Skip to content
← Back to home

Privacy Policy

Last updated: 18/07/2026 · Effective: 18/07/2026

This Privacy Policy explains how Peter Neale, trading as Scry, an Australian sole trader (ABN 12 605 313 932) (“Scry,” “we,” “us”), collects, uses, shares, and protects personal data when you use Scry's website, application, and Discord bot (the “Service”). It should be read alongside our Terms of Service and AI Policy.

Scry is registered in Australia and serves users worldwide. This policy addresses the Australian Privacy Act 1988, the EU/UK GDPR, and, where applicable, U.S. state privacy laws such as the CCPA — see Section 9 for your rights under each.


1. Information We Collect

Account information. When you sign in via Discord OAuth (through Clerk), we receive your Discord username, Discord user ID, email address, and avatar. We don't receive your Discord password.

Session audio and transcripts. When you record a session, we capture per-user voice audio in the Discord voice channel the bot joins, transcribe it, and derive summaries, entity extractions, and wiki content from it. See Section 4 for how consent works here.

Wiki and campaign content. Entity pages, wiki edits, tags, tasks, campaign settings, and chat messages you send to the Unseen Servant, DM Assistant, or Prep Assistant.

Uploaded files. PDFs and documents you upload for entity/vocabulary extraction. See Section 5.

Payment information. Handled entirely by Stripe. We receive confirmation of payment and subscription status, not your full card number.

Usage and device data. Pages visited, features used, browser/device type, and IP address, collected via PostHog for product analytics, and error/crash data via Sentry.

Communications. Support emails and other messages you send us.


2. How We Use Information

We use the information above to: provide and operate the Service (recording, transcription, wiki generation, AI features); process payments and manage subscriptions; monitor and improve reliability and performance; detect abuse and enforce our Terms; communicate with you about your account, billing, or product updates; and comply with legal obligations.

Full detail on which AI provider processes which data, for which feature, is in our AI Policy. In short: we do not use your content to train third-party foundation models, and we do not sell your personal data.


3. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on:

  • Contract — processing needed to provide the Service you signed up for (account data, wiki content, billing).
  • Consent — session voice recording (see Section 4), and non-essential analytics cookies.
  • Legitimate interests — security, fraud prevention, and product analytics, balanced against your rights.
  • Legal obligation — where we're required to retain or disclose data by law.

You can withdraw consent at any time; this doesn't affect processing already carried out under that consent.


4. Voice Recording and Session Participant Consent

Before the bot begins recording a voice channel, it posts a disclosure message with a 60-second window during which any participant can opt out by reaction. Consent is tracked per-person, per-server (granted or withdrawn), including how it was given, the disclosure version shown, and, where applicable, the IP address at the time consent was granted. A participant can withdraw consent at any time going forward, and can request deletion of their prior audio and transcript data with the /scry delete-my-data command, which permanently deletes their audio segments and transcript rows and is logged in an append-only deletion record.

Recording consent laws differ by jurisdiction — some places require only one participant's consent, others require everyone's. We built this mechanism to give hosts and participants clear notice and an easy way to opt out or withdraw, but the person initiating the recording (typically the DM) is responsible for complying with the law that applies to their session — see Section 7 of the Terms of Service.


5. PDF and Sourcebook Uploads

When you upload a PDF or document, it's processed through an ephemeral pipeline: we extract text, proper nouns, and (where detected) character art and stat blocks into your campaign wiki, then delete the source file from storage — backed by an automatic 24-hour deletion policy regardless of processing outcome. We do not retain your uploaded files long-term, and we do not use their content for anything beyond building your own campaign wiki.

Before you can upload a file, you must confirm you own it or otherwise have the right to use it — this attestation, along with the file hash, timestamp, and account, is logged so we have a record of it. See Section 4.3 of the Terms of Service for the full representation you're making.


6. Third Parties We Share Data With

We share data only as needed to operate the Service. We do not sell your personal data, and we do not share it for third-party advertising purposes.

ProviderPurposeData involved
DiscordBot integration, OAuth loginDiscord ID, username, voice audio
ClerkAuthenticationAccount/session identifiers
VercelApplication hostingAll Service traffic
SupabaseDatabase, vector storage, file storage, temporary PDF staging during processingAccount, wiki, campaign data; uploaded PDF files (held only for the duration of processing)
RailwayDiscord bot hosting, background job processingSession/audio processing data
StripePayment processingBilling/payment data (not full card numbers)
GroqVoice transcription (Whisper)Session audio
DeepSeekAI processing (entity extraction, summarization, wiki chat)Transcripts, wiki content, chat queries
OpenAIText embeddings for searchWiki/entity text
PostHogProduct analyticsUsage/device data
SentryError monitoringTechnical/error data
ResendTransactional emailEmail address

We may also disclose information if required by law, to protect the rights and safety of Scry or others, or in connection with a merger, acquisition, or asset sale (with notice to you).

