Deep Hollow

Privacy Policy

Last updated: March 18, 2026

1. Who We Are

Deep Hollow is operated by Mr. Phil Games. This policy explains what data we collect, how we use it, and your rights.

2. Data We Collect

Account Information

When you create an account, we collect your email address and name (if provided). If you sign in with Google or GitHub, we receive your name, email, and profile image from those services.

Payment Information

Subscription billing is handled by Stripe. We store your Stripe customer ID and subscription status. We do not store credit card numbers, bank details, or other payment credentials — Stripe handles that directly.

Game Data

We store your campaign state, fortress resources, buildings, event history, and expedition data. This data is associated with your account.

API Keys

When you create API keys for AI assistants, we store a one-way hash of each key. The plaintext key is shown once at creation and is not stored.

Email Signup

If you sign up for updates on the landing page, your email is sent to Resend for email delivery. You can unsubscribe at any time.

3. How We Use Your Data

  • Authenticate you and manage your account
  • Run the game — your campaigns, fortress state, and progress
  • Process subscription payments through Stripe
  • Send product updates if you opted in (email signup)
  • Diagnose technical issues and improve the service

We do not sell your data. We do not use your data for advertising.

4. Third-Party Services

We share data with the following services, only as needed:

  • Neon — Database hosting and authentication
  • Stripe — Payment processing
  • Resend — Email delivery (opt-in only)
  • Vercel — Application hosting

Each service has its own privacy policy. We do not share your data with any other third parties.

5. AI Assistants

Deep Hollow is played through third-party AI assistants (Claude, ChatGPT, etc.). When you share an API key with an AI assistant, that assistant can access your campaign data through our API. We do not control what AI assistants do with the data they retrieve. Share API keys only with services you trust, and revoke keys you no longer use.

6. Data Retention

Account data is retained as long as your account is active. If you delete your account, your data will be removed within 30 days. Revoked API keys are retained (in hashed form) for audit purposes but cannot be used.

7. Your Rights

You can:

  • Access your data through your account dashboard and the API
  • Delete your campaigns from the dashboard
  • Revoke API keys at any time
  • Unsubscribe from emails at any time
  • Request full account deletion by contacting us

8. Security

We use encryption in transit (HTTPS/TLS), hashed API keys, and secure authentication. No system is perfectly secure — if you discover a vulnerability, please report it to mrphil@mrphilgames.com.

9. Changes to This Policy

We may update this policy as the service evolves. Material changes will be communicated via email or a notice on the website.

10. Contact

Privacy questions? Contact us at mrphil@mrphilgames.com.