Privacy Policy

Effective date: April 24, 2026  ·  Last updated: April 24, 2026

This Privacy Policy explains what data CritSheet collects, how we use it, who we share it with, and what rights you have. We've written it to be readable — not just legal boilerplate.

1. What We Collect

Account information

Your email address when you register. Passwords are hashed by Supabase Auth — we never see or store your plaintext password.

Campaign and session data

Campaign names, player names, character names, class selections, and session statistics you enter manually or that are extracted from audio.

Audio recordings

Audio files you upload for transcription, stored in private cloud storage accessible only to your account. Audio processing may create voice-derived features (such as speaker identification data) as part of the transcription process. See Section 4 for full details.

Transcripts and extracted data

Text transcriptions of your sessions and AI-extracted statistics, stored to power box scores, play-by-play recaps, and pre-session briefs.

Payment information

Subscription plan and billing status. Payment card details are processed and stored by Stripe — we do not store your full card number.

Usage and error data

Standard server logs and error reports used to diagnose bugs and keep the service running. Collected via Sentry.

2. How We Use Your Data

We use the data we collect to:

  • Provide the core functionality of CritSheet — session tracking, box scores, leaderboards, player profiles
  • Transcribe audio and extract statistics using third-party AI services
  • Generate AI-powered pre-session briefs and campaign recaps
  • Process payments and manage your subscription
  • Authenticate your account and keep it secure
  • Monitor for errors and performance issues
  • Send important service-related communications (e.g. billing receipts, material policy changes)

We do not sell your data. We do not use your session content, audio, or transcripts to train AI models. We do not use your data for advertising.

3. Third-Party Services

CritSheet relies on the following third-party services to operate. Each receives only the data necessary to perform its function:

Supabase — privacy policy

Database, authentication, and file storage. Your account data, campaign data, and audio files are stored on Supabase infrastructure.

AssemblyAI — privacy policy

Audio transcription with speaker diarization. Audio files are sent to AssemblyAI for processing. AssemblyAI does not use your audio to train their models under their standard API terms.

Anthropic (Claude) — privacy policy

AI analysis for stat extraction, session summaries, pre-session briefs, and NPC dossier updates. Session transcripts are sent to Anthropic for processing. Anthropic does not use API inputs to train their models under their standard API terms.

Stripe — privacy policy

Payment processing. Your card details are handled directly by Stripe. CritSheet does not store your full card number.

Vercel — privacy policy

Hosting and edge infrastructure. Standard web server logs may be retained by Vercel.

Sentry — privacy policy

Error monitoring. Error reports may include non-personally-identifiable diagnostic information such as browser type, URL, and stack traces.

4. Audio Recordings and Biometric Data

Audio processing may create voice-derived data. This section explains how we handle it.

When you upload a session recording, the audio is transmitted to AssemblyAI for transcription. This process may generate voice-derived features such as speaker identification signatures as part of speaker diarization. These features are used solely to label speaker turns in your transcript and are not retained beyond the transcription job.

Audio files are stored in private Supabase Storage, accessible only to your account. Transcription jobs that do not result in a saved session are automatically purged after 7 days. Saved session transcripts are retained for as long as your account is active.

Consent. By uploading audio, you represent that you have obtained the informed consent of all individuals whose voices are captured in the recording. You are responsible for compliance with any applicable recording consent or biometric data laws in your jurisdiction.

5. Public Data

Box scores, player profiles (character names and stats only — never real player names), and campaign leaderboards are publicly accessible by design. Sharing is a core feature of CritSheet. Any data you save to a session may be viewable by anyone with the link. Real player names are only visible to the account owner when logged in. Do not include sensitive personal information in fields intended for public display.

6. Cookies and Authentication

CritSheet uses cookies solely to maintain your authenticated session. We do not use tracking cookies, advertising cookies, or analytics cookies. No cookie consent banner is shown because we only use strictly necessary cookies required for the service to function.

7. Data Retention

Your account data is retained for as long as your account is active. When you close your account, your data is retained for up to 30 days to allow for any final exports, after which it is permanently deleted.

Orphaned transcription jobs (no linked saved session) are automatically deleted after 7 days. Audio files for completed sessions are retained with the session unless you request deletion.

8. Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correct — request correction of inaccurate personal data
  • Delete — request deletion of your account and associated data
  • Export — request an export of your campaign and session data before closing your account
  • Opt out of data sale — we do not sell your data, but you may contact us to confirm this at any time

To exercise any of these rights, contact us at hello@critsheet.io. We will respond within 45 days.

9. Iowa Residents (Iowa CDPA)

If you are an Iowa resident, you have additional rights under the Iowa Consumer Data Protection Act (Iowa Code ch. 715D), effective January 1, 2025:

  • The right to confirm whether CritSheet is processing your personal data
  • The right to access the personal data we have collected about you
  • The right to delete personal data you have provided to us
  • The right to obtain a portable, readily usable copy of personal data you have provided
  • The right to opt out of the sale of your personal data

CritSheet does not sell your personal data. To submit a request under the Iowa CDPA, contact us at hello@critsheet.io. We will respond within 45 days as required by law.

9a. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • The right to know what personal information we collect, use, disclose, and sell
  • The right to delete personal information we have collected from you
  • The right to correct inaccurate personal information
  • The right to opt out of the sale or sharing of your personal information
  • The right to non-discrimination for exercising your privacy rights

CritSheet does not sell or share your personal information with third parties for their own marketing or advertising purposes. To submit a CCPA request, contact us at hello@critsheet.io.

10. Children's Privacy

CritSheet is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with their information, please contact us at hello@critsheet.io and we will remove it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date above. For material changes, we will make reasonable efforts to notify you by email or through the Service before the change takes effect. Continued use of CritSheet after the effective date constitutes acceptance of the revised policy.

12. Contact

Questions or concerns about this Privacy Policy or how your data is handled? Contact us at hello@critsheet.io.