Privacy Policy
ROK Steward (“we”, “us”, or “the service”) is a web application that turns Rise of Kingdoms stat exports into formatted reports. We collect as little data as possible and are transparent about what we do with it.
1. Information we collect
We collect only the information needed to operate the service:
- Account information: your email address and a password (cryptographically hashed; we never see the plaintext). If you sign in with Discord or another OAuth provider, we receive your provider user ID, email, and basic profile info.
- Subscription & billing state: your plan (Monthly / Annual / Credit Pack), subscription status, current period end, credit balance, and your Stripe customer/subscription IDs. We do not store your credit-card details — those are handled entirely by Stripe.
- Uploaded Rise of Kingdoms stat files: used to generate the report you requested. We may also retain some or all of the in-game data in your uploads (governor IDs, kingdom numbers, power, kill counts, dead troop counts, and similar game metrics) to improve the service, build aggregated features such as community leaderboards and benchmarks, and develop future products — see Terms of Service section 6 for the full license. In-game stats are stored separately from your account email and payment information and are not publicly attributed to your real-world identity without your consent.
- Generated reports (Excel / PDF): once your download is built, we store a copy in private, access-controlled storage so you can redownload it from the “Your reports” page without regenerating. Reports are automatically deleted after 30 days, or immediately when you click Delete. Only you can access your own reports; we never share them.
- Usage logs: standard web-server logs (timestamps, IP address, URL paths, status codes, user-agent). Retained for up to 30 days for security and debugging, then deleted.
2. How we use information
- To authenticate you and keep your account session active.
- To provide and bill for subscriptions or credit packs.
- To send transactional email (account confirmation, password reset, receipts).
- To investigate abuse, fraud, or technical issues.
We do not sell data, and we do not run advertising trackers.
3. Third parties we share data with
We share the minimum data needed with these processors:
- Supabase — authentication + database. Holds your email and hashed password.
- Stripe — payments. Holds your card details and billing history. Their privacy policy: stripe.com/privacy.
- Resend (or equivalent) — outbound transactional email. Receives your email address to deliver account messages.
- Vercel — hosting. Handles HTTP requests, logs, and caches.
- Cloudflare — DDoS protection + DNS. Sits in front of traffic to your browser.
Each of these operates under its own contract and privacy policy. We never sell your data to a third party.
4. Cookies
We use cookies for:
- Authentication session — set by Supabase. HttpOnly, Secure, SameSite=Lax. Required; you cannot sign in without it.
- CSRF protection — set on state-changing requests. No tracking.
We do not use advertising or third-party analytics cookies.
5. Data retention
- Account data: kept as long as your account is active. When you delete your account, your profile, subscription records, and credits are removed within 30 days, except records we must keep for legal or tax reasons (e.g., invoice history retained for 7 years).
- Uploaded stat files: may be retained indefinitely for product improvement and future features as described in Terms of Service section 6. Individual records may be anonymized or aggregated over time. You can request deletion of your stored stats at any time — see "Your rights" below.
- Generated reports: 30 days, then automatically deleted. You can delete individual reports at any time from the “Your reports” page.
- Server logs: 30 days.
6. Your rights
You can:
- Access the data we hold about you — email us (below) and we’ll send a copy within 30 days.
- Correct inaccurate data — via your account settings or by contacting us.
- Delete your account and associated personal data — email us.
- Export your data in a machine-readable format.
If you’re in the EU, UK, or California, you also have rights under GDPR, UK GDPR, and CCPA respectively. Email us to exercise them; we respond within the legally required timeframe.
7. Security
We enforce HTTPS everywhere, use HttpOnly secure cookies for sessions, hash passwords with Argon2id (via Supabase), enforce row-level security on our database, verify all Stripe webhooks cryptographically, and apply a strict Content Security Policy. No system is perfectly secure; we treat any suspected breach as an emergency and will notify affected users within 72 hours of discovery.
8. Children
ROK Steward is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect data from users under that age. If you believe a child has registered, email us and we’ll delete the account.
9. International users
The service is operated from the United States of America. By using it, you consent to your data being processed in the countries where our processors (Supabase, Stripe, Vercel, Cloudflare, Resend) operate, which may include the United States and the European Union.
10. Changes to this policy
We may update this policy to reflect changes in our practices or in the law. Material changes will be announced via email to your account address at least 14 days before they take effect.
11. Contact
Questions, data requests, or complaints: privacy@roksteward.com.