Transparency

Your data, your call

kitbashr is just a tool for tracking your painting hobby. Here’s the plain-language version of what we keep, what we’ll never do, and the control you have over it. The full detail lives in our Privacy Policy.

What we keep

Your account — your email, a display name, a hashed password, and (only if you turn it on) an encrypted two-factor secret. We never store your password or 2FA secret in a form anyone can read.

Your hobby data — everything you make in the app, like your paint inventory, models, custom mixes, guides, and army lists.

Security basics — which devices are signed in, a log of account-security events (sign-ins, password and 2FA changes), and login attempts, so we can keep your account safe.

A truncated IP address — only the network portion, never your full address, and only to rate-limit abuse. We can’t pin down your exact device or location from it.

What we'll never do

Never sell your data.

Never rent or trade it.

No advertising trackers, and no cross-site tracking that follows you around the web.

No profiling, and we never use your data to build an ad profile of you.

No marketing or promotional emails — we only ever contact you about your account and its security.

The control you have

Download everything — from Account → Your data, choosing exactly which categories to include.

Fix your details — edit your profile whenever you like.

Delete for good — from Account → Delete account, which permanently removes your account and all associated data.

EU/EEA or UK? You also have the right to lodge a complaint with your local data-protection authority.

Who helps us run it

Hosted in the EU. Your account and hobby data live on servers in the EU (Germany) and don’t leave the EEA.

To operate kitbashr we rely on a small number of service providers: a hosting provider for our servers, and an email provider for account emails (verification and security).

When you choose a password, we check it against the Have I Been Pwned breach list using a privacy-preserving method that never sends your full password.

That’s the whole list — no data brokers, and nobody buying or renting your information.

Cookies & analytics

Only essential cookies — one to keep you signed in and one security token. No advertising cookies, no cross-site tracking.

We keep minimal, first-party usage stats (like which features get used) purely to fix bugs and improve the app. They’re our own — never shared with advertisers, never sold.

This is the friendly summary. The legally binding detail is in our Privacy Policy and Terms of Service.