plaintext is never stored or logged).
The character data you create â€” name, faction, race, class, and in-game progress (positions, inventory, etc.).
Session data needed to keep you logged in: short-lived access tokens, refresh tokens (hashed at rest), and rate-limit counters.
Server-side gameplay events emitted by your client to the authoritative game server, used for simulation and anti-cheat.

2.4 What we don't collect

We don't ask for, store, or process payment information. There are no paid features yet.
We don't run advertising or third-party tracking pixels.
We don't collect biometrics, location data, contact lists, or any data from outside the services you use directly.
We don't store voice or video â€” the demo doesn't have voice chat.

3. How we use information

To run the services. Authentication, character persistence, sending you transactional email (verification, password reset, security notifications).
To prevent abuse. Rate limiting, account-lockout on repeated failed logins, Cloudflare Turnstile checks against bot signups, anti-cheat in the game.
To improve the product. Aggregated, anonymized metrics about how the demo performs (frame rates, error rates) so we know what to optimise.
To contact you about the build. If you signed up for the mailing list, we may email you milestone announcements, beta invites, and significant product news. You can unsubscribe from any of those emails at any time.

4. How we share information

We don't sell your personal information. We share information only in these cases:

Infrastructure vendors. Our hosting partners (AWS, Cloudflare, GitHub Pages / Fastly) process information on our behalf â€” they can see what they need to deliver the service, nothing more. They are bound by their own contracts and security obligations.
Email delivery. Transactional email (account verification, password reset) is delivered through Resend; marketing email, if and when we send any, will be delivered through Resend or another reputable provider. These providers see the recipient address and message body.
Legal obligations. We may disclose information if we believe in good faith that doing so is required by law or necessary to prevent serious harm.
Corporate transactions. If Dogma Studios is part of a merger, acquisition, or sale, we may transfer the data we hold to the successor entity, subject to this policy.

5. Where information is stored

Dogma's services run primarily in Amazon Web Services' US-East-1 region (Northern Virginia). Database state (accounts, characters, mailing list) lives in Amazon RDS for PostgreSQL with encryption at rest. Session and rate-limit state lives in Amazon ElastiCache for Redis. The marketing site is delivered through Fastly via GitHub Pages, fronted by Cloudflare DNS.

6. How long we keep information

Game accounts: retained while the account is active. If you delete your account through the in-app option, we soft-delete it for a 30-day grace window so an accidental deletion can be undone, then permanently delete or anonymize the row.
Mailing list: we keep your address until you unsubscribe. After unsubscribe, the row is retained as a record of the consent and opt-out â€” your address is not used to send further messages.
Logs and metrics: infrastructure access logs are retained at the storage provider's default for up to 180 days, after which they are aggregated or deleted.

7. Your choices and rights

You can:

Delete your game account from your account settings; the deletion process is described above.
Unsubscribe from the mailing list via the link in any marketing email we send, or by emailing us at austin@dogma.game.
Request a copy of your data by emailing austin@dogma.game. We'll respond within a reasonable time, and within any legally-required deadline where applicable.
Request correction or deletion of specific information by the same channel.

If you reside in a jurisdiction with statutory privacy rights (EEA, UK, California, etc.) those rights apply to you and nothing in this policy waives them. Contact us if you need to exercise a specific statutory right and we'll treat the request as the statute requires.

8. Security

We follow industry-standard practices for protecting the information we hold: TLS 1.2+ in transit, encryption at rest for the database and backups, salted Argon2id password hashing, short-lived access tokens with rotating refresh cookies, family-revoke on suspected refresh-token compromise, and per-IP and per-account rate limiting on authentication endpoints. No system is perfectly secure; we will notify affected users in a reasonable time if a breach materially affecting their information is discovered.

9. Children

The Dogma services are not directed at children under 13. By using the services you confirm that you are at least 13 years old (16 in the EEA where required by local law). If you are a parent or legal guardian and believe your child has provided us with information without your consent, contact us and we will delete the account and any associated data.

10. Changes to this policy

We will update this policy as Dogma's services evolve. The "Last updated" date at the top of this page reflects the most recent change. If we make a change that materially affects how we collect, use, or share information, we will give you reasonable advance notice through the services or by email before the change takes effect.

11. Contact

Questions, requests, or concerns about this policy or your information: austin@dogma.game.