Shadow Walkers — Privacy Policy

Last updated: 12 April 2026 Effective date: 12 April 2026

Dwarven Stronghold Limited ("we", "us") is the data controller for personal data processed in connection with Shadow Walkers. This Privacy Policy explains what personal data we collect, why, how long we keep it, who we share it with and what rights you have.

This Privacy Policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679), and the Privacy and Electronic Communications Regulations (PECR).

---

1. Who we are and how to contact us

• Controller: Dwarven Stronghold Limited
• Company number: 11228461 (England and Wales)
• Registered office: 42-44 Bishopsgate, London, England, EC2N 4AH
• Privacy contact: [email protected]
• Postal contact: Data Protection, Dwarven Stronghold Limited, 42-44 Bishopsgate, London, England, EC2N 4AH, United Kingdom

We do not currently have a statutory Data Protection Officer because we are not required to appoint one under Article 37 UK GDPR, but privacy questions are handled by the privacy contact above.

2. What personal data we collect

We only collect what we need to run the Game, keep it safe and comply with our legal obligations. The table below lists every category of personal data we process.

Category	Examples	Source
Account data	Email address, chosen display name, hashed password, account creation timestamp, preferred language, country of residence	You, at registration
Authentication data	Login timestamps, device fingerprint (coarse), IP address	Automatic at login
Gameplay data	Character name, faction, level, inventory, progression, quest state, playtime, coordinates in the world	Automatic during play
Communication data	Public and private chat messages, guild messages, reports submitted against you or by you	You / reporters
Creative content	Thari Music Tool compositions, screenshots you save server-side	You
NPC AI dialogue data	The text you type to a small number of named LLM-backed NPCs (Stara Pierwsza, Bezimienny, Późny Walker) and the model's reply	You, when you talk to these NPCs
Support data	Emails you send us, bug reports, crash reports, attached logs	You
Payment data	The fact that you made a purchase, the SKU, the amount, the invoice number, the Paddle transaction ID, the last four digits of your card (displayed only)	Paddle
Cookies and similar technologies	Session cookie, preferences cookie, (with consent) analytics identifier	Your browser

We do not collect:

• Full card numbers, CVVs or bank account numbers. All payment data is handled directly by Paddle and never touches our servers.
• Biometric data, genetic data, data about your health, trade-union membership, political opinions, religious beliefs, sexual orientation or other special category data within the meaning of Article 9 UK GDPR.
• Location data more precise than the country level, which we only use to determine the correct tax and regional pricing through Paddle.

3. Why we process this data and on what legal basis

Purpose	Data used	Legal basis (Art. 6 UK GDPR)
Create and maintain your account	Account data, authentication data	Performance of contract (6(1)(b))
Operate the Game and save your progress	Gameplay data, creative content	Performance of contract
Provide in-game chat and guilds	Communication data	Performance of contract
Moderate harassment, fraud and abuse	Communication data, reports, IP address	Legitimate interests (6(1)(f)) — keeping the service safe
Generate NPC dialogue via Anthropic API	Text you type to the three named LLM NPCs	Performance of contract, with your consent at the point of entering the dialogue
Process payments and issue invoices	Payment data	Performance of contract; legal obligation (tax and accounting, 6(1)(c))
Customer support	Support data, account data	Performance of contract
Email you about essential service issues (downtime, security, material policy changes)	Email address	Legitimate interests; legal obligation where required
Send optional marketing emails (devlog digest, launch announcements, sales)	Email address	Consent (6(1)(a)) — you may withdraw at any time
Analytics and service improvement	Coarse usage statistics	Consent via cookie banner; otherwise not collected
Prevent and investigate security incidents	Authentication data, IP address, access logs	Legitimate interests
Comply with law enforcement requests	Any relevant data	Legal obligation

4. Cookies and similar technologies

The Shadow Walkers website and game client set a small number of cookies and similar storage items. A cookie consent banner is shown the first time you visit and any time our cookie inventory changes materially.

• Strictly necessary — a session cookie, a CSRF token, and a preference cookie. These are set without consent because the service cannot function without them (PECR reg. 6(4)(b)).
• Analytics — only set if you opt in. We use a privacy-respecting self-hosted analytics tool; no data is shared with advertising networks.
• Marketing / advertising cookies — we do not use any.

You can withdraw cookie consent at any time by clicking "Cookie settings" in the footer of shadow-walkers.com. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.

5. NPC AI dialogue — important disclosure

Three specific NPCs in Shadow Walkers use a large language model ("LLM") to generate dialogue:

• Stara Pierwsza — Anthropic Claude Opus
• Bezimienny — Anthropic Claude Sonnet
• Późny Walker — Anthropic Claude Sonnet

When you type a message to one of these NPCs:

1. Your message, together with an NPC-specific prompt, is sent to Anthropic PBC in the United States (transfer mechanism: UK International Data Transfer Agreement / EU Standard Contractual Clauses, supplemented by Anthropic's technical and organisational measures).
2. Anthropic generates the reply and returns it to our server.
3. We do not send your email address, login name, IP address, real identity, or any other personally identifying information to Anthropic along with the message. Your character's in-game name and faction may be included in the NPC prompt.
4. Anthropic does not use the data we send for training their models (this is contractually ensured).
5. We store the conversation logs only as long as strictly needed for safety review (up to 90 days).

