Privacy Policy

Last Updated: March 17, 2026

1. Introduction

Summoned ("we," "us," or "our") operates the website at summoned.io (the "Service"). This Privacy Policy describes how we collect, use, store, and share your information when you use our Service.

Summoned is a confidence-based player scoring and reverse group finder for World of Warcraft Mythic+ and Raid content. We aggregate publicly available game data from third-party APIs, compute proprietary performance scores, and help players find groups that match their profile.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

2.1 Account Data (Battle.net OAuth)

When you authenticate with Battle.net, we receive and store:

  • Your BattleTag (display name and numeric identifier)
  • Your Battle.net account ID
  • Your linked character information: character name, realm, class, specialization, faction, and level

We do not receive or store your Battle.net password. Authentication is handled entirely by Blizzard via OAuth.

2.2 Game Data from Third-Party APIs

We collect publicly available game performance data from:

  • Raider.IO: Mythic+ scores, raid progression, run history, best runs per dungeon, and season statistics
  • Warcraft Logs: Combat log parses, performance percentiles by boss and encounter, spec performance metrics, and kill data
  • Blizzard Developer APIs: Character profiles, equipment, Mythic Keystone profile data, and raid progression

This data is publicly available and is collected regardless of whether you have an account with Summoned. Creating an account allows us to associate this data with your profile for personalized features.

2.3 Payment Data

If you subscribe to Summoned Pro, payment processing is handled entirely by Stripe, Inc. Summoned never receives, stores, processes, or has access to your credit card number, debit card number, or full payment account details.

We store only:

  • Your Stripe customer ID (an opaque identifier)
  • Subscription status (active or inactive)
  • Subscription plan tier
  • Billing cycle dates

2.4 Authentication and Session Data

We use a secure authentication and session management system. This includes:

  • Email address (if provided during account creation)
  • Hashed authentication tokens
  • Session identifiers and expiration data

2.5 User-Generated Content

When you use the Service, you may create:

  • LFG (Looking for Group) listings
  • Group listings
  • Player preferences (roles, content type, schedule availability)
  • Notification preferences

2.6 Derived and Proprietary Scoring Data

Summoned computes proprietary data derived from the third-party API data described above. This includes confidence scores, performance grades, tier placements, badges (such as Rising Star), and match compatibility scores. This derived data is Summoned's proprietary intellectual property.

2.7 Usage and Analytics Data

We collect basic analytics data including page views, feature usage patterns, and performance metrics. We do not use third-party advertising trackers, tracking pixels, ad network cookies, or any form of cross-site advertising tracking.

2.8 Future Data Collection

We may in the future collect additional data through:

  • WoW addon telemetry: Combat log events, group composition data, online status, and other in-game data transmitted by an optional Summoned addon
  • Discord bot interactions: Messages and commands sent to the Summoned Discord bot, server membership information relevant to bot functionality

This Privacy Policy will be updated before any new data collection categories are introduced, and users will be notified of material changes.

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Service: Display character profiles, compute scores, run the group finder, and deliver match notifications
  • Compute proprietary scores and matching: Our scoring algorithms process game data to generate confidence-based performance assessments and match players to compatible groups
  • Process payments: Manage Summoned Pro subscriptions through Stripe
  • Send notifications: Deliver match alerts, group invitations, and system updates
  • Improve the Service: Analyze usage patterns to enhance features, fix issues, and develop new functionality
  • Prevent abuse: Detect and prevent fraud, automated access, scraping, rate limit circumvention, and violations of our Terms of Service
  • Comply with legal obligations: Respond to legal requests and enforce our Terms

What We Do NOT Do With Your Data

  • We do not sell, rent, or license your personal data to any third party
  • We do not share your data with data brokers or ad networks
  • We do not use your data for targeted advertising
  • We do not display ads on the Service
  • We do not use tracking pixels from ad networks (no Google Ads, Facebook Pixel, or similar)

4. Data Retention

4.1 Blizzard API Data

In compliance with Blizzard's Developer API Terms of Use, data obtained from Blizzard APIs is refreshed or deleted within a 30-day cycle. Stale Blizzard data is not retained beyond this period.

4.2 Third-Party API Data (Raider.IO, Warcraft Logs)

Game performance data from Raider.IO and Warcraft Logs is cached with defined time-to-live periods (ranging from 1 to 24 hours depending on the data source) and refreshed regularly. Historical data may be retained for trend analysis as long as your account is active.

4.3 Account Data

Your account information, preferences, and associated data are retained for as long as your account is active. If you delete your account, your personal data will be removed within 30 days, subject to the exceptions described below.

4.4 Scoring and Derived Data

Proprietary scoring data is retained while your account is active and is deleted when your account is deleted, except for anonymized aggregate data that cannot be used to identify individual users.

4.5 Payment Records

Subscription metadata (Stripe customer ID, subscription status, billing dates) is retained as required by applicable tax and financial reporting laws, even after account deletion. Stripe retains its own records in accordance with Stripe's privacy policy.

