Privacy Policy
Effective date: set at publish — ties to marketing site launch · Last updated: 2026-07-14
Rolls Pending is operated by Alexander Bates-Bianchi trading as Rolls Pending (ABN 92508595221), based in Western Australia ("Rolls Pending", "we", "us"). This policy explains what personal information we collect when you use the Rolls Pending app and website, why we collect it, where it goes, and the choices you have. We've written it in plain English on purpose — if anything is unclear, ask us at support@rollspending.com.
We handle personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you use Rolls Pending from outside Australia, this policy still describes how we treat your information.
1. The short version
- We collect the minimum we need to run the app: your email address, a username, your birth month and year (not your full date of birth), and the content you create.
- Rolls Pending is 16+. We don't accept accounts from anyone under 16, and we use your birth month/year to enforce that and to gate mature content to adults.
- We don't sell your data, we don't run ads, and we don't use third-party advertising or analytics trackers.
- Content you create is private to you and your play group by default. A few things are public by design and clearly labelled as such in the app (community listings, your "About me" block, shared homebrew).
- Marketing email is strictly opt-in (two separate checkboxes, both off by default). Transactional email (confirmations, password resets) is not marketing and arrives regardless.
- Deleting your account is a hard delete: your account and everything belonging to it is permanently removed, including any copy held by our email provider.
2. What we collect
Account information. Your email address, a unique username, and a password (stored only as a secure hash by our authentication provider — we never see it). If you sign in with a third-party provider such as Google, we receive your email address and basic profile identifiers from that provider instead of a password.
Birth month and year. At registration we ask for your birth month and year — deliberately not your full date of birth, to collect as little as possible. We use it for two things only: confirming you meet our minimum age of 16 to hold an account, and deriving whether you are 18 or older, which controls access to content marked as mature (R18) and locks the profanity filter on for users under 18. The month/year is stored in a private, owner-only record; other users can never see it — at most, systems see a derived yes/no adult flag. It is write-once: if you made a genuine mistake entering it, contact support@rollspending.com and we'll correct it for you. If a registration is declined because the person is under 16, we do not keep the information they entered.
Profile information you choose to add. An avatar, and an optional "About me" block (a table line, experience level, playstyle tags, availability). Every field in it is labelled in the app with exactly who will see it. Don't put anything there you don't want other players to read.
Content you create. Characters, campaigns, scenarios, notes, dice roll history within live sessions, compendium entries, and anything you publish to the community areas. Most of this is visible only to you and — where you share it — your Game Master and party. Community listings and published homebrew are visible to other signed-in users, and the app tells you so before you post them.
Marketing preferences. Two independent opt-in flags ("New features" and "Promotions and discounts"), both off by default. We only send marketing email to addresses that have opted in, consistent with the Spam Act 2003 (Cth).
Purchase records (when purchases launch). If you buy a subscription or one-time unlock, the payment is processed by Apple, Google, or our payment provider — we never see or store your card details. We keep a record of your entitlement (what you bought and when) so the app knows what you have access to.
Technical information. Standard server logs (IP address, request timestamps) kept by our infrastructure providers for security and operations. We do not build advertising or tracking profiles from them.
What we deliberately don't collect: your full date of birth, your real name (unless you choose to put it in your username or profile), your address, your phone number, precise location, contacts, or device advertising identifiers.
3. How we use your information
We use your information to: create and secure your account; run the app's features (characters, campaigns, live sessions, the community hub); enforce age-appropriate access to mature-flagged content; send transactional email (account confirmation, password reset, account-deletion codes); send marketing email only where you've opted in; respond to support requests and reports; enforce our Terms of Service and Community Guidelines; and meet legal obligations.
We do not sell personal information, and we do not share it with third parties for their own marketing.
4. Cookies and local storage
The app stores your session token on your device (browser local storage on web; secure app storage on iOS/Android) so you stay signed in. We don't use third-party advertising cookies or cross-site trackers.
5. Who we share information with (service providers)
We use a small number of service providers to run Rolls Pending. They process data on our behalf and are not permitted to use it for their own purposes:
- Supabase — our database, authentication, file storage, and realtime infrastructure. All account data and app content lives here.
