The short version
kitbashr is a tool for tracking your miniature-painting hobby. We store the account details you give us and the hobby data you create — nothing more. We don’t sell your data, we don’t run advertising trackers, and we don’t share your data with third parties except the few service providers needed to run the app (below).
Who runs kitbashr
kitbashr is an independent project, currently in open beta. It isn’t yet a registered company, so we’ve kept formal company details off this page for now and will add them here as the project formalises. For anything about your data — including any of the rights below — email support@kitbashr.app.
What we store
Account: your email address, display name, a one-way hash of your password (we store the hash, never the password itself), and — if you enable two-factor authentication — an encrypted 2FA secret. We never store your password or 2FA secret in readable form.
Security & sessions: the devices signed in to your account (browser and operating system, last-seen time), and a log of account-security events (sign-ins, password changes, 2FA changes). To protect against abuse we record login attempts.
Your hobby data: everything you create in the app — your paint inventory, model collection, custom mixes, and army lists.
IP addresses: we only ever store a truncated IP address (the network portion, not your full address), and only to rate-limit abuse. We cannot identify your exact device or location from it.
Cookies & local storage
We keep cookies to the bare minimum. We only use essential cookies — there are no advertising cookies and no third-party or cross-site tracking, so there is nothing extra to opt in or out of.
- Sign-in cookie: a cookie flagged Secure and HttpOnly (sent only over HTTPS and not readable by scripts) that keeps you signed in. The site cannot work without it.
- Security cookie: a token that protects your requests against cross-site request forgery (CSRF).
- In your browser only: small preferences stored on your device and never used to track you — your light/dark theme, notices you’ve dismissed, and an offline cache of the public paint/model catalogue so the app loads faster.
We also keep first-party usage statistics (for example, which features get used) purely to fix problems and improve the app. These are our own, are never shared with advertisers, and are never sold.
Cookieless visit stats: on our public pages we count visits in aggregate to see how people find kitbashr. This uses no cookies and stores no IP address — only the page visited, the website that referred you (the site name only, e.g. instagram.com), and any campaign tags in the link. If you then create an account, we record which of these sources it came from so we can measure what’s working. None of this identifies you personally or follows you across other sites.
Why we store it
To run your account, keep it secure, and provide the features you use. We rely on the legal bases of contract (providing the service you signed up for) and our legitimate interest in keeping the service secure and free of abuse. We do not process your data for marketing or profiling.
How long we keep it
Your account and hobby data are kept until you delete them or close your account. Some security data is purged automatically on a schedule:
- Login-attempt records: deleted after about 90 days.
- Account-activity (audit) log: kept for about 12 months.
- Expired sessions and one-time security links: removed once they expire.
Who we share it with
We use a small number of service providers strictly to operate kitbashr: a hosting provider for our servers, and an email provider to send account emails (verification and security messages). When you register, we check your chosen password against the Have I Been Pwned breach database using a privacy-preserving method that never sends your full password. We do not sell or rent your data to anyone.
Where your data is processed
Your kitbashr account and hobby data are stored and processed on servers in the EU (Germany), and the provider we use to send account emails is also in the EU. We do not transfer your account or hobby data outside the European Economic Area (EEA).
If you contact us by email, your message is handled through our mailbox provider, which may process it outside the EEA. Where that happens it is covered by appropriate safeguards, such as the EU Standard Contractual Clauses. The breach-database check we run on new passwords sends only a short, irreversible fragment of a hash — never your password or any other personal data.
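For readers who want to see what "a short, irreversible fragment of a hash" means in practice, here is an added example (not kitbashr's own code) of the k-anonymity range lookup that the Have I Been Pwned Pwned Passwords API uses: the client hashes the password with SHA-1, sends only the first five hex characters of that hash, receives every known suffix in that bucket with its breach count, and does the comparison locally. The FakeRangeServer, the breached-password list and the counts are constructed stand-ins so the example runs offline; the real endpoint is https://api.pwnedpasswords.com/range/{prefix}.

```python
from __future__ import annotations

import hashlib

# Added example, not kitbashr's code. Illustrates the Have I Been Pwned
# k-anonymity range lookup: only a 5-hex-character hash prefix leaves the
# client; the password and the full hash never do.

PREFIX_LEN = 5  # the real API keys buckets on the first 5 hex chars of SHA-1


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the encoding the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the server, suffix kept on the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a mapping of suffix -> breach count."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times `password` appears in the breach corpus (0 = not found).

    `fetch_range(prefix)` is any callable that returns the bucket text for a
    5-character prefix; in production it would GET
    https://api.pwnedpasswords.com/range/<prefix>.
    """
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)          # only the prefix is transmitted
    return parse_range_response(body).get(suffix, 0)


class FakeRangeServer:
    """Constructed, offline stand-in for the remote range endpoint (hypothetical)."""

    def __init__(self, breached: dict[str, int]):
        # Index constructed "breached" passwords by hash prefix, as the API does.
        self.buckets: dict[str, dict[str, int]] = {}
        for pw, count in breached.items():
            prefix, suffix = split_hash(pw)
            self.buckets.setdefault(prefix, {})[suffix] = count
        self.requests: list[str] = []   # records exactly what the client sent

    def fetch_range(self, prefix: str) -> str:
        self.requests.append(prefix)
        bucket = self.buckets.get(prefix, {})
        lines = [f"{s}:{c}" for s, c in sorted(bucket.items())]
        # A real bucket also holds many unrelated suffixes sharing the prefix,
        # which is what hides the queried password; one constructed filler line.
        lines.append("0" * 35 + ":1")
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample data: two made-up "leaked" passwords with made-up counts.
    server = FakeRangeServer({"password": 3_000_000, "hunter2": 12})
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, server.fetch_range)
        verdict = f"seen {n} times, reject" if n else "not found, accept"
        print(f"{candidate!r}: {verdict}")
    print("prefixes sent to server:", server.requests)
```

In a real deployment the only difference is that `fetch_range` performs the HTTPS GET; the password, the full 40-character hash and the user's other data are never part of the request, and each bucket returned by the live service contains hundreds of suffixes, so the server cannot tell which one the client was interested in.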
Your rights
You can access and download all your data at any time from Account → Your data, choosing exactly which categories to include. You can correct your profile details, and you can permanently delete your account and all associated data from Account → Delete account. If you’re in the EU/EEA or UK, you also have the right to lodge a complaint with your local data-protection authority.
Contact
Have a question about your data or this policy, or want to exercise any of your rights (access, correction, deletion, or a copy of your data)? Email us at support@kitbashr.app or use our contact form — we'll help.