A note on DeepSeek specifically. We use DeepSeek's AI technology to power entity extraction, summarization, and chat features — the Unseen Servant, DM Assistant, and Prep Assistant. That processing currently happens on infrastructure in mainland China, and unlike our other providers, DeepSeek doesn't yet offer a GDPR data processing agreement, Standard Contractual Clauses, or an EU adequacy decision covering this. If you're in the EU, EEA, or UK, that's worth knowing before you use those specific features. Session recording, transcription, and the core wiki don't touch DeepSeek and aren't affected.

If you're a business customer entering into our Data Processing Addendum, that document governs sub-processor terms in more detail, including your right to object to new sub-processors.


7. International Data Transfers

We're registered in Australia, and our infrastructure providers may process and store data outside your home country. Where we transfer personal data of individuals in the EU/EEA or UK internationally, the safeguard depends on the provider: most rely on Standard Contractual Clauses, the EU-US Data Privacy Framework, or (in Supabase's case, since our infrastructure is hosted in Japan) an existing EU adequacy decision. DeepSeek is the one exception, described above — no transfer safeguard currently applies to that specific provider.


8. Data Retention

  • Session audio: deleted per plan-level retention limits (see your account settings for current limits); never stored beyond 72 hours regardless of plan.
  • Transcripts and wiki content: retained for as long as your account and campaign are active.
  • Uploaded PDFs: deleted after processing, with a 24-hour hard backstop.
  • Vector embeddings: deleted when the entity they're linked to is deleted.
  • Deletion requests (/scry delete-my-data, account deletion): audio and transcript rows are hard-deleted; an append-only deletion log records that a deletion occurred, without retaining the underlying personal data.
  • Post-cancellation: if you cancel your subscription, your data is retained per the terms on our AI Policy page (including your window to export via Obsidian export) before deletion.

9. Your Privacy Rights

If you're in the EU, EEA, or UK (GDPR)

You have the right to access, correct, delete, or export your personal data; restrict or object to processing; and withdraw consent at any time. You also have the right to lodge a complaint with your local data protection supervisory authority.

If you're in Australia (Privacy Act 1988)

As a sole trader with turnover under AUD $3 million, Scry currently falls within the Privacy Act's small business exemption, meaning the Australian Privacy Principles (APPs) don't strictly apply yet. We're extending equivalent rights anyway — access, correction, deletion, and a complaints path — both because that exemption is under active legislative review and because it's the right baseline regardless of what's strictly required. You can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at any time.

If you're in California or another U.S. state with a consumer privacy law

We extend the same core rights to all users regardless of location: the right to know what personal data we hold about you, the right to request deletion, the right to correct inaccurate data, and the right to non-discrimination for exercising these rights. We do not sell or share personal data as those terms are defined under the CCPA.

How to exercise your rights

Email us at peter@getscrying.com, or use in-app tools where available (account settings, Obsidian export, /scry delete-my-data). We'll respond within the timeframe required by applicable law.


10. Children's Privacy

Scry is not directed at children under 13, and account registration requires you to be 18 or older (see Section 1 of the Terms of Service). We recognize that TTRPG sessions sometimes include minors as players, invited by a DM who is not us. If you are a DM inviting minors into a session, you are responsible for any parental consent or notice their participation requires under your local law; our voice-consent mechanism (Section 4) applies to everyone in the channel regardless of age, but does not substitute for that responsibility.


11. Cookies and Analytics

We use essential cookies to operate the Service (authentication, session state) and analytics cookies (PostHog) to understand product usage. Where required by law, we'll ask for your consent to non-essential cookies via a cookie banner, and you can withdraw that consent at any time.


12. Security

We use industry-standard safeguards, including encryption in transit, row-level security on all database tables, and service-role-only access from backend workers and the Discord bot (frontend clients never hold elevated database credentials). No system is perfectly secure, and we can't guarantee absolute security of information transmitted to the Service.


13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or an in-app notice before they take effect.


14. Contact Us

Questions about this Privacy Policy or your data: peter@getscrying.com

Never break the spell again.

Your world, remembered. Your sessions, summarised. Your players, seen.

Start for free

No card required