
Privacy & Data Handling Policies


Contact Forms

When visitors fill out contact forms, we collect the data shown in the form, and also the visitor's IP address to help with spam detection.


When you log in, we will set a cookie to save your login information, and occasionally additional cookies to save your screen display choices. Login cookies last for 2 hours. If you select "Remember Me," your login will persist for up to three months, or until your cookies are cleared in some other manner. If you log out of your account, the login cookies will be removed.

Temporary cookies may also be set when:

  • You are composing messages, to help preserve your information in the event of accidentally navigating away, a power outage, etc. These typically last about two hours.
  • You choose to bypass a warning on a character or group page, to remember the choice that you made about them. These typically last about 48 hours.


When users access the site, we record their IP address to assist in spam and fraud prevention.

The date and time a user last accessed the site is kept as part of that user's information. Only one such timestamp is recorded; accessing the site removes any previous "last usage" timestamp.

Embedded content from other websites

Pages on this site, including character profiles and group profiles, may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor had visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Profile information

When members fill in profile data, that data is typically visible publicly on their user profile. Any information we collect about you in this way shall be used in a manner in keeping with the spirit in which the information was provided. For example, if you enter biographical information about yourself on your profile, that information shall be displayed to other users when they visit your profile.

Although to comply with legal requirements we must obtain accurate birthdates from each user at registration, users have full control over whether their birthday and/or age are displayed to non-staff members.

Information added to character and group profiles should be considered public, unless you take action to restrict who can view the profile. In any event, site moderators and staff can still review profiles hosted on the RP Repository, including profiles still in draft mode.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Although we endeavor to remove this information, we cannot always guarantee it. Visitors to the website may be able to download and extract any location data from images on the website.

You are able to delete any images that you upload to the site at your discretion, so long as you maintain the account that was used to upload the images.

Comments, direct messages and forum posts

When visitors leave messages on the site we collect the data shown in the posting form, and also the visitor’s IP address to help with spam detection.

Comments on news articles, comments in character guestbooks, kudos, posts on public forums, and other such posts made to the public areas of the site are displayed publicly, including to site visitors who do not have an account.

Posts made in groups may or may not be shown publicly; however, the group founder and their designated assistants may be able to change the group's level of publicity at any time.

Reasonable effort will be made to prevent non-invited parties from gaining access to your private messages, groups, and other private data such as ownership of anonymous characters. However, if evidence of rule-breaking, harassment or illegal activity comes to light, the administration may review any site activity as necessary to resolve the issue. In addition, if you request tech support or bug fixes having to do with private content, you are granting permission to the administration to view this content during the course of fixing the issue.

Communications sent via the RPR may be retained indefinitely.


"Accolades" (Achievement badges) may be awarded to members based on their site activity, including submitting useful bug reports, welcoming new members, participation in site events, etc.

These accolades may be visible to the public so long as the user account remains open.


When you enter credit or debit card data for the purposes of activating a subscription, we save ONLY the brand of that card (e.g. Visa, Mastercard) and the last four digits of the card. This means we do not store enough information to actually charge the card. We only save enough to help both us and you identify the card that you are using for monthly membership payments (or other occasional purchases).

Your actual, billable credit card information never touches our server, and is instead stored by our secure billing partner Stripe. Please see "where we send your data" for more information on this.

Other data

Settings, decisions you've made (e.g. to skip part of a tutorial), participation and scoring in events, and other as-needed data may be stored in association with your account in order to provide you with a smooth and functional experience.


We use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a cookie (_ga) with a randomly-generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. We also send Google your IP address. We use GA to track aggregated website behavior, such as what pages you looked at, for how long, and so on. This information is important to us for improving the user experience and determining site effectiveness. If you would like to access what browsing information we have, or ask us to delete any GA data, please delete your _ga cookies, reach out to us via our contact form, and/or install the Google Analytics Opt-Out Browser Add-On.

Where we send your data

We make use of the email service Mailgun to send our newsletters, transactional emails and other announcements. If you have opted-in to our newsletter, we may sync some basic information about you to Mailgun to help us address our emails to you. Mailgun may not use or distribute this information for any reason other than delivering the emails from us to you. You may unsubscribe from our newsletter at any time to stop receiving these emails.

Account registrations and some public comments/forum posts may be checked through an automated spam detection service, usually Stop Forum Spam.