4.6 Data After Account Deletion

When you delete your account, we will remove your personal data within 30 days. Certain data may be retained beyond this period only where required by law (e.g., financial records), necessary for fraud prevention, or in anonymized aggregate form that cannot be linked back to you.

5. Data Sharing

We share your information only in the following limited circumstances:

5.1 Service Providers

  • Stripe: Payment processing. Stripe receives the data necessary to process your subscription. See Stripe's Privacy Policy.
  • Blizzard Entertainment: OAuth authentication. Blizzard processes authentication data per their privacy policy.
  • Database and authentication provider: Hosts our database and authentication infrastructure.
  • Hosting provider: Provides hosting and content delivery.
  • Caching provider: Provides our caching layer.

5.2 Legal Requirements

We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to comply with a legal obligation, protect our rights or safety, or investigate potential violations of our Terms of Service.

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. We will notify users of any such transfer and any changes to applicable privacy practices.

5.4 Aggregate Data

We may use and share aggregate, anonymized, or de-identified data that cannot reasonably be used to identify you. This may include aggregate scoring statistics, usage trends, and service performance metrics.

5.5 What We Do NOT Share

  • We do not sell your personal data to any third party
  • We do not share your data with advertising networks
  • We do not share your data with data brokers
  • We do not share your data with any third party for their marketing purposes

6. Your Rights and Choices

6.1 Access Your Data

You may access your personal data through your account dashboard and settings. You may also request a copy of your data by contacting us at legal@summoned.io.

6.2 Delete Your Account

You may delete your account at any time through your account settings. Account deletion will remove your personal data within 30 days, subject to the retention exceptions described in Section 4.

6.3 Disconnect Battle.net

You may revoke Summoned's access to your Battle.net account at any time through your Battle.net account settings at Blizzard's website.

6.4 Communication Preferences

You may opt out of non-essential communications (such as promotional emails or non-critical notifications) through your notification settings. Essential service communications (such as security alerts or billing confirmations) cannot be opted out of while your account is active.

6.5 California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose about you
  • Delete your personal information, subject to certain exceptions
  • Opt out of the sale of personal information โ€” Summoned does not sell personal information, so there is no sale to opt out of
  • Non-discrimination โ€” We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, contact us at legal@summoned.io. We will verify your identity before processing your request.

6.6 EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have the right to:

  • Access: Obtain a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Data portability: Receive your personal data in a structured, commonly used, machine-readable format
  • Object: Object to processing of your personal data for certain purposes
  • Restrict processing: Request restriction of processing of your personal data
  • Withdraw consent: Where processing is based on consent, withdraw your consent at any time

Our legal basis for processing personal data includes: performance of a contract (providing the Service), legitimate interests (improving and securing the Service), and consent (where applicable). To exercise your GDPR rights, contact us at legal@summoned.io.

7. Cookies and Tracking

7.1 Essential Cookies

We use essential cookies for authentication, session management, and security. These cookies are strictly necessary for the Service to function and cannot be disabled.

7.2 Analytics

We use basic, privacy-respecting analytics to understand how the Service is used. This includes page view counts and feature usage metrics. We do not use analytics for advertising purposes.

7.3 What We Do NOT Use

  • No third-party advertising cookies
  • No tracking pixels (no Google Ads, Facebook Pixel, or similar)
  • No ad network cookies or identifiers
  • No cross-site tracking mechanisms
  • No fingerprinting or device identification for advertising purposes

8. Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13, consistent with the Children's Online Privacy Protection Act (COPPA) and Blizzard's minimum age requirement for Battle.net accounts.

If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe that a child under 13 has provided us with personal information, please contact us at legal@summoned.io.

9. Data Security

We implement industry-standard security measures to protect your data, including:

  • All data is transmitted over encrypted HTTPS connections
  • Database access is protected by Row Level Security (RLS) policies
  • Authentication tokens are hashed and securely stored
  • API endpoints are rate-limited to prevent abuse
  • Administrative access is restricted and audited
  • Payment data is handled entirely by Stripe's PCI-DSS compliant infrastructure

While we strive to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining reasonable security measures.

10. Third-Party Services

The Service integrates with third-party services that have their own privacy policies. We encourage you to review the privacy policies of these services:

Summoned is not responsible for the privacy practices of these third-party services. Their collection and use of your information is governed by their respective privacy policies.

11. International Data Transfers

Summoned is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

By using the Service, you consent to the transfer of your information to the United States. We take steps to ensure that your data receives an adequate level of protection in the jurisdictions in which we process it, consistent with the requirements of applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate the date of the latest revision at the top of this page. Material changes will be communicated through a prominent notice on the Service or via email to registered users.

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the revised policy. We encourage you to review this page periodically for the latest information on our privacy practices.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

legal@summoned.io

For data protection inquiries from EU/EEA residents, or CCPA requests from California residents, please include "Privacy Rights Request" in your email subject line.