Privacy Policy

Last updated: March 11, 2026

1. Introduction

Liber Pigmenta ("we," "our," or "us") operates the web application at app.liberpigmenta.com and the landing page at liberpigmenta.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address — used for authentication, account recovery, and essential communications
  • Display name — shown within the app as your identity
  • Password — stored as a one-way bcrypt hash; we never store or see your plaintext password

2.2 OAuth Sign-In

If you sign in with Google or Apple, we receive your email address, display name, and profile photo URL from the provider. We do not receive or store your password from these providers.

2.3 Application Data

Data you create while using the Service, including:

  • Miniature collections and painting progress
  • Army lists and roster configurations
  • Paint collection and ownership records
  • Color schemes and painting recipes
  • Painting session history and progress tracking
  • Uploaded images (miniature photos, reference images)
  • User preferences and settings

2.4 Automatically Collected Information

  • IP address — collected during authentication for security and fraud prevention
  • User agent (browser/device info) — collected during authentication for session management
  • UTM parameters — marketing attribution data (source, medium, campaign) captured from URL parameters when you first visit the Service

2.5 Feedback Data

When you submit feedback, bug reports, or feature requests through the in-app feedback system, we collect the message content, feedback type, optional rating, and the page context where the feedback was submitted.

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service operation — to provide, maintain, and improve the Service
  • Authentication — to verify your identity and manage your sessions
  • Communications — to send email verification, password reset emails, and admin responses to your feedback
  • Security — to detect and prevent fraud, unauthorized access, and abuse
  • Error tracking — to identify and fix bugs and improve stability
  • Analytics — to understand usage patterns and improve the Service (aggregated, non-personal)

4. Third-Party Services

We use the following third-party services to operate the Service:

Sentry

Error tracking and application monitoring. Captures application errors and exceptions to help us identify and fix bugs. Data is processed in the EU (Frankfurt).

Resend

Transactional email delivery. Used to send email verification, password reset, and feedback response emails.

Google OAuth

Optional sign-in provider. If you choose to sign in with Google, your authentication is handled by Google's OAuth 2.0 service. We only receive your email, name, and profile photo.

Cloudflare R2

Cloud object storage for user-uploaded images (miniature photos, reference images, faction artwork).

Paddle

Payment processing for optional subscriptions. Paddle acts as Merchant of Record and handles all payment data directly. We do not store credit card numbers or payment details.

We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioral tracking services.

5. Data Storage and Security

  • Your data is stored in a PostgreSQL database with encryption at rest
  • All connections use HTTPS/TLS encryption in transit
  • Passwords are hashed using bcrypt with salt rounds
  • Authentication tokens are hashed (SHA-256) before storage
  • Session tokens expire automatically (access tokens: 15 minutes, refresh tokens: 7 days)
  • We implement rate limiting, CORS policies, and Content Security Policy headers

6. Data Sharing

We do not sell, trade, or rent your personal information to third parties.

We may share your information only in the following circumstances:

  • With your consent — when you explicitly choose to share content (e.g., publishing a color scheme with a share link)
  • Service providers — with the third-party services listed in Section 4, solely to operate the Service
  • Legal requirements — if required by law, regulation, or valid legal process

7. Data Retention

  • Your account data is retained for as long as your account is active
  • If you deactivate your account, we retain your data for a 30-day grace period to allow reactivation
  • After the grace period, your account and all associated data are permanently deleted
  • Expired authentication tokens are cleaned up automatically

8. Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — update or correct inaccurate information via your account settings
  • Deletion — delete your account and all associated data through the account settings or by contacting us
  • Portability — request your data in a portable format
  • Objection — object to processing of your personal data
  • Withdraw consent — withdraw consent for optional data processing at any time

To exercise any of these rights, contact us at liber.pigmenta@gmail.com.

9. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • We process your data based on contractual necessity (to provide the Service) and legitimate interest (security, error tracking)
  • For optional processing (marketing emails), we rely on your explicit consent
  • Error tracking data processed by Sentry is hosted in the EU (Frankfurt, Germany)
  • You may lodge a complaint with your local data protection authority

10. Cookies and Local Storage

We use essential cookies and browser local storage only for authentication and application functionality. We do not use tracking cookies, advertising cookies, or any non-essential cookies.

  • Authentication tokens — stored securely (HTTP-only cookies and/or local storage) to maintain your session
  • User preferences — stored in local storage for app personalization
  • Service Worker cache — used for offline functionality and performance

11. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

liber.pigmenta@gmail.com

© 2026 Liber Pigmenta. All rights reserved.Not affiliated with Games Workshop.