PRIVACY POLICY

Mini Kraken is a Brazilian platform dedicated to tabletop RPG, offering character sheet creation, campaigns, an edition library (magazines and books), virtual tabletop tools, and social features.

For the purposes of art. 5, VI, of the LGPD, the Controller of personal data — the party responsible for decisions about processing — is the natural person responsible for operating the Mini Kraken (erpg.app) platform:

• Controller: the party responsible for operating the Mini Kraken (erpg.app) platform
• Privacy contact: contato@erpg.app

The Controller's full civil identification may be obtained upon a reasoned request through the contact channel above, for the purposes of exercising data subject rights or responding to a competent authority.

For ease of understanding, we adopt the definitions of the LGPD:

• Personal data: information relating to an identified or identifiable natural person.
• Sensitive personal data: data concerning racial or ethnic origin, religious belief, political opinion, health, sexual life, genetic or biometric data. Mini Kraken does not intentionally collect sensitive data.
• Data subject: the natural person to whom the data refers (you).
• Processing: any operation on personal data (collection, storage, use, sharing, deletion, etc.).
• Controller / Operator: the party who decides about the processing and the party who carries it out on behalf of the Controller, respectively.
• Data Protection Officer (DPO): the person designated to act as a communication channel between the Controller, data subjects, and the ANPD.
• ANPD: National Data Protection Authority.

This Policy applies to all individuals who access or use Mini Kraken, whether as registered users, subscribers, content creators, or visitors, including access via integrations (such as Discord) and connected tools.

Third-party services that may be accessible through links or integrations (for example, payment processors and support platforms) have their own policies. We are not responsible for third-party privacy practices, and we recommend reading their respective policies.

We collect only the data necessary to operate the platform, in accordance with the principle of data minimization (art. 6, III, of the LGPD). The categories are:

a) Registration and account data

• Email address and username.
• Display name and avatar image, when provided.
• Account registration number and date.

b) Social login data (third-party authentication)

When signing in with Discord, Google, Patreon, or Catarse, we receive from the provider an identifier, your email, and basic profile data. In the case of Discord, we may receive your server (guild) list to enable integrations that you activate.

c) Profile data

• Biography, pronouns, languages, and RPG experience level.
• Profile visibility preferences, followers, and badges.
• Social relationships (following/followers) and participation in communities/guilds.

d) Content created and submitted by you

• Character sheets, campaigns, sessions, world notes, and editor texts.
• Uploaded files: images, audio, videos, documents (PDF/DOCX), maps, tokens, and 3D models, along with their metadata (original name, size, type).
• This content may contain personal data that you choose to include. See section 9 regarding your responsibilities.

e) Subscription and support data (premium)

When linking a subscription via Patreon or Catarse, we record your identifier with the provider, the support tier, the status, and the benefit validity dates. We do not collect or store credit card or payment method data; financial processing takes place entirely on the providers' platforms.

f) Technical, navigation, and security data

• IP address and application access logs (date, time, and actions), used for security, fraud prevention, and compliance with legal obligations.
• Cookies and session identifiers (see section 6).
• Telemetry and error data, for service diagnostics and stability.
• Usage metrics and anonymized/pseudonymized session recordings for interface improvement.

All processing we carry out has a specific purpose and a legal basis provided for in arts. 7 and 11 of the LGPD, as set out in the table below:

Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

We use cookies and similar technologies to authenticate your access, keep your session secure, and, upon consent, measure platform usage. The main ones are:

Essential cookies are indispensable for operation and cannot be disabled without compromising the service. Analytical cookies require your consent and may be declined without affecting essential features. You may also manage cookies in your browser settings.

We do not sell your personal data. We share data only with operators and partners strictly necessary for platform operation, always limited to the purpose and subject to confidentiality and security obligations:

We may also share data to comply with a legal or regulatory obligation, comply with an order from a competent authority, or regularly exercise our rights.

Some of our operators (such as hosting, CDN, and analytics providers) may store or process data on servers located outside Brazil. In such cases, international transfers comply with arts. 33 to 36 of the LGPD, adopting appropriate contractual and technical safeguards to ensure a level of protection compatible with Brazilian law.

Mini Kraken allows you to create and submit content (character sheets, campaigns, texts, images, audio, videos, documents, and 3D models). With respect to such content, we act as an application/hosting provider: we store and display the material in accordance with the visibility settings you define.

