Privacy Policy
Last updated: 2026-04-21
This Privacy Policy explains how [LEGAL_BUSINESS_NAME] ("we") collects, uses, shares, and protects personal data in connection with the WoW Toolbox application, the in-app Shop, our community library, and this website.
1. Who is the data controller
The data controller is [LEGAL_BUSINESS_NAME], registered at [REGISTERED_ADDRESS], Sweden. For privacy enquiries contact [PRIVACY_EMAIL]. As we are established in Sweden — an EU member state — no separate Article 27 EU representative is required. Sweden's supervisory authority is Integritetsskyddsmyndigheten (IMY).
2. What data we collect and why
2.1 Account & purchase data
- Account details — email, display name, hashed password (if you create an account).
- Purchase records — items bought, amounts, currency, timestamp, Stripe transaction ID. We do not receive or store your full card number.
- Billing details — billing country (and where required by tax law, billing address) collected by Stripe and shared with us for invoicing.
Lawful basis (GDPR): performance of the contract you enter when you buy, subscribe, or register.
2.2 App telemetry
- Application version, OS, locale, crash reports, and feature-usage counts (only if telemetry is enabled in app settings).
Lawful basis: [CONSENT_OR_LEGITIMATE_INTEREST] — telemetry is opt-in and can be disabled at any time in Settings → Privacy.
2.3 Shop & community submissions
- Content you upload (files, descriptions, screenshots) and the metadata associated with it.
- For paid contributors: payout details handled by Stripe Connect (see Contributor Agreement).
Lawful basis: contract performance and, for tax-form data, legal obligation.
2.4 Support correspondence
- Email content, attachments, and metadata when you contact [SUPPORT_EMAIL].
Lawful basis: legitimate interest in answering enquiries and improving the Service.
2.5 Cookies & this website
This legal site does not set cookies and uses no analytics. The main WoW Toolbox web properties (if any) are documented separately and surface a cookie banner where required.
3. Who we share data with
We share personal data only with processors that help us operate the Service:
- Stripe, Inc. — payments and Connect payouts. See the Stripe Privacy Policy.
- [EMAIL_PROVIDER] — transactional email (receipts, password resets).
- [HOSTING_PROVIDER] — application and database hosting.
- [ANALYTICS_PROVIDER_OR_NONE] — opt-in product telemetry.
- Authorities — when required by law, court order, or to protect the rights, property, or safety of users or the public.
We do not sell personal data and we do not share it for cross-context behavioural advertising.
4. International transfers
Some of our processors are located outside the EU/EEA. Where personal data is transferred to a country without an EU adequacy decision, we rely on the European Commission's Standard Contractual Clauses (or equivalent safeguards) and conduct a transfer impact assessment.
5. How long we keep data
- Account data — until you delete the account, then up to [DELETE_GRACE_DAYS] days of soft-delete for recovery.
- Purchase & tax records — at least [TAX_RETENTION_YEARS] years to meet tax-law obligations.
- Support email — [SUPPORT_RETENTION_YEARS] years.
- Telemetry — [TELEMETRY_RETENTION_DAYS] days, then aggregated.
6. Your rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete your data ("right to be forgotten");
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time, where processing is based on consent;
- complain to a data-protection authority — in Sweden, IMY; in other EU states, your local DPA; in the UK, the ICO.
To exercise any right, email [PRIVACY_EMAIL]. We respond within 30 days.
7. California residents (CCPA / CPRA)
California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, to opt out of sale or sharing (we do neither), and to non-discrimination for exercising these rights. Submit requests to [PRIVACY_EMAIL].
8. Children
The Service is not directed to children under 13 (Sweden's age of digital consent under lag 2018:218). We do not knowingly collect personal data from them. If you believe a child has provided us data, contact [PRIVACY_EMAIL] and we will delete it.
9. Security
We use industry-standard technical and organisational measures (encryption in transit, access controls, regular review of vendors). No system is perfectly secure; we will notify affected users and authorities of a breach as required by law.
10. Changes to this Policy
We may update this Policy. Material changes will be announced in-app or by email and the "Last updated" date above will change. Please review periodically.