Legal

Data privacy

What we collect, why, who can see it, and how to make it disappear. The short version: only what the service needs, and it is never for sale.

Last updated: July 7, 2026

Our approach

Four principles drive every data decision on Forgemage.net.

  • Only what is needed

    We collect the data the service cannot work without, and nothing else. No hidden collection, no just-in-case data.

  • Never sold, never tracked

    No ads, no analytics scripts, no cross-site trackers, no data brokers. Your data pays for nothing here.

  • You stay in control

    Read, correct and delete your data from your account settings, without asking anyone.

  • Nothing hidden

    This page lists every piece of data, every cookie and every third party. If it is not listed here, we do not do it.

Who is responsible

Forgemage.net is a fan project run by its maintainer, who acts as the data controller: the person who decides what is collected and why. For anything related to your data, reach out through the GitHub page linked in the footer.

What we collect

Your account: your email address, your display name, your password (stored hashed, unreadable to us), your profile photo, and your Discord identifier and avatar if you sign in with Discord.

What you publish: your player or smithmagus profile, your portfolio images, your maging requests, your reviews, and your messages with their attachments.

Your activity: profile and request views, search appearances and statistics, response times, and your online presence. This is what powers the stats pages and the search rankings.

Your sign-in history: IP address, device and approximate location of recent sign-ins, visible to you in your security settings.

What we use it for

To run the service: your profiles and requests exist to be found, your messages to be delivered, your reviews to inform others. This is the contract between us.

To keep accounts safe: the sign-in history exists so that you (and we) can spot an intrusion.

To email you when the service needs it: confirming your address, resetting your password, review invitations and reminders, referral invitations. There is no newsletter and no marketing email.

What we never do

We do not sell your data. We do not show ads. We run no analytics or tracking scripts. We do not profile you beyond the statistics the site itself displays. If this ever changed, this page would change first, and loudly.

Who can see what

Public, by design: smithmagus profiles, portfolios, reviews, and maging requests. That is the marketplace working.

Private: your messages are visible only to the people in the conversation. Moderators may read a conversation when one of its participants reports it.

Your email address, sign-in history and settings are visible to you alone, and technically to the maintainer who operates the database.

Third parties

Discord — only if you choose to sign in with it. Discord tells us your identifier, username and avatar; we never see your Discord password.

Google Fonts — the site's fonts load from Google's servers, so your browser sends them your IP address when a page loads.

dofusdu.de — the request wizard fetches Dofus item data from this community API, directly from your browser.

An email delivery provider carries the transactional emails described above.

That is the whole list. Real-time features (messages, online status) run on our own infrastructure.

How long we keep it

Profile and request views are deleted after one month. Account data lives as long as your account does.

When you delete your account, it is anonymized: email, password, photo and Discord identifiers are erased, your display name becomes [deleted], and your portfolio images are removed. Messages and reviews remain, detached from your identity, because other users' conversations and reputations depend on them.

Your rights

European data protection law (GDPR) gives you the right to access, correct, delete and receive your data, and to object to some uses of it. Most of it you can do yourself from your account settings; for the rest, contact us through the GitHub page linked in the footer.

If you believe we mishandle your data, you can complain to the CNIL, the French data protection authority.

Security

Passwords are stored hashed, the site runs over HTTPS everywhere, and your recent sign-ins are listed in your security settings so anything unusual has nowhere to hide. No system is unbreakable; if a breach ever affects your data, we will tell you.

Cookies

The full list is short:

Name Purpose Lifetime
PHPSESSID Your session: keeps you signed in while you browse. Until you sign out or close the browser.
csrf-token Set when you submit a form, to block cross-site request forgery. A few seconds, the time of the submission.

The site also uses your browser's local storage for two values, theme and bs-theme, which remember your light-or-dark choice. They stay on your device and are never sent anywhere.

There are no advertising, analytics or cross-site tracking cookies, which is why the site shows no cookie banner: everything above is strictly necessary.

Changes to this policy

When this policy changes in a way that matters, we announce it on the site before it takes effect. The date at the top always tells you which version you are reading.