Controller
Enzo Berther
Sonnenbergstrasse 12, 7205 Zizers, Switzerland
Email: info@sithvault.com
General Information
This policy explains which personal data may be processed when using SithVault, why it is processed, which service providers are used, and which rights users may have. The service is operated from Switzerland and is intended as an unofficial fan tool for Star Wars: Unlimited deckbuilding, card browsing, meta information, account-based deck sync, public profiles, collection tracking, billing-gated AI features, and related community features.
We process personal data in accordance with the Swiss Federal Act on Data Protection (FADP). Where the EU/EEA or UK data protection rules apply to a particular user or processing activity, the relevant additional requirements are also considered.
Access Data and Security Logs
When you visit this website, technically necessary access data may be processed, including IP address, access date and time, browser and device information, requested URL, and server log data. This data is required for operation, stability, security, and troubleshooting.
Application logs are kept deliberately limited and may include route, method, status, duration, feature-specific counters, and error codes. They are used to diagnose failures, monitor abuse, and keep the service available.
Accounts, Profiles, Billing, and Access
Authentication, user management, and billing-related access checks are provided through Clerk. If you create an account or sign in, Clerk and SithVault may process identifiers such as your Clerk user ID, email address, username, display name, profile image, account creation date, session information, plan/entitlement status, and similar account data.
Profile bio text is stored in Clerk public metadata and can be shown on public profile pages. Theme preferences are stored in the database together with your Clerk user ID. Internal AI access overrides may store your Clerk user ID, enabled status, expiry date, reason, grantor, and administrative notes.
Paid plans and subscription flows are handled through Clerk and its payment providers. SithVault receives the information needed to decide whether a feature is available, but does not store full payment card numbers.
Decks, Likes, and Community Features
Deckbuilder state is stored in your browser and, for signed-in users, can also be synced to the database. Stored deck data can include deck ID, deck name, format, leader card IDs, base card IDs, main deck card IDs and counts, sideboard card IDs and counts, visibility status, deck snapshot, creation date, update date, and owner Clerk user ID.
Public decks are visible to visitors and may be associated with your public username and profile. Private drafts are intended to be visible only to your signed-in account. Deck likes store the public deck ID, your Clerk user ID, and the like timestamp so that each signed-in user can like a deck only once. Like counts may be shown publicly.
Collection Tracking
If you use the collection feature while signed in, SithVault stores the cards you own so it can show your collection and set progress. For each owned card this can include your Clerk user ID, a card identifier, the set code and card number, the variant (for example normal, foil, hyperspace, or showcase), a virtual quantity (from simulated booster openings), a physical quantity (entered by you), and creation and update timestamps. Per-set statistics such as boosters opened and set-completion milestones may also be stored, together with any achievement badges you earn.
Opening boosters while signed out does not store any collection data. Collection data is tied to your account and is not shown on your public profile.
Tournaments, Drafts, and In-Person Play
When you create, host, or join a tournament or draft, SithVault stores data needed to run it: a tournament or party code, name, format, status, your Clerk user ID (for registered participants), participant display names, seeds, drop status, selected or registered decks, round and match pairings, reported and confirmed results, and any Karabast lobby link entered for a match.
Hosts can add account-less "local" players for in-person play by entering a display name. If you add other people as local players, you are responsible for using a name they are comfortable with and for having their agreement to be listed. Other participants in the same tournament can see participant names, pairings, and results. Idle tournaments are closed automatically after a period of inactivity.
Push Notifications
If you opt in to push notifications, SithVault stores a push subscription so it can notify you about activity such as completed AI tasks. The stored subscription includes your Clerk user ID, a per-browser client identifier, the push service endpoint URL, the subscription encryption keys, and your browser user-agent string.
Notifications are delivered through your browser's push service (for example, the service operated by your browser or operating system vendor). You can withdraw consent at any time by disabling notifications for the site in your browser, which removes the subscription.
Contact Form
When you send a message through the contact form, the name, email address, category, subject, and message you enter are transmitted to the server and delivered by email through Resend so we can read and reply to your request. The form is rate-limited and uses a hidden anti-spam field. Please include only the information needed to handle your request.
Local Storage and Cookies
SithVault uses browser storage and technically necessary cookies to provide app features. It does not use marketing cookies.
- swu.deckbuilder.decks: locally saved decks.
- swu.deckbuilder.activeDeckId: currently selected deck.
- swu.deckbuilder.deck: legacy local deck data used for migration.
- swu.deckbuilder.sealedSessions (and related sealed pool keys): local sealed pack pool and workflow step, kept per deck.
- swu.draft.activeCode / swu.trilogy.current: the draft party or Trilogy session you last had open, used to route you back to it.
