Privacy Policy
Last updated: June 24rd, 2026
Wombat Factory ("us", "we", or "our") operates nukesdragons.com (the "Site") and is the controller responsible for your personal information. We are based in Finland. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have.
Information We Collect
Information You Provide
- Account information. When you create an account, we collect a username, your email address, and a password. Passwords are stored only as a secure cryptographic hash — we never store your plain-text password. We also store account status information, such as whether your email is verified, when you accepted the Terms, connected sign-in methods, session records (including the IP address and browser/device information associated with each active session), and password-reset or email-verification records.
- Profile and user content. Information you add to your profile, and the character builds and related content you create. This includes drafts, published builds, build descriptions, settings, and related metadata.
- Saved actions. We store account actions such as bookmarks, publishing or unpublishing builds, archived/deleted builds, and account deactivation or deletion requests.
- Moderation and administration records. If we need to administer, secure, or moderate the Site, we may keep records such as account role, suspension status, suspension reason, admin actions, audit-log metadata, and related IP addresses.
- Communications. If you email us, we retain your message and contact details so we can respond.
Information From Third-Party Sign-In
If you choose to sign in with Discord, Discord shares a limited set of profile information with us: your Discord account identifier, username or display name, avatar image, and email address (including whether Discord has verified it). We use this information to create or link your account, and we may store OAuth account identifiers and tokens needed to maintain that connection. We do not post to Discord on your behalf. Discord's handling of your data is governed by Discord's own privacy policy.
Information Collected Automatically
- Log and device data. Like most websites, our servers and infrastructure providers record information your browser sends, such as your IP address, browser type and version, the pages you visit, and timestamps.
- Security data. We use your IP address and related signals for rate limiting, abuse prevention, and bot protection (via Cloudflare Turnstile).
- Analytics and event data. We collect usage events such as page visits, builder/database interactions, sign-up and login flow events, share/outbound-link clicks, errors, current URL/path, game or builder context, and generated device/session identifiers stored in your browser's local storage.
- Embedded content and advertising data. Some pages include third-party content or ads, such as a Discord widget and NitroPay advertising. These third parties may collect information about your device and interaction with their content.
- Cookies and similar technologies. See "Cookies and Similar Technologies" below.
How We Use Your Information
We use the information we collect to:
- create and maintain your account and authenticate you;
- provide, operate, and improve the Site and its features;
- store and display the builds, bookmarks, profile information, and content you create;
- send you service messages, such as email verification and password-reset links;
- protect the Site, our users, and the public against fraud, abuse, and security threats;
- understand how the Site is used, debug errors, and improve user flows through analytics;
- administer accounts, enforce our Terms, and maintain audit records;
- display, measure, and support advertising where applicable; and
- comply with legal obligations.
Legal Bases (EEA/UK Users)
Where the GDPR or UK GDPR applies, we process your information on the following bases: performance of our contract with you (to provide your account and the Site); our legitimate interests (to secure, maintain, measure, debug, moderate, and improve the Site, and to protect legal rights); your consent (for example, for non-essential cookies and advertising, where required); and compliance with our legal obligations.
Cookies And Similar Technologies
We use cookies and similar technologies to:
- keep you signed in and maintain your session (these are essential to account features);
- secure the Site through rate limiting, fraud prevention, and bot protection;
- remember your settings and preferences;
- count anonymous aggregate traffic and actions without device or session identifiers;
- measure opted-in traffic and usage through Google Analytics and our own event analytics, including generated device/session identifiers stored in local storage; and
- support advertising through NitroPay and advertising partners, where applicable (see below).
You can disable cookies or clear local storage in your browser settings, but some features — including signing in — may not work properly without them. Where required, we ask for your consent before setting non-essential cookies or similar technologies. Advertising and optional analytics consent are managed through NitroPay's consent tools and privacy links in the Site footer, where available.
Analytics
We count anonymous page views and actions to understand broad usage of the Site. These anonymous event-count payloads do not use cookies, local storage, device identifiers, session identifiers, full URLs, route parameters, referrers, usernames, build names, or free-form error text. They include only coarse information such as event type, broad page context, and selected low-risk dimensions such as button type or action phase.
We also use optional analytics services, such as Google Analytics, and our own event analytics to understand how visitors use the Site in more detail so we can improve it. These optional tools may set cookies or use local storage and collect usage data, such as the pages you visit, interactions with builders and databases, outbound-link clicks, error information, generated device/session identifiers, and your approximate location derived from your IP address. Google Analytics and our own detailed event analytics are enabled only when the consent signal provided through NitroPay permits analytics.
