Privacy Policy
Last updated: June 2026
This notice is issued pursuant to Art. 13 of Regulation (EU) 2016/679 ("GDPR") and Legislative Decree 196/2003 ("Privacy Code") as amended by Legislative Decree 101/2018.
Data Controller
Mana Forge is a non-commercial hobbyist project operated by a private Italian citizen. The data controller can be identified and contacted at info@manaforge.it; full identity details (name, surname, residence) will be provided upon formal request by the data subject or the supervisory authority.
Data Minimization
Mana Forge collects only the data strictly necessary to provide the service. We do not collect real names, phone numbers, physical addresses, or payment data. We collect an email address at registration for password recovery and essential service communications.
Data We Process
- Username: a pseudonym of your choice. Not linked to your real identity.
- Email: used exclusively for authentication (password reset), optional address verification, and service communications. Not shared with third parties; never used for advertising purposes.
- Display name: optional. We recommend not using your real name.
- Password: stored exclusively as a non-reversible hash (bcrypt). We cannot read your password.
- Game data: deck lists, primers, game logs, salt votes. These are game data, not personal data.
- Friend relationships: list of users with whom you have an accepted friendship, and request timestamps. Processed to enable social features (see dedicated section).
- Credits and transactions: credit balance, purchase history, spending, and monthly bonuses. Required to deliver AI features.
- AI usage logs: token count and cost per request, to monitor service integrity and detect abuse. Associated with your user ID; never contain the content of your messages.
Social Features and Deck Sharing
Mana Forge allows you to add other users as friends. When you accept a friend request, the other person automatically gains access to all your decks not marked as private (name, commander, full deck list, primer). This is a direct consequence of acceptance: no separate consent is requested for each individual deck.
You can control the visibility of each deck individually:
- Private (only me): not even friends can see it. Toggle from the deck menu.
- Friends-visible (default): your accepted friends can open it from the "Friends" page or use it in an AI Matchup.
- Public: visible to anyone in the "Explore" section (even without registration) and accessible via a sharing link to anyone with the URL. This is not the default.
You can remove a friend at any time from "Friends"; the removal is instant and revokes all access to your decks from that moment.
AI Matchup and Third-Party Data
The AI Matchup feature allows you to analyze the likely outcome of a game by comparing 2–4 decks. When you start an analysis, the complete deck lists (including those of friends selected at the table) are transmitted to Anthropic Inc. (Claude AI) for processing. Your friends have implicitly authorized this processing by accepting the friend request and keeping their decks non-private; you can protect a specific deck by marking it "Private".
Notifications
We send you in-app notifications (and via email when you have verified your address) for: received friend requests, accepted friendships, price alerts, low credit thresholds, and the weekly Forge Brief digest. You can disable the digest at any time from Settings or via the link in the email itself.
Legal Basis (Art. 6 GDPR)
The legal basis for processing is performance of a contract to which you are a party (Art. 6.1.b GDPR): we process your data to provide you the service you registered for. Consent is not required for strictly necessary processing. For analytics cookies (Hotjar/Contentsquare) the legal basis is instead your consent (Art. 6.1.a GDPR), which you can withdraw at any time from the Cookie Policy.
Data Retention
Data is retained for the lifetime of your account. Upon account deletion, all data (username, deck lists, game logs, votes) is removed from active systems within 24 hours; any residual copies in technical backups are deleted within 30 days.
Sub-processors and Third-Party Services
- Anthropic (Claude AI): deck-building conversations and deck lists used for AI Matchup / Coach AI are processed by the Anthropic API. They are not retained by Mana Forge after the session ends, except as needed for caching user-requested analyses. See Anthropic Privacy Policy.
- Resend: transactional email delivery service (account verification, password reset, price alerts, weekly digest). Receives your email address and message content. See Resend Privacy Policy.
- Lemon Squeezy: payment processor for credit purchases, acting as merchant of record. Receives email, payment data (via Stripe under the hood), and billing address. See Lemon Squeezy Privacy Policy.
- Scryfall: card images are loaded directly from Scryfall's CDN; your browser makes requests to Scryfall's servers. See Scryfall Privacy Policy.
- Qdrant: vector database used to compute synergies via embeddings. Receives only card identifiers, never personal data.
- Sentry: error monitoring (crash reporting). Only in the event of an application error does it receive diagnostic technical data (error type, stack trace, page URL, browser and operating system). Configured exclusively for errors: no performance tracing, no session recording, no profiling. Data hosted on EU servers (Germany). See Sentry Privacy Policy.
- Hotjar / Contentsquare: behavioral analytics (session recordings, heatmaps) to improve usability. Activated only upon your explicit consent via the banner: if you decline, the script is not loaded and no cookie is set. Hotjar masks typed field data by default. You can withdraw consent at any time from the Cookie Policy. See Hotjar Privacy Policy.
- DigitalOcean: service hosting, EU data center.
We do not sell, transfer, or share your data with other third parties for marketing purposes, and we do not use advertising or profiling for marketing. For behavioral analytics (usability) we use Hotjar/Contentsquare only upon your explicit consent (see banner and Cookie Policy); for error monitoring we use Sentry. Both are described above among the sub-processors.
Cookies
Mana Forge uses a single technical preference cookie, NEXT_LOCALE, to remember the interface language (a session cookie exempt from consent); authentication instead relies on a Bearer token stored in the browser's localStorage. We use analytics cookies (Hotjar/Contentsquare) exclusively upon your explicit consent: without consent no cookie is set. See Cookie Policy.
Minimum Age
The service is reserved for users aged 14 or older, in accordance with Art. 8 GDPR and the threshold set by Italian law (Art. 2-quinquies Legislative Decree 196/2003).
Your Rights (Arts. 15–22 GDPR)
- Access: view your data in the app (decks, games, account info).
- Rectification: update your display name or email from the Settings page.
- Erasure: delete your account from the Settings page. Data is permanently removed.
- Portability: download a complete JSON export of your data from Settings → "Download my data".
- Restriction: you may request that we restrict processing by contacting us.
- Objection: you may object to processing on grounds relating to your situation.
- Session control: revoke all active sessions from Settings if you suspect a compromise.
- Complaint: you may lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
Contact
For privacy inquiries: info@manaforge.it