Privacy — NachoMUD

← Back to NachoMUD
# Privacy Policy

_Last updated: 2026-04-30_

NachoMUD is an open-source text MUD operated by Christopher Bush. We
keep this short and try to keep "what you give us" small. If something
here changes, we'll update the date above.

## What we collect

- **Email address** — when you sign in. We use it only to send you the
  one-time sign-in link and to identify your account on subsequent
  logins.
- **Character data** — your character name, class, race, stats,
  inventory, location, and game progress. Persisted on disk on the
  server.
- **Session cookie** — a small, signed cookie (~200 bytes) that proves
  you're signed in. Necessary for the site to work after sign-in.
- **Standard server logs** — IP address, request path, user agent,
  timestamp. Logged for operational reasons (debugging, abuse).

We do **not** collect or store passwords (there are no passwords —
sign-in is by email magic link).

## Cookies

We use one cookie: a signed session cookie set after you sign in. It
contains your account ID. It's marked `HttpOnly` and `SameSite=Lax`,
and `Secure` over HTTPS. There is no third-party tracking cookie set
by NachoMUD itself.

NachoMUD may display third-party advertising in the future. If/when
ads are enabled, the ad network may set its own cookies — those are
governed by the ad network's privacy policy, not this one. We will
update this section before any ads go live.

## AI / LLM-generated content

NachoMUD's world is generated by Large Language Models (Llama models
running on the server). Prompts (your messages to the DM, your
free-form actions, NPC interactions) are sent to the LLM along with a
window of recent game context to produce replies. We don't send your
email address or account ID to the LLM.

LLM-generated content can be unpredictable. The world contains
fictional violence, mild profanity, and themes appropriate for an
adult fantasy/RPG audience. NachoMUD is **18+**. See [`TERMS.md`](TERMS.md).

## Sharing

We don't sell your data. We don't share it with third parties, except:

- The hosting provider (AWS) sees server-log-level data as a normal
  consequence of running the site.
- Email delivery (Fastmail SMTP) sees the magic-link email content
  and your address — it has to, in order to deliver.
- Law enforcement, if compelled by a valid legal process.

## Retention

- Account + character data is kept until you ask us to delete it.
- Server logs are kept for up to 30 days, then rotated out.
- Magic-link tokens expire after 15 minutes and are deleted on use.

## Your rights

Email <howdy@nacho.bot> if you want to:

- Delete your account and all associated data
- Get a copy of your character data
- Ask any other privacy question

## Children

NachoMUD is for adults (18+). We don't knowingly collect data from
children under 18. If you believe a child has signed up, please
contact <howdy@nacho.bot> and we'll delete the account.

## Self-hosting

If you self-host NachoMUD from this repo, **you** are the data
controller for your instance. This policy describes the public
nacho.bot deployment only.

## Contact

Privacy questions: <howdy@nacho.bot>