Navigation
Community

Legal

Privacy Policy

Effective date: 20 May 2026

This Privacy Policy explains how Nightmist Legacy collects, uses, and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Nightmist Legacy is a browser-based multiplayer game operated as an independent project. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller for personal data collected through this service. If you have any questions or requests regarding your data, contact us via the Support page.

2. What Data We Collect

We collect only the data necessary to operate your account and provide the game service: • Account data: username and a securely hashed password (we never store your password in plain text). • Character data: character names, class, race, level, inventory, and in-game progress associated with your account. • Session data: a session token stored in a secure, HttpOnly cookie used to keep you logged in. • Technical logs: server-side logs may capture your IP address and browser user-agent for security and abuse prevention purposes. These are not linked to marketing profiles and are retained for a maximum of 30 days.

3. Lawful Basis for Processing

Under UK GDPR, we rely on the following lawful bases: • Contractual necessity: processing your account and character data is required to provide the game service you have registered for. • Legitimate interests: retaining technical logs for security monitoring and abuse prevention, where those interests are not overridden by your rights. We do not rely on consent as a lawful basis for core service processing, and we do not process your data for marketing or advertising purposes.

4. How We Use Your Data

Your data is used solely to: • Authenticate your account and maintain your session. • Store and display your in-game characters, progress, and activity. • Prevent abuse, cheating, and unauthorised access. • Respond to support requests you submit. We do not sell, rent, share, or disclose your personal data to third parties, except where required by law (e.g., in response to a valid legal request from a UK authority).

5. Data Storage and Security

Your data is stored on servers located within the European Economic Area (EEA). Passwords are hashed using a strong one-way algorithm before storage. We apply reasonable technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. However, no internet transmission is completely secure, and we cannot guarantee absolute security.

6. Data Retention

Account and character data is retained for as long as your account remains active. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law. Technical logs are automatically deleted after 30 days. In-game forum posts and public activity may persist as anonymised data after deletion.

7. Your Rights Under UK GDPR

As a UK data subject, you have the following rights: • Right of access: request a copy of the personal data we hold about you. • Right to rectification: request correction of inaccurate data. • Right to erasure ("right to be forgotten"): request deletion of your data, subject to legal retention requirements. • Right to restriction: request that we limit processing of your data in certain circumstances. • Right to data portability: receive your data in a structured, machine-readable format. • Right to object: object to processing based on legitimate interests. To exercise any of these rights, submit a request via our Support page. We will respond within one calendar month. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

We use a single session cookie to keep you logged in. This cookie is strictly necessary for the service to function and does not track you across other websites. We do not use advertising cookies, analytics cookies, or third-party tracking scripts.

9. Children

This service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has registered an account, please contact us and we will delete the account promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the service after changes are posted constitutes acceptance of the revised policy.

11. Contact

For any data protection queries, requests to exercise your rights, or complaints, contact us via the Support page. We aim to respond to all requests within one calendar month.

Questions? Contact us via the Support page.