Legal

Privacy policy

Last updated 10 July 2026

RaidPlan.io is a free tool for creating and sharing raid encounter plans. We collect as little personal data as possible: you can use every feature of the site, including creating an account, without ever telling us who you are. This policy explains what we do collect, why, and what your rights are under the EU General Data Protection Regulation (GDPR) and similar laws.

What we collect and why

Account data (only if you sign up)

An account requires only a username and a password. The password is stored as a salted hash, so we never store or see it in plain text. Providing an email address is optional; if you provide one, we use it solely to let you recover your account (password reset) and for essential messages about your account. We do not send marketing emails.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Linked accounts (optional)

You can choose to link external accounts from supported third-party platforms such as WarcraftLogs, FFLogs and Patreon. If you do, we store the identifier of the linked account so we can recognise the connection. You can remove a connection at any time from your account settings.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Content you create

Plans, drawings, and notes you create are stored so we can provide the service. Plans are accessible to anyone who has the plan link; don't put personal information in a plan you intend to share.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Technical and security data

When you use the site, our servers and our security provider process technical information about the request, including your IP address, browser user-agent, and request metadata. We use this exclusively to protect the service against abuse, fraud, and attacks. This data may be stored temporarily on our servers and is shared with Cloudflare, which sits in front of our infrastructure for this purpose. It is deleted once it is no longer needed for security.

Legal basis: legitimate interest in keeping the service secure and available (Art. 6(1)(f) GDPR).

Usage analytics

We use a privacy-focused analytics tool to understand aggregate site usage (page views, referrers, browser types). It sets no cookies, does not track you across other websites, does not build profiles, and does not store your IP address. The data we see is aggregate and anonymous.

Legal basis: legitimate interest in understanding and improving the service (Art. 6(1)(f) GDPR).

Cookies

We do not use cookies for tracking or advertising. The only cookie we set is a session cookie created when you sign in, which keeps you signed in. This is a strictly necessary cookie that requires no consent. If you never sign in, we set no cookies at all.

Who we share data with

We never sell your data. We share data only with service providers (processors) that help us run the site, and only to the extent needed:

  • Cloudflare: security, content delivery, and abuse prevention. Traffic to the site (including your IP address) passes through Cloudflare's network.
  • An email delivery provider: delivers transactional email (password resets), only if you provided an email address.
  • Cloud hosting providers: our application, database, and analytics run on their infrastructure.
  • Connected platforms: only if you choose to link an external account; the connection is initiated by you on that platform under its own privacy policy.

International transfers

Some of our providers (including Cloudflare) are based in the United States. Where personal data is transferred outside the European Economic Area, we rely on safeguards recognised under the GDPR, such as the EU–U.S. Data Privacy Framework and/or Standard Contractual Clauses.

How long we keep data

  • Account data and your content: kept for as long as your account exists. Request deletion at any time (see below).
  • Security and technical logs: kept temporarily and deleted once no longer needed for abuse prevention and troubleshooting.
  • Analytics: stored only in aggregate, anonymous form.

Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased ("right to be forgotten"), including your whole account;
  • receive your data in a portable format;
  • restrict or object to processing based on our legitimate interests;
  • lodge a complaint with your local data protection supervisory authority if you believe we handle your data unlawfully.

To exercise any of these rights, including deleting your account and all associated data, email us at [email protected]. Since an account may hold no identifying information beyond a username, we may ask you to prove control of the account (for example by signing in) before acting on a request.

Children

RaidPlan.io is not directed at children under 16 and we do not knowingly collect personal data from them. Since no personal information is required to use the site, we hold no more data about younger users than about anyone else; if you believe a child has provided us an email address, contact us and we will delete it.

Security

All traffic to RaidPlan.io is encrypted with TLS. Passwords are stored only as salted hashes. Access to production systems is restricted, and we rely on Cloudflare to filter malicious traffic before it reaches our servers.

Changes to this policy

We may update this policy as the service evolves. The "last updated" date at the top reflects the current version; material changes will be announced on the site.

Questions? Contact [email protected]