Your responsibilities

• You are solely responsible for the content you create, submit, or make public, and you represent that you hold the necessary rights to do so.
• You must not submit unlawful or offensive content, content that infringes third-party rights (including copyright and image rights), or content containing third-party personal data without an adequate legal basis.
• When entering third-party personal data into your content (for example, in character sheets or notes), you act as the controller of such data and assume the corresponding legal responsibilities.
• Content marked as public may be viewed by other users and may eventually be indexed by search engines.

Removal and moderation

We may remove, suspend, or restrict content that violates this Policy, the Terms of Use, or applicable law, as well as comply with removal notifications and court orders. Pursuant to art. 19 of the Marco Civil da Internet, Platform liability for content generated by third parties generally depends on a specific court removal order, except in cases provided by law. To request the removal of content that infringes your rights, use the channels in section 15.

To the fullest extent permitted by law, you agree to hold harmless and indemnify Mini Kraken against third-party claims arising from content you have submitted in violation of this Policy or applicable law.

We retain your data only for as long as necessary for the purposes for which it was collected, or as required by legal obligation:

• Account data and content: while your account is active.
• Application access logs (IP, date/time): for a minimum period of 6 (six) months, in compliance with art. 15 of the Marco Civil da Internet, which may be extended by legal or judicial order.
• Subscription/support data: during the term of the benefit and for a reasonable additional period for fiscal and evidentiary purposes.
• Data necessary for exercising rights in proceedings: until the applicable statute of limitations expires.

After account deletion, personal data will be deleted or anonymized, except where retention is authorized or required by law (art. 16 of the LGPD). Content shared in communities or with other users may remain visible where its removal depends on action by third parties.

Pursuant to art. 18 of the LGPD, you may, at any time, request:

• Confirmation of whether your data is being processed.
• Access to your personal data.
• Correction of incomplete, inaccurate, or outdated data.
• Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data.
• Portability of your data to another provider, upon request.
• Deletion of data processed on the basis of consent.
• Information about the entities with which we share your data.
• Information about the possibility of not providing consent and its consequences.
• Withdrawal of consent.

To exercise your rights, contact us by email at contato@erpg.app. We may request additional information to confirm your identity and protect your data. We will respond as promptly as possible, within legal limits. You also have the right to file a complaint with the ANPD.

We adopt technical and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, or disclosure (arts. 46 to 49 of the LGPD), including:

• Password and traffic encryption (HTTPS/TLS).
• Access controls, authentication, and CSRF protection.
• Rate limiting and anti-fraud mechanisms.
• Error monitoring and security logging.
• Restriction of data access to strictly necessary personnel.

No system is entirely immune to risk. If you identify any vulnerability, please notify us through the channels in section 15.

Mini Kraken may be used by children and adolescents. The processing of their data complies with art. 14 of the LGPD, the Statute of Children and Adolescents, and the principle of the best interests of the child, which shall always prevail.

• Children (under 12 years of age): processing their data requires specific and highlighted consent given by at least one parent or legal guardian.
• Adolescents (12 to 18 years of age): processing complies with the best interests principle and is appropriate to their level of understanding, with guardian supervision where applicable.
• We collect the minimum data necessary (enhanced minimization) and do not condition participation in games and activities on the provision of data beyond what is indispensable.
• We do not process data of children and adolescents for targeted advertising.

Parents and guardians may, at any time, request access to, correction of, or deletion of data, and may withdraw consent, through the channels in section 15. If we identify that a child's data has been collected without adequate consent, we will take measures to delete such data as quickly as possible.

In the event of a security incident that may pose a relevant risk or harm to data subjects, we will notify the ANPD and the affected data subjects within a reasonable period, pursuant to art. 48 of the LGPD and applicable regulations, providing information about the nature of the incident, the data involved, and the measures taken.

To exercise your rights, clarify questions about this Policy, or submit requests relating to personal data, contact our Data Protection Officer:

• Data Protection Officer (DPO): the officer designated by the Controller, reachable at the email address below
• Contact email: contato@erpg.app

This Policy is governed by the laws of the Federative Republic of Brazil, in particular the LGPD, the Marco Civil da Internet, the Consumer Protection Code, and the ECA. The court of the consumer's domicile is elected to resolve any disputes, without prejudice to the legal competences of the ANPD.

We may update this Policy periodically to reflect legal, technical, or business changes. The date of the last update will always appear at the top of the document. Relevant changes may be communicated through the platform's channels. Continued use after publication of an updated version indicates your awareness of the new conditions.