1. Who we are

EtheriaApp (“we”, “our”, “the app”) is an independent fan-made companion site for the mobile game Etheria: Restart. We are not affiliated with, endorsed by, or sponsored by the game’s publisher, developer, or any official party. The official game site is sfetheria.com. The app is operated as an independent personal project (referred to in this document as EtheriaApp, we, or us), funded by reader support via Patreon.

This policy covers the website at this domain, including the membership area, the Creator Hub, community articles, GvG / Arena tools, and any sign-in or submission feature. It does not cover the game itself or any other website you may reach via a link from here.

2. Information we collect

Information you provide directly

• Account: email address and a password when you sign up. Passwords are hashed by Supabase Auth - we never see or store the plaintext.
• Username: a display name you choose at /auth/setup right after sign-up. This is shown on anything you post publicly.
• Optional in-game identity: your in-game name and four-digit tag, stored on your user profile. This is optional and only used so the app can match your Mythic Arena rank from publicly posted battle reports (see section 11) and credit you on your own pre-builds.
• User-submitted content: articles you write, GvG pre-builds you save, questions and answers you post, comments, tier-list votes, follow relationships, feedback submissions, direct messages, and any images you upload.
• Union leadership claims: if you submit a claim to manage a union page, the screenshot proof you attach is stored privately and reviewed by an admin.

Information collected automatically

• IP address - rate limiting: we log the requesting IP for endpoints that need abuse protection (sign-in attempts, article submission, feedback, similar). For example: sign-in is capped at 10 attempts per 5 minutes per IP; article submission is capped at 5 per hour. Entries live in a rate_limits table.
• User-Agent - debugging: when you submit feedback, we log the browser User-Agent string alongside your report so we can reproduce browser-specific bugs.
• Server logs: our host (Vercel) records standard HTTP request metadata (timestamp, path, status code, IP) for operations and security.
• Cookies and local storage: see section 7 for the full list. We do not use analytics cookies, ad cookies, or third-party tracking pixels.

Information from third parties

• Patreon (if you connect): when you link your Patreon account for membership perks, Patreon shares your Patreon user ID, current pledge tier, an access token, a refresh token, and a token-expiry timestamp. We store these so we can keep your tier in sync. Patreon also sends us a webhook when your pledge changes.
• Battle-report OCR: we capture in-game player names, four-digit tags, and Mythic Arena ranks from publicly posted game screenshots (typically shared on Discord or social media) using an automated OCR pipeline. These power the site’s aggregated synergy and counter charts. See section 11 for how to request removal.

3. How we use it

• To create and maintain your account, keep you signed in, and let you recover access.
• To display your username, in-game name, posts, votes, and other public-by-design contributions on the site.
• To sync your personal data (field notes, bookmarks, recent views, garrison templates, draft history) across devices when you’re signed in.
• To grant the Patreon-tier perks you’ve paid for, by reading your current tier from Patreon’s API and webhook.
• To protect the service: rate-limiting, CAPTCHA challenges, and detecting abuse or spam.
• To moderate user-submitted content (admins review articles, union claims, reported content, and similar before they go public or after they’ve been flagged).
• To reply to feedback, support requests, and direct messages you send us.
• To produce aggregated, anonymous statistics about the meta (counter rates, synergy strength) that are shown on community charts.
• To send transactional emails - account verification, password reset, important account or policy changes. We do not send marketing email.

We do not sell your data, share it with data brokers, run advertising, or use it to train external AI systems.

4. Who we share it with

We share the minimum data needed with the small set of service providers that run the app on our behalf. We don’t sell or rent data to anyone.

We may also disclose information when required by law (valid legal process), to protect the safety of users, or in the event the project is transferred to another operator - in which case you’ll receive notice and have a chance to delete your account first.

5. International transfers

Our infrastructure is hosted in the United States. If you access the app from outside the United States, your data will be transferred to, stored in, and processed in the United States. For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards (such as our vendors’ Standard Contractual Clauses with Supabase, Vercel, and Cloudflare) to protect that transfer.

6. Your rights

Regardless of where you live, you can ask us to:

• Confirm whether we hold data about you and get a copy.
• Correct anything that is wrong.
• Delete your account and the personal data associated with it (see the note in section 8 about deletion not yet being self-serve).
• Disconnect Patreon (which deletes the stored Patreon tokens and tier from our database).
• Ask us to remove battle-report rows that reference your in-game name (see section 11).

To exercise any of these rights, email privacy@sfetheria.com. We aim to respond within 30 days. We may need to verify you control the account email before acting on a request.

