Hellbent · Paraply Ventures

Privacy Policy

Effective 16 June 2026

Hellbent is a Magic: The Gathering Commander deck-building app published by Paraply Ventures. This policy explains what data we collect, how we use it, who we share it with, and the choices you have. Hellbent works offline by default — you only share data with us if you choose to create an account and sync.

Data we collect

Account information (only if you create an account)

Your email address, a display name you choose, and a password. Your password is stored only as a salted Argon2 hash — we never store or can read your actual password. We also record whether your email is verified and when your account was created and last updated.

Your content (only if you sign in and sync)

The decks you build and the cards in them, folders, card tags, your wishlist, and your saved “staple” cards. This content lives on your device and, while you are signed in, is synced to our servers so it’s available across your devices.

Email and security codes

Short-lived, hashed codes we send to verify your email address or reset your password.

Server logs

To keep the service reliable and secure we keep two minimal logs:

A security audit log of authentication events (e.g. sign-in, password reset, account deletion) containing the event type, a timestamp, the originating IP address, and an internal account identifier. Used only for security and abuse prevention. Deleted after 365 days.
A technical request log of API calls containing the request method, path, response status, timing, and your app version and operating-system version. It contains no IP address and no account identifier. Deleted after 30 days.

Data stored only on your device

Some data never leaves your device unless you sign in and sync: your local deck database, your sign-in tokens (held in the device’s secure storage), and your preferences (such as colour palette and currency).

How we use your data

We use your data only to: provide and sync your account and decks; send transactional emails (verification and password reset); keep the service secure and prevent abuse; and diagnose problems and improve reliability. We do not use your data for advertising or profiling.

Card data and deck import

Hellbent shows card information and images from Scryfall. When you search for or view cards, your search terms and card requests are sent to Scryfall to return results. These requests identify the app (a generic user-agent) but do not include your account information.

If you import a deck from an external site, the deck link you provide is sent to that site’s service (Archidekt, or Commander Spellbook’s proxy for Moxfield links) to fetch the deck list.

Who we share data with

We do not sell your data or share it for advertising. We use a small set of service providers to operate Hellbent, each processing data on our behalf and/or under its own privacy policy:

Railway — cloud hosting for our application and database.
Resend — sends our verification and password-reset emails (receives your email address for that purpose).
Sentry — error monitoring, configured not to collect IP addresses or other personal identifiers (used only when enabled).
Scryfall — card data and images (receives your card searches, as above).
Expo (EAS Update) — delivers over-the-air app updates.
Archidekt / Commander Spellbook — only when you import a deck (receive the deck link you provide).

What we don’t do

Hellbent contains no advertising, no analytics or tracking SDKs, no push notifications, and no payment or financial data. Card “prices” shown in the app are public market data from Scryfall, not information about you.

Data retention

We keep your account and content until you delete them (see below). Request logs are deleted after 30 days and security audit entries after 365 days. Verification and reset codes expire within minutes. When you delete your account, your data is removed from our active systems immediately; any routine operational backups are short-lived and overwritten on a rolling basis.

Your choices and rights

Access & change. Your decks and account details are visible in the app while signed in.
Delete your account and data. At any time, in the app go to Account → Delete Account, or email support@hellbent.world. Deletion is immediate and permanent and removes your profile and all synced content. See our account deletion page for details.
Depending on where you live, you may have additional rights (such as access, correction, or portability) under laws like the GDPR or CCPA. Email us to exercise them and we aim to respond within 30 days.

Security

Passwords are stored only as salted Argon2 hashes; sessions use rotating refresh tokens with reuse detection; sign-in is rate-limited; and all traffic is encrypted in transit (HTTPS).

International users

Hellbent runs on cloud infrastructure that may process and store data in the United States and/or the European Union. By using the app you understand your data may be transferred to and processed in these locations.

Children

Hellbent is not directed to children under 13, and we do not knowingly collect personal information from them.

Changes to this policy

We may update this policy from time to time. We will revise the effective date above and, for material changes, provide notice in the app or by email.

Contact

Questions about this policy or your data? Email support@hellbent.world.