Advertising
Some parts of the Site may be supported by third-party advertising, including NitroPay and advertising partners such as Google. Advertising partners may use cookies and similar technologies to collect information about your visits to this and other websites in order to show ads, measure ads, prevent fraud, and provide ad-reporting tools. To learn about your choices, including opting out of interest-based advertising, visit the Network Advertising Initiative opt-out page or Your Online Choices. Where required, we ask for your consent before setting advertising cookies.
Embedded Third-Party Content
The Site may embed third-party content, such as a Discord server widget, or link to third-party services such as Discord, Bluesky, X/Twitter, Instagram, Reddit, and other social platforms. When you view embedded content or click an external link, those third parties may receive information such as your IP address, browser information, the page you visited, and your interaction with their service. Their handling of your data is governed by their own privacy policies.
How We Share Information
We do not sell the personal information you provide to create your account (such as your email address). We share information only as described below:
- Service providers. We rely on trusted providers to run the Site, including Cloudflare (hosting, database, and bot protection), Resend (transactional email, such as verification and password-reset messages), Discord (optional sign-in and embedded widget), NitroPay (advertising), Google (analytics and advertising), and the other analytics and advertising partners described above. They may process your information only to provide services to us or as described in their own privacy terms.
- Public content. Builds you mark as public, your username, and your public profile are visible to anyone and may be indexed by search engines.
- Legal and safety. We may disclose information to comply with the law, enforce our Terms, or protect the rights, property, or safety of our users or the public.
- Business transfers. If the Site is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction.
Data Retention
We keep your account information for as long as your account is active. If you deactivate your account, we hide your public profile until you sign back in, but we keep your account and builds so the account can be reactivated. If you permanently delete your account, we delete your account, builds, bookmarks, sessions, and connected sign-in records within a reasonable period, except where we must retain certain data to comply with legal obligations, resolve disputes, maintain security, or enforce our agreements. Admin audit logs, security logs, email-delivery records, and backups may be retained for longer where needed for those purposes. Backups are purged on a rolling basis.
Your Rights And Choices
Depending on where you live, you may have the right to access, correct, delete, or export your personal information; to object to or restrict certain processing; and to withdraw consent. You can:
- update or delete your account from your account settings; and
- contact us at nukesdragons@gmail.com to exercise any of these rights.
We will respond within the time required by applicable law. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is the Office of the Data Protection Ombudsman of Finland (Tietosuojavaltuutetun toimisto).
California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, may give you specific rights regarding your personal information. Even where the CCPA/CPRA does not apply to us, we try to honor reasonable privacy requests where we can.
Categories we collect. In the past twelve months, we have collected the following categories of personal information:
| Category | Collected |
|---|---|
| Identifiers (e.g. username, email, IP address) | YES |
| Customer records (Cal. Civ. Code § 1798.80(e)) | YES |
| Internet or other network activity | YES |
| Geolocation data (approximate, derived from IP) | YES |
| Inferences | YES |
| Sensitive personal information (account login credentials) | YES |
Your rights. You have the right to know what personal information we collect and how we use it; to request access to, deletion of, or correction of your personal information; and to opt out of the "sale" or "sharing" of personal information. We will not discriminate against you for exercising these rights.
Sale/sharing for advertising. We do not sell the account information you give us. However, advertising and analytics cookies may involve the "sale" or "sharing" of identifiers and internet-activity information as those terms are defined under California law. You can opt out using the "Do Not Sell or Share My Personal Information" link or NitroPay privacy/consent controls in the Site footer, where available, or contact us.
Exercising your rights. Submit a request by emailing nukesdragons@gmail.com. We will verify your request as required by law. You may use an authorized agent to act on your behalf.
Children's Privacy
The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.
Security
We take reasonable measures to protect your information — for example, passwords are stored only as salted hashes, and traffic is encrypted in transit. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.
International Users And Data Transfers
We are based in Finland and process information within the European Economic Area (EEA). Some of our service providers — for example, Cloudflare, Resend, and Google — may process information in the United States or other countries outside the EEA. Where we transfer personal information outside the EEA, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or an adequacy decision (for example, the EU–U.S. Data Privacy Framework). By using the Site, you understand that your information may be transferred to and processed in these countries.
Changes To This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. If we make material changes, we may provide additional notice through the Site.
Contact Us
If you have any questions about this Privacy Policy, please contact us.