The first time you enter a conversation with one of these NPCs, you will see an in-game notice explaining this and asking you to confirm. If you decline, the NPC will switch to a scripted fallback dialogue and no data will be sent to Anthropic. All other NPCs in the Game (9+) run on locally hosted models and do not transfer data outside our own infrastructure.

6. Who we share personal data with

We share personal data only with processors who help us run the Game under a written data-processing agreement. We do not sell personal data and we do not share it with advertisers.

Recipient	Role	Location	What they receive
Paddle.com Market Limited	Payment processor, Merchant of Record	United Kingdom	Name, email, billing country, card data (Paddle only), purchase details
Hetzner Online GmbH	Server hosting	Germany (EU)	All data stored on our servers (at rest and in memory)
Anthropic PBC	LLM API for three named NPCs	United States	Your dialogue messages to those NPCs only (see Section 5)
Nume (nume.pl) — email hosting	Outbound transactional email (account, billing, support) and opt-in marketing email, via a Stalwart JMAP server	Poland (European Union)	Your email address and the content of messages we send you

If we ever need to add a processor, we will update this list before doing so.

We may also disclose personal data:

• to comply with a valid court order, statutory request or regulator demand;
• to cooperate with law enforcement on serious safety investigations;
• to protect the rights, property or safety of us, our players, or any other person;
• in connection with a merger, acquisition, or sale of assets, in which case the acquiring entity becomes bound by this Privacy Policy or an equivalent.

7. International transfers

Personal data is stored in the European Union (Germany) and, for the specific purposes described above, transferred to the United Kingdom (Paddle) and the United States (Anthropic). All transfers outside the UK and EEA are covered by the UK International Data Transfer Addendum or the EU Standard Contractual Clauses as supplementary measures, and we review the transfer-impact assessment every 12 months.

You can request a copy of the safeguards that apply to any specific transfer by writing to [email protected].

8. How long we keep personal data

Category	Retention	Reason
Account data	For the life of your account, plus 30 days after closure	Recovery window in case you asked to close the account by mistake
Gameplay data (character, inventory, progression)	For the life of your account, plus 30 days after closure	Same
Chat messages — public / party / guild	90 days	Moderation and safety review
Chat messages — direct / whisper	30 days	Moderation and safety review
Reports of harassment and their evidence	2 years from closure of the report	Protection of other players
NPC AI dialogue logs	90 days	Safety review
Payment records and invoices	7 years	UK HMRC tax and accounting obligation
Security and access logs	12 months	Incident investigation
Support tickets	2 years from resolution	Customer service history
Marketing email list	Until you unsubscribe	Consent

When a retention period ends, data is either deleted, anonymised beyond recovery, or archived in encrypted cold storage that is deleted on schedule.

9. Your rights

Under the UK GDPR and the EU GDPR you have the right to:

• Access — get a copy of the personal data we hold about you, together with the information in this Privacy Policy.
• Rectification — have inaccurate or incomplete data corrected.
• Erasure ("right to be forgotten") — have your data deleted where the legal basis allows, in particular after closing your account.
• Restriction — ask us to temporarily stop processing some of your data.
• Portability — receive certain data you gave us in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests, including profiling. For direct marketing, objection is absolute.
• Withdraw consent — for processing based on consent, without affecting the lawfulness of processing before the withdrawal.
• Not be subject to purely automated decisions — we do not make legally-significant decisions about you based solely on automated processing.
• Lodge a complaint — with the Information Commissioner's Office in the UK (ico.org.uk), or with your local supervisory authority in the EEA. We would ask you to try contacting us first so that we can resolve the issue directly.

To exercise any of these rights, write to [email protected]. We will verify your identity and respond within 30 days, extendable by a further 60 days for complex requests (we will tell you if we extend).

10. How we keep your data safe

• Passwords are hashed using a modern password-hashing function (argon2id); we never store plaintext passwords.
• TLS 1.3 for every connection between client, website and server; the THARI Protocol also runs inside TLS on the Rust gateway.
• Encrypted backups, rotated keys, principle of least privilege on infrastructure access.
• Regular patching of operating system and dependencies.
• Internal access to personal data is limited to a small number of administrators and is logged.
• Incident response plan with a commitment to notify affected users and the supervisory authority within 72 hours of becoming aware of a personal data breach, where required by Articles 33-34 UK GDPR.

No system is perfectly secure. If you believe you have found a security vulnerability in Shadow Walkers, please contact [email protected] before disclosing it publicly; we follow a good-faith disclosure policy and will not take legal action against responsible researchers.

11. Children

Shadow Walkers is not directed at children under 13 and we do not knowingly collect personal data from them. In certain countries (for example, several EU member states) the minimum age for consent to online services is 16, and we apply that higher age for users in those countries.

If you believe a child has created an account, contact [email protected] and we will investigate and delete the account and associated personal data as appropriate.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make a material change — for example, adding a new processor, changing retention periods, or adding a new processing purpose — we will:

• update the "Last updated" date at the top,
• notify you by email and by an in-game notice at least 14 days before the change takes effect, where reasonably possible,
• ask for renewed consent where the legal basis for the change is consent.

Historical versions of this Privacy Policy are kept in our public changelog on shadow-walkers.com/legal/changelog.

13. Supervisory authority

If you are not satisfied with how we handle your personal data, you can complain to the UK supervisory authority:

Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom Website: https://ico.org.uk — Helpline: +44 (0)303 123 1113

EEA residents may also complain to their national data protection authority.