- sithvault:collection:pending-pulls:v1: booster pulls opened this session that are queued locally until they are saved to your virtual collection, so a refresh or closed tab doesn't lose them.
- swu.client-id: a random per-browser identifier used to route push notifications to the device that started a task.
- swu.push-prompt.*: remembers whether the notification prompt is pending or was dismissed so it isn't shown repeatedly.
- swu.cookie-consent.v1: stores whether you accepted or declined analytics, so we can honor your choice and not ask again.
Clerk sets authentication cookies when you sign in or sign up. These cookies are required for account sessions and cannot be disabled without preventing login. The service worker may cache static app files and the offline page so the app can load more reliably.
You can delete local data and cached files through your browser settings.
Analytics
Vercel Analytics is used to understand aggregate usage such as page views, referrers, device/browser information, and rough region-level usage. It is cookieless and does not use third-party marketing cookies. Do not include personal data in URLs or search parameters.
Analytics only loads after you accept it in the privacy banner. If you decline, or before you make a choice, no analytics is collected. You can change your decision later by clearing this site's local storage in your browser, which makes the banner appear again. Where consent applies, the legal basis for analytics is your consent, which you can withdraw at any time with effect for the future.
AI Features and RAG Search
The Judge rules assistant is available free of charge to all signed-in users. AI-assisted deck generation and deck improvement require a paid plan or an internal access grant. When any of these features or RAG search are used, selected card IDs, decklists, format, leader/base choices, goals, feedback, rules questions and conversation history, detected card names, search queries, relevant card/rule/meta context, technical metadata, and generated responses may be processed by the server and sent to OpenAI as the configured AI service provider.
AI requests are rate-limited by Clerk user ID. OpenAI API requests are configured with response storage disabled where supported by the API, but OpenAI may still process and retain API data or abuse-monitoring logs according to its platform policies.
Imports, Images, and External Content
When importing a public SWUDB decklist, the SWUDB URL or deck ID you enter is sent to the server. The server retrieves the public decklist from SWUDB and converts it into the local deck format.
Card images and game information may be loaded from or refer to third-party sources, including the official Star Wars: Unlimited CDN and public tournament/decklist sources. Public meta data may include player names, rankings, archetype names, tournament names, public decklists, and related event information from public sources.
Service Providers and Recipients
We use service providers only as needed to operate the app. Depending on the feature used, recipients can include Vercel for hosting, analytics, logs, and deployment infrastructure; Neon for PostgreSQL database hosting; Clerk for authentication, user management, billing, session cookies, profile data, and access checks; OpenAI for AI and embedding requests; Resend for delivering contact-form emails; browser and operating-system push services for delivering notifications; SWUDB for imported public decklists; Hostpoint for domain or related infrastructure services; and public content/CDN providers for card images and game data.
These providers may process data in Switzerland, the EEA, the United Kingdom, the United States, or other countries. If personal data is transferred abroad, we rely on the provider contracts, applicable adequacy decisions, standard contractual clauses, data processing agreements, or other recognized safeguards where required.
Purposes and Legal Basis
Data is processed to provide the website and account features, sync and publish decks, show public profiles, process likes, provide AI and RAG features, check paid or internal feature access, import public deck lists, improve reliability, measure aggregate usage, prevent misuse, protect security, respond to requests, and comply with legal obligations.
Depending on the use case, processing may be based on contract performance or pre-contractual steps, legitimate interests in operating and securing the service, consent, compliance with legal obligations, or the user's decision to publish information publicly.
Retention
Locally stored data remains in your browser until you delete it. Account data is kept while your account exists or as needed for legal, security, billing, or support purposes. Private and public deck data remains stored until it is deleted, unpublished, your account deletion request is handled, or it is no longer needed for the service. Likes remain stored until removed, the deck is deleted, the account deletion request is handled, or retention is otherwise no longer necessary.
Server logs, analytics data, and provider logs are retained only as long as necessary for operation, security, troubleshooting, analytics, legal obligations, or according to the provider's own retention rules.
No Automated Individual Decisions
SithVault does not make solely automated individual decisions with legal or similarly significant effects on users. AI outputs are generated suggestions, not binding decisions about users.
Your Rights
Depending on applicable data protection law, you may have rights to access, data portability, rectification, erasure, restriction of processing, objection, and withdrawal of consent. Requests can be sent to the contact address above.
Requests should identify the account or data concerned. We may need to verify your identity before acting on a request. If you believe that data processing is unlawful, you may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) or another competent supervisory authority.
Changes to This Policy
This privacy policy may be updated if features, technical processes, or legal requirements change. The version published on this website applies.