Privacy Policy

Effective date: March 17, 2026

Tavern Bag ("Tavern Bag", "we", "us") is a browser extension that adds inventory management, timeline tracking, and compendium search tools to Roll20 tabletop sessions. This policy explains what data the extension collects, why, and how it is handled.

1. Data We Collect

Data	Purpose	Storage
Email address	Account authentication (one-time code sign-in)	Supabase Auth
Session tokens	Keep you signed in between sessions	chrome.storage.local (on your device)
Roll20 campaign ID	Scope compendium searches to your campaign	chrome.storage.local
Character & inventory data	Sync your items between Roll20 and Tavern Bag	Supabase database (your account only)
Subscription / billing status	Determine which features are available	Stripe (via tavernbag.com API)

2. Data We Do Not Collect

We do not collect browsing history, keystrokes, or any data outside of Roll20 pages.
We do not run analytics, tracking pixels, or advertising SDKs.
We do not sell, rent, or share your data with third parties for marketing.
We do not collect personally identifiable information beyond your email address.

3. How Data Is Used

All collected data is used exclusively to provide Tavern Bag functionality:

Authentication: Your email is sent to Supabase Auth to generate a one-time sign-in code. No password is stored.
Session persistence: Encrypted session tokens are kept in your browser's local extension storage so you stay signed in.
Inventory sync: Character and item data you create is stored in a Supabase database tied to your authenticated account.
Compendium search: Search queries are sent to Roll20's compendium API using your existing Roll20 session cookies (the extension does not access or store those cookies).
Billing: Subscription status is checked via our server (tavernbag.com). Payment processing is handled entirely by Stripe; we never see or store credit card numbers.

4. Third-Party Services

Supabase — authentication and database hosting (Supabase Privacy Policy)
Stripe — payment processing (Stripe Privacy Policy)
Roll20 — compendium API searches are performed on Roll20's servers using your existing session

These services receive only the minimum data required to perform their function.

5. Permissions Explained

Permission	Why It Is Needed
`storage`	Store your session tokens and preferences locally on your device.
`host: app.roll20.net`	Run the extension UI and content scripts on Roll20 game pages.
`host: files.d20.io`	Load item and character images hosted by Roll20.
`host: tavernbag.com`	Communicate with the Tavern Bag API for authentication, billing, and AI features.
`host: vivvocgiabalwvlaziuf.supabase.co`	Read and write your inventory data in the Supabase database.

6. Data Retention & Deletion

Your data is retained only while your account is active. You may delete your account and all associated data at any time through our support page. Local extension data can be cleared by uninstalling the extension or clearing the extension's storage from your browser settings.

7. Security

All network communication uses HTTPS. Session tokens are stored locally in your browser's extension storage, which is sandboxed and not accessible to websites. Server-side data is stored in Supabase with row-level security policies that restrict access to authenticated account owners only.

8. Children's Privacy

Tavern Bag is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated through the extension or our website. Continued use of Tavern Bag after changes constitutes acceptance of the updated policy.

10. Contact

Questions about this policy? Visit our support page.