Privacy Policy

Lich Souls Gaming ("we", "us", or "our") operates lichsouls.com (the "Site"). This Privacy Policy explains what personal information we collect, how we use it, who can access it, how long we keep it, and your rights regarding it.

By using the Site, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Site.

Authentication data (Discord OAuth): When you sign in via Discord, we receive your Discord user ID, username, and avatar URL. We store these to create and maintain your profile on the Site. We do not receive your Discord password or payment information.

Authentication data (Twitch OAuth, optional): If you choose to link your Twitch account, we receive your Twitch user ID and username. Twitch linking is optional and can be unlinked at any time from your profile settings.

Profile information you provide: Display name, bio, pronouns, timezone, in-game usernames (RuneScape, Minecraft, and others), social links, accent color, favorite games, and a "looking for group" tag. All of this is voluntary. You choose what to share and whether your profile is public or private.

Profile media: Profile pictures and banner images you upload are stored in Cloudflare R2 object storage (lichsoulsfiles bucket). We retain up to 6 previous avatars and 3 previous banners per user to support the history gallery feature. Images you delete from the gallery are permanently removed from storage.

Direct messages: Message content, image attachments, timestamps, and conversation metadata. Message text is encrypted at rest using AES-256-GCM (see Section 5 — Warden Encryption). Image attachments are stored in a private Cloudflare R2 bucket (lichsouls-private) and are not publicly accessible.

Wall posts and comments: Content you post on profile walls, including any images attached to reports.

Friend relationships: Records of who you are friends with, pending requests, and any blocks.

Usage metadata: Last login timestamp and last active timestamp. We do not collect IP addresses, browser fingerprints, or analytics beyond what Cloudflare's infrastructure logs at the network level (see Section 7).

Reports: If you submit a report about another user, we retain the report content, reason, and any evidence images for moderation purposes.

• To authenticate you and maintain your session on the Site
• To display your profile to other users, subject to your privacy settings
• To deliver direct messages and other communication features
• To enforce our Terms of Service and Community Rules
• To respond to reports of prohibited content or conduct
• To comply with applicable law and legal process
• To improve Site functionality and debug issues

We do not sell, rent, or trade your personal information to third parties. We do not use your information for advertising or marketing to you.

You have granular control over who can see parts of your profile. From your profile settings, you can independently control visibility of: your friends list, your wall, who can post on your wall, who can message you, and your online status. Setting your profile to private removes it from public member listings.

These settings control what other Site users can see. They do not affect staff access for moderation purposes or our obligations under law.

Direct message text content is encrypted at rest on our servers using AES-256-GCM encryption, a system we call Warden. This means that even if our database were exposed, message content would not be readable as plain text.

Important limitations — please read carefully:

• Warden is server-side encryption, NOT end-to-end encryption. The encryption key is held by Lich Souls Gaming, not by you.
• Lich Souls Gaming staff can decrypt message content when required for moderation, legal compliance, or in response to a valid legal process.
• Messages sent before Warden was deployed remain stored as plain text (legacy messages are marked as unencrypted).
• Image attachments in DMs are stored in a private bucket and access-controlled, but are not encrypted at the file level.

Warden protects your messages from database-level exposure and unauthorized third-party access. It does not protect them from authorized staff review or from lawful disclosure requirements.

Profile data: Retained for as long as your account exists. If you request deletion, profile data is removed within a reasonable period except where retention is required for legal or abuse-prevention purposes.

Direct messages: Retained indefinitely unless deleted by you. Individual messages can be deleted and will show as "This message was deleted" to both parties. Deleting a message does not retroactively affect any moderation records already created from that message.

Profile media: Retained until you delete it from your gallery or until your account is deleted. Uploads beyond the per-user limit (6 avatars, 3 banners) are automatically pruned oldest-first.

Reports: Retained for the duration of the investigation and for a reasonable period thereafter for record-keeping.

Banned/terminated accounts: Core account identifiers may be retained after termination to enforce bans and prevent re-registration circumvention.

Cloudflare: The Site is hosted on Cloudflare Workers and Pages. Data is stored in Cloudflare D1 (database) and R2 (object storage). Cloudflare may log network-level data (IP addresses, request metadata) per their own privacy policy. We do not have direct access to Cloudflare's network logs.

Discord: Authentication is provided by Discord. When you sign in, Discord shares limited profile data with us per Discord's OAuth scope. Discord has its own privacy policy and we encourage you to review it.

Twitch: Optional account linking uses Twitch OAuth. Twitch has its own privacy policy.

RuneScape Hiscores API (Jagex): Some features display public RuneScape hiscores data. No personal data is transmitted to Jagex; we only query public endpoints.

No advertising networks, analytics platforms, or data brokers have access to user data from this Site.

We will disclose user information to law enforcement or other governmental authorities when we are legally required to do so, including in response to a valid court order, subpoena, or other legal process. We may also disclose information when we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of Lich Souls Gaming, our users, or the public.

As noted in our Terms of Service, we are required by U.S. federal law to report apparent child sexual exploitation material to the NCMEC CyberTipline. Such reports may include associated account data.

We will make reasonable efforts to notify affected users of legal demands for their data where permitted by law and where doing so would not obstruct an investigation.

The Site is not directed to children under the age of 13. We do not knowingly collect personal information from anyone under 13. If we discover that a user is under 13, we will delete their account and associated data. If you believe a child under 13 has registered on the Site, please contact us immediately.

We implement industry-standard technical measures to protect your data, including: HTTPS/TLS for all data in transit, AES-256-GCM encryption for DM content at rest (Warden), private access-controlled R2 buckets for media not intended to be publicly accessible, and session tokens protected by CSRF safeguards.

No security system is impenetrable. We cannot guarantee that data will never be accessed, disclosed, or altered by a breach of our physical, technical, or administrative safeguards. If a breach occurs that affects your data, we will notify you in a timely manner through our Discord server.

• Access: You can view most of the data we hold about you through your profile page and settings.
• Correction: You can update your profile information at any time through your profile's Edit drawer.
• Deletion: You may request deletion of your account and associated data by contacting staff. Some data may be retained as described in Section 6.
• Unlinking Twitch: You can unlink your Twitch account from your profile settings at any time.
• Profile visibility: You can set your profile to private to remove it from public listings.

To make a data request, contact a staff member in our Discord server.

We use session cookies solely to maintain authentication state. We do not use advertising, analytics, or tracking cookies. See our Cookie Policy for the full list of cookies we set.

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify users through our Discord server. Your continued use of the Site after any change constitutes your acceptance of the updated policy.

Questions, concerns, or data requests? Contact staff in our Discord server.