
Privacy Policy

Last updated: April 21, 2026

This policy describes what Torn Companion Redux ("the app") collects, where it is stored, who can see it, and how long it is kept. If you spot a discrepancy, please reach out.

1. Data We Collect

When you log in with your Torn API key, we store your account information in our PostgreSQL database (hosted on Supabase). This includes your Torn identity (user ID, name, and level), your encrypted API key and its metadata, faction membership details, and any preferences or settings you configure within the app. The specific data stored may expand as new features are added.

2. Sessions and Authentication

When you log in, we create a session that keeps you signed in for 30 days. We store a session ID, your user ID, timestamps, your IP address, and your browser's User-Agent string. Logging out ends your session immediately. A session cookie (session_id) is set in your browser — it is HTTP-only and cannot be read by JavaScript.

3. Cached Data & Audit Logs

To reduce load on the Torn API, we temporarily cache your game data. Cached data never includes your API key and is cleared immediately when your account is deleted.

We log security events (logins, logouts, admin actions) along with IP address and browser info for abuse prevention, kept for 90 days.

4. Third-Party Services

The app relies on the following infrastructure providers:

  • Supabase — hosts the PostgreSQL database where your account, encrypted API key, sessions, settings, and audit logs live.
  • Upstash — hosts the Redis cache that stores recent Torn API responses.
  • Vercel — hosts the Next.js application and runs scheduled cron jobs. All requests to the app pass through Vercel's edge and server infrastructure.
  • Torn (api.torn.com) — receives your decrypted API key on each outbound request so we can fetch your own data. We send only the key and the requested selections; we do not send any other personal data to Torn. Every outbound request includes a comment=TornCompanion query parameter so you can verify the app's usage in your Torn API key logs.

The app does not integrate with any analytics, advertising, email, or payment services.

5. Who Can Access Your Data

  • You.
  • Xero, the owner of the app.
  • Other authenticated users. Other users do not see your personal data; however, public data is shared with all users and is communal.
  • The App's Service Providers (Supabase, Upstash, Vercel) store data on our behalf and are subject to their own privacy terms.

6. Data Retention

  • Account and user-settings records are retained while your account is active.
  • Sessions expire after 30 days.
  • Personal data is cleared upon account deletion.
  • Audit-log entries are removed after 90 days, except critical security events which may be kept longer.

7. Account Deletion

To delete your account, navigate to the settings page within the app and scroll to the bottom, where you will see the "Danger Zone". Clicking the Delete Account button there will remove all data pertaining to your account.

Audit logs may retain anonymized entries for the remainder of their retention period.

8. Security

  • API keys are encrypted at rest.
  • All traffic to the app, to Supabase, to Upstash, and to Torn is over HTTPS / TLS.
  • The session cookie is HTTP-only and cannot be read by JavaScript running in your browser.
  • No system is ever perfectly secure. If you believe your key may be compromised, revoke it on Torn immediately.

9. Children

The app is not directed at children under 16. If you are under 16, do not use the app or submit your API key.

10. Changes to This Policy

We may update this policy to reflect changes to the application. The "Last updated" date at the top of the page will change whenever the policy is revised.

11. Contact

For privacy questions, data-deletion requests, or security concerns, contact -Xero- [3285695] in-game.