We use Stripe as our credit and debit card processor. Stripe offers safe, secure storage of credit card data. We may also share your name and email address with Stripe for the sole purpose of identifying payments made by you, to make it possible for us to look up charges to your account, double-check their accuracy, and refund them if requested. You may occasionally receive subscription receipts or notices about charges failing or your credit card expiration approaching. See Stripe's privacy policy here.

We also use Stripe as our age verification service provider. We may share the ID number associated with your account if you request this process to take place, so that we can match a successful verification with your account.

What third parties we receive data from

We receive anonymized data from Google Analytics regarding where people are accessing the site from, what browsers and devices are used when accessing the site, what portions of the site see the most traffic, and durations of sessions. This information is not personally identifiable to you and instead gives us an "in general" data view about how the site is used over time.

If you request that an age verification be performed for your account, you will interface with our identity verification provider Stripe. Their API is capable of providing us with some of the identifying information shown on your provided documents; however, we do not read, process or save any information that their API provides other than the date of birth and whether the document was successfully verified or not. As soon as the verification process has been completed, successful or not, we direct Stripe to purge all of your identifying information.

Your contact information

On rare occasions, we may use your provided contact information (email) to contact you off-site. This includes "transactional" messages (such as receipts), notifications that you have requested (such as alerts about new posts in forum topics you have subscribed to), and questions or notices regarding your account.

If you've entered links to social media sites on your public profile, site visitors may be able to find and contact you on those sites. Please use your best judgement about whether or not you wish to publicly share contact information.

How we protect your data

Securing a website requires many different types of threats to be minimized and prepared for. This includes securing the website code, the server that the website is hosted on, and the transfer of data between the user's access device and our service. It also includes having appropriate data-handling policies in place and a culture of security for staff that must handle user data. We've made efforts to address all of these areas, and continue to educate ourselves on evolving best practices and update our procedures or code accordingly.

All connections to the site are made via https:// with a valid third-party SSL certificate to prevent attackers from "listening in" or changing data as it is sent between your computer and our server, and vice versa.

All passwords are stored using one-way encryption; not even the staff here at RP Repository can see your password. In addition, access to even the encrypted passwords is restricted to a very small number (1) of staff members whose jobs absolutely require interacting with the database.

Our customer service procedures are written to require that when someone contacts us about an account, we may only discuss account information or provide password resets or other assistance with the email address associated with the account. If for some reason this is not possible, then other methods of identification must be provided. Simply telling us you no longer have access to your email account is insufficient, as anyone could tell us this. If a member is requesting assistance changing the email associated with their account, we will email the old email address first, in addition to asking for other methods of identification.

We keep our underlying software updated with all necessary security patches.

We have worked with the hosting company that owns the server that RP Repository is hosted on to ensure that our hosting server has been properly hardened against attackers, and have received assurances that if a security breach occurs on their end we will be immediately notified.

In addition to our continued efforts to keep the site safe and secure, we urge our users to make use of good password hygiene practices, including not re-using passwords between different sites or accounts. This is one of the most important steps an individual can take to avoid losing control of more sensitive accounts, such as email and banking.

What data breach procedures we have in place

If we discover or suspect that a data breach has taken place, we will notify all potentially affected users as soon as possible, and no later than 24 hours after becoming aware of the data breach. This will allow potentially affected users to take immediate action to protect themselves such as by changing their passwords on any other site where they re-used their RP Repository password.

We will thoroughly investigate the breach or potential breach, and provide further updates to affected members should any new information of relevance come to light. We will also take corrective action to prevent a similar breach from re-occurring. However, these remedies will not delay our initial alert to members.

If we have a reason to suspect that an individual account has been compromised on the user's end (e.g. having your laptop that was logged into our service stolen, having your password known or guessed by a jealous ex), we may initiate a password reset and contact the account owner.

What automated decision making and/or profiling we do with user data

Your registered age (under/over 18) impacts what content and sections of the site may be available to you.

If suspicious activity is detected in your usage patterns (e.g. behaviors commonly associated with spam bots), our system may alert the moderators to perform a review of said activity to make sure it is in keeping with our community guidelines.

Your participation in and success at "game based" events may impact the frequency or type of random events that occur to you. For example, finding items through random browsing during Epic Week occurs more frequently for those who have been more heavily involved in Epic Week.