- Brevo — our email provider. Sends transactional email (confirmations, resets, deletion codes) and, where you've opted in, marketing email. Where our marketing system syncs your contact details to Brevo, your email address and preference flags are stored there; deleting your Rolls Pending account also deletes the Brevo contact.
- Cloudflare — hosts our website and manages our domain.
- Apple App Store / Google Play / RevenueCat — process in-app purchases when purchases launch (RevenueCat manages subscription/entitlement state across both stores on our behalf). Web checkout provider — pending decision, add once finalised. They handle payment details under their own privacy policies; we receive only the entitlement outcome.
We may also disclose information where required by law, or where reasonably necessary to investigate abuse, enforce our terms, or protect the safety of users.
6. Where your information is stored (overseas disclosure)
Our database is hosted by Supabase. Current state: hosted in Australia (Sydney). Planned for launch: hosted in the United States (US East) — update this section when the production migration lands. Our email provider (Brevo) and website host (Cloudflare) also process data on servers that may be located outside Australia, including in the United States and the European Union.
This means your personal information may be stored or processed overseas. We choose providers with strong security practices, but overseas providers are subject to the laws of the countries they operate in.
7. How long we keep it
We keep your information for as long as your account exists. Content you delete in-app is removed from the live database. When you delete your account (see Section 8), everything belonging to it is permanently deleted. Our infrastructure providers retain short-lived backups and server logs for a limited period as part of normal operations, after which deleted data ages out of those too.
8. Deleting your account
You can delete your account at any time from your Profile. Deletion is guarded by an email verification code and a clear warning, because it is a hard delete:
- Your account, characters, campaigns, compendium entries, profile, avatars, and all other content belonging to you are permanently deleted.
- Your contact record at our email provider is deleted with it.
- Other players in your campaigns are not notified — your content simply becomes unavailable to them. The app warns you about this before you confirm.
- Homebrew that other users have already installed from the community hub is a copy they own — it stays with them (your public listing is removed). See our Content & IP Position for how sharing works.
Deletion is irreversible. We can't recover a deleted account.
9. Access, correction, and your rights
You can view and update most of your information directly in the app (username, email, profile, marketing preferences, content). For anything you can't change yourself — including correcting a genuinely mistaken birth month/year — contact support@rollspending.com and we'll help.
Under the Privacy Act you may request access to the personal information we hold about you and ask us to correct it. If you're in a jurisdiction with additional rights (such as the GDPR's rights of access, rectification, erasure, and portability), we'll honour equivalent requests. We'll respond within a reasonable time and won't charge for reasonable requests.
If you're unhappy with how we've handled your information, contact us first at support@rollspending.com — we take complaints seriously. If you're not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
10. Children and minimum age
Rolls Pending is for people aged 16 and over. We do not accept accounts from anyone under 16 — a deliberate child-safety decision that goes further than the law requires of a service like ours. Age is confirmed at registration via your birth month and year, and registrations below the minimum are declined (and their entered details are not kept). If we become aware that an account holder is under 16, we will close the account and delete its data in line with Section 8.
For account holders aged 16–17, mature-flagged (R18) content is hidden entirely and the profanity filter is locked on. Users whose age we don't know are treated as under 18 for these purposes. We do not knowingly collect any personal information from children under 16.
11. Security
We take reasonable steps to protect your information: encrypted connections throughout, row-level security on every database table (each user can only reach their own data and what's explicitly shared with them), passwords handled exclusively by our authentication provider as secure hashes, and private storage with signed, expiring links for non-public files. No system is perfectly secure, but minimising what we collect in the first place is our primary safeguard: we can't lose what we never had.
If a data breach occurs that is likely to result in serious harm, we will notify affected users and the OAIC in accordance with the Notifiable Data Breaches scheme.
12. Changes to this policy
We'll update this policy as the app evolves (for example, when purchases launch or when our production hosting region changes). Material changes will be announced in the app or by email, and the "Last updated" date above always reflects the current version.
13. Contact
Alexander Bates-Bianchi trading as Rolls Pending (ABN 92508595221) Email: support@rollspending.com Website: rollspending.com