7. Cookies & local storage

We use the minimum cookies needed to run the site. No analytics, no advertising, no third-party tracking. You can clear cookies in your browser at any time; doing so will sign you out and reset your preferences.

Cookies

Local storage

Local storage lives in your browser - it’s not sent to our servers automatically. We use it for UI preferences and as the default home for personal lists (field notes, bookmarks, recent views). When you’re signed in, those personal lists are also synced to your account via /api/user/client-state so they follow you to other devices.

8. Data retention

We keep personal data only as long as we need it to provide the service or comply with legal obligations. Specifics by category:

• Account & profile data: kept for the life of your account. Deleted on request (see section 6).
• Rate-limit logs (IP + endpoint counters): rows are removed automatically within 24 hours of their last update; they are only used to throttle abusive traffic in real time and have no value to us afterward.
• User-submitted content (articles, GvG pre-builds, questions, answers, votes, follows, direct messages, feedback): kept indefinitely while your account is active. If you delete your account, the database is configured with cascading foreign keys so your user_profiles row, messages, articles, feedback, and similar are removed automatically.
• Direct messages: kept indefinitely on both sides of the conversation. Deleting your account removes your half; the recipient’s copy remains unless they also delete.
• Battle reports: kept indefinitely so the community charts (synergy / counter / tier rates) stay useful over time. Removal on request - see section 11.
• Patreon tokens: stored until you disconnect Patreon or delete your account, whichever comes first. We treat the access and refresh tokens as secrets handled per industry-standard practices.
• Storage buckets: uploaded images live in their bucket until you delete the post they’re attached to or delete your account.
• Policy acceptance log: when you create an account or accept an updated Terms / Privacy Policy, we record the document, version, timestamp, and the IP / User-Agent of the device that accepted. Kept for the life of your account so we can prove which version you agreed to if a dispute arises.
• Server logs: our host’s standard short-term retention (typically days to a few weeks).

Account deletion is not yet self-serve. To delete your account today, email privacy@sfetheria.com from the address on the account. We’ll confirm and process the deletion within 30 days.

9. Security

• All traffic between your browser and the app is encrypted in transit with HTTPS / TLS.
• Passwords are hashed by Supabase Auth using industry- standard algorithms. We never see the plaintext.
• The database is protected by row-level security policies (RLS) so that, for example, your private field notes and direct messages are only readable by you (and, where applicable, the recipient).
• Service-role API keys (which bypass RLS) are held only on the server side, are never exposed to the browser, and are rotated when staff or scope changes.
• User uploads to admin-only buckets (e.g. union-claim-proofs) are not publicly readable; storage policies enforce that only the uploader and admins can read those files.
• Storage buckets used to host public images (article images, character portraits, GvG battle screenshots) are publicly readable by design because the images are intended for public display on the site.

No service can promise perfect security. If you discover a vulnerability, please report it to privacy@sfetheria.com and give us a reasonable window to fix it before public disclosure.

10. Children’s privacy

EtheriaApp is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13 (the threshold under the U.S. Children’s Online Privacy Protection Act, or “COPPA”). If you live in a jurisdiction with a higher minimum age for online consent, you must meet that age to create an account here.

If you believe a child under 13 has provided us with personal information, please contact privacy@sfetheria.com and we will delete the account and associated data promptly.

11. Battle-report removal

The site’s community synergy and counter charts are built from battle reports - in-game player names, four-digit tags, Mythic Arena ranks, and the team compositions used - captured from screenshots that players have publicly posted (typically on Discord or social media) and run through an automated OCR pipeline. No in-game accounts, emails, or private data are collected this way; only what is visible on the public screenshot.

We currently do not offer a self-serve opt-out flow for this. If you don’t want your in-game name to appear in our public charts, email privacy@sfetheria.com with your in-game name and tag and we’ll remove the matching rows. We aim to action removal requests within 30 days. Removed rows are excluded from future aggregate charts.

12. Third-party links

Pages on EtheriaApp may link to third-party sites - the official game site, Patreon, Discord, YouTube videos, and community resources. Those sites have their own privacy policies and terms; we don’t control them and aren’t responsible for their content or data practices. Please check a destination site’s policy before submitting information to it.

13. Changes to this policy

We may update this policy as the app changes. When we make a material change - meaning a change that meaningfully affects what data we collect, how we use it, or who we share it with - we will post the updated policy here and give at least 30 days’ notice before the change takes effect, either through a banner on the site or by emailing the address on your account. Non-material edits (typo fixes, clarifications, vendor link updates) take effect when posted; the “Last updated” date at the top of this page always reflects the most recent revision.

14. Contact

EtheriaApp is a fan-made companion app and is not affiliated with the publisher or developer of Etheria: Restart.