SiegeMarch is operated by DigiReply Ltd. This policy explains what personal data we collect when you play, why we collect it, how we protect it, and your rights over it. We keep this short and plain because we believe you deserve to understand it.
Contents
1. Data We Collect
Account Data
When you create an account you provide:
- Username — displayed to other players in-game (choose carefully; do not use your real name)
- Email address — used only for account recovery and critical service notices; never shown publicly
- Password — stored as a salted bcrypt hash; we cannot read it
Automatically Collected Data
When you connect to our servers we automatically record:
- IP address — recorded at signup and each login for security and abuse prevention
- Login timestamps — when you last signed in
- Authentication event logs — successful and failed login attempts, used to detect brute-force or credential-stuffing attacks
Gameplay Data
All in-game actions — village state, buildings, armies, resources, trade, combat, and explored map tiles — are stored in our database to maintain your persistent game world. Chat messages sent in-game are stored for moderation purposes.
Device & Technical Data
When you use the web or mobile app, standard HTTP request metadata is processed (browser type, operating system, referrer). We do not run third-party analytics SDKs and we do not track you across other websites.
2. Why We Collect It
We collect data only for specific, legitimate purposes:
- Providing the service — running your persistent game world, authenticating your session, delivering real-time gameplay via WebSocket
- Security — detecting and blocking account abuse, credential stuffing, and bot registrations (including Cloudflare Turnstile verification on login/signup)
- Account recovery — your email allows us to help you regain access if you forget your password
- Service communications — critical notices about the game service (downtime, season resets, security alerts); we do not send marketing emails
- Legal compliance — retaining records as required by applicable law
We do not sell your data, share it for advertising purposes, or use it for profiling.
3. How It Is Stored
Data is stored on servers hosted within the European Union (EU). Specifically:
- PostgreSQL database — account records, gameplay state, login logs
- Redis — active session tokens; these expire automatically after 7 days of inactivity
- Server access logs — standard nginx logs retained for up to 30 days, then deleted
Backups are encrypted at rest. We do not store payment information — SiegeMarch currently has no paid features.
4. Third Parties
We use a minimal set of third-party services:
- Cloudflare Turnstile — a privacy-respecting bot-detection widget shown on the login and registration form. Cloudflare receives your IP address and the challenge result to verify you are human. Cloudflare's own Privacy Policy applies to this data.
- Google Fonts — the landing page loads fonts from Google's CDN. Google may receive your IP address as part of this request. You can avoid this by using the game directly at /game.html which does not use Google Fonts.
We do not use Facebook Pixel, Google Analytics, or any other behavioural tracking services.
6. Security
We take reasonable technical measures to protect your data:
- All connections are encrypted with TLS (HTTPS/WSS)
- Passwords are hashed with bcrypt (cost factor 10) — we cannot recover your plaintext password
- API endpoints are rate-limited (5 auth requests per minute per IP) to resist brute-force attacks
- Bot detection via Cloudflare Turnstile on all auth endpoints
- Login failures are logged and can trigger automated IP blocking
No method of transmission over the internet is 100% secure. If you discover a security vulnerability please contact us at security@digireply.com before disclosing it publicly.
7. Data Retention
- Account data — retained for as long as your account exists plus 90 days after deletion to allow recovery from accidental deletions
- Login logs — retained for 12 months, then automatically purged
- Gameplay data — game worlds reset at the end of each season; historical season summaries (username, rank, score) may be retained indefinitely for leaderboard purposes
- Server access logs — 30 days
You may request deletion of your account and associated personal data at any time (see Your Rights below).
8. Your Rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data (e.g. your email address)
- Erasure — request deletion of your account and personal data
- Restriction — ask us to limit how we use your data while a dispute is resolved
- Portability — receive your account data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email privacy@digireply.com from the address registered to your account. We will respond within 30 days.
If you are in the EU/EEA and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority.
9. Children
SiegeMarch is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us at privacy@digireply.com and we will delete the account promptly.
10. Changes to This Policy
We may update this policy as the service evolves. When we make material changes we will update the effective date at the top of this page and, where appropriate, notify registered players by email. Your continued use of SiegeMarch after any change constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions or requests:
- Email: privacy@digireply.com
- General: contact@digireply.com
DigiReply Ltd — Operator of SiegeMarch