LeaderboardAboutContactGet the Addon

Privacy Policy

Last updated: April 19, 2026

Who we are

DelveIO is a free, independent companion service for World of Warcraft's Delves content. It includes www.delveio.dev, a public leaderboard and character tracker, and an in-game addon distributed via CurseForge.

DelveIO is an independent personal project. For any question about this policy or your data, email support@delveio.dev.

What we collect

When you sign in with Battle.net we request the openid and wow.profile scopes from Blizzard. In return we receive:

  • Your Battle.net battletag (e.g. Name#1234), which we use as your identifier across the site
  • An OAuth refresh token and short-lived access token, which we use to fetch your character data on your behalf
  • The list of characters on your Battle.net account

We do not receive your Battle.net email, real name, password, or payment information. We never ask you for any of these.

When you sync a character we fetch the following from Blizzard's API and store it in our database:

  • Character name, realm, region, faction, class, spec, level, and avatar URL
  • Delve completion counts per delve and per tier, from Blizzard's achievement statistics
  • A DelveIO score we compute from the above (tier bonus, breadth bonus, volume bonus, and nemesis bonus)
  • The battletag of the account that owns the character

When your character is discovered from public data, your character may appear in our database even if you have never signed into DelveIO. This happens when your character is listed on Blizzard's public Mythic+ leaderboard or other publicly available sources Blizzard provides. For discovered characters we store the same character fields described above, except we do not hold OAuth tokens for you (because you never authorized any). Discovered characters can be hidden or deleted by signing in and claiming the character, or by emailing support@delveio.dev.

When you use the website our hosting provider (Vercel) retains edge access logs, including IP address, user agent, and request paths, for its own operational purposes. We also run Vercel Analytics and Vercel Speed Insights, which collect pageviews, referrer URLs, approximate geography, and web performance metrics. See the Cookies and analytics section below.

When you email us we receive your email address and whatever you write at our support inbox, hosted by Namecheap Private Email.

What the addon collects: nothing. The DelveIO addon has no network capability. It reads a local database file bundled inside the CurseForge release zip. That file is regenerated nightly on our backend from data synced through the website.

How we use your data

  • Compute your DelveIO score and display your character on the public leaderboard and profile pages
  • Let the addon render your score in other players' in-game tooltips
  • Refresh your characters automatically each night using your stored refresh token
  • Debug errors, monitor performance, and maintain the service
  • Respond to your emails

We do not sell your data. We do not use it for advertising. We do not run machine learning training on it. If that ever changes, this policy will change and we will tell you before the new use begins.

  • Consent for the Battle.net authorization and for analytics via the consent banner
  • Legitimate interest for the core leaderboard service, ranking computation, and addon database generation

Legitimate interest assessment for discovered characters. When we add a character to the leaderboard based on publicly available Blizzard sources (for example, the Mythic+ leaderboard), we process it under legitimate interest. Our interest is operating a comprehensive community leaderboard that compares all competitive characters, in the same way sites like Raider.IO have done for years. We process only the character fields Blizzard already publishes about that character; we do not collect any additional personal information on top. The owner of a discovered character can hide it or delete it at any time by signing in and claiming the character, or by emailing support@delveio.dev. We believe these safeguards balance our interest against the rights and freedoms of the player.

You can withdraw consent at any time by disconnecting your account, and by opening the "Privacy Settings" link in the site footer to revoke analytics consent.

Who we share data with

We use a small set of third-party service providers ("sub-processors") to run DelveIO. Each one sees only what it needs to do its job.

ProviderWhat they seeWhat they do
VercelIP, user agent, request paths, pageviews, web vitalsHosts the website; serves analytics; collects performance telemetry
RenderIP, user agent, request pathsHosts the backend API
SupabaseAll database contentsHosts our Postgres database
Blizzard / Battle.net APIOAuth authorization; ongoing requests made on your behalfIdentity provider and source of your character data
Namecheap Private EmailInbound emails sent to our support addressHosts support@delveio.dev
CurseForge (Overwolf)Addon download statistics onlyDistributes the addon; does not receive DelveIO user data
Google Search ConsolePublic URLs and sitemap onlyIndexes the site for search; does not receive user data
UptimeRobotPublic health endpoint responsesKeeps the backend warm; does not receive user data

We do not share your data with anyone beyond these providers, and we do not sell it.

How long we keep data

  • Your account row and OAuth tokens are retained indefinitely, unless you request deletion. When you disconnect your account from your settings page, your refresh and access tokens are immediately nullified, but the account row itself persists. Disconnecting prevents us from fetching further data from Blizzard on your behalf; it does not delete your account record, your characters, or your delve history. For that, request full deletion as described below.
  • Characters and delve run history are retained indefinitely. Characters you mark hidden are excluded from the leaderboard, search, and the in-game addon database. Characters that stop syncing successfully for 14 or more days are marked stale and excluded from future automatic sync, but remain in the database.
  • Support emails remain in our inbox until manually deleted.
  • Hosting logs (Vercel and Render) are retained per each provider's own retention policy, which we do not control.

Self-service deletion is on our public roadmap and is not yet available. Until it ships, you can email support@delveio.dev to request full deletion of your account and all associated character data. We will complete the deletion within 30 days.

Your rights and choices

You have the following rights regarding your personal data. To exercise any of them, email support@delveio.dev. We will respond within 30 days.

  • Access. We will send you a copy of what we hold about your account and characters.
  • Rectification. Syncing your character overwrites stale data. For anything syncing cannot fix, email us.
  • Deletion. We will permanently remove your account and characters on request. See How long we keep data.
  • Restriction. Set your profile_visibility to private from your account settings. Your characters will be hidden from the public leaderboard, profile pages, and in-game addon database. You can also mark individual characters as hidden.
  • Portability. We will provide a copy of your data in a machine-readable format on request.
  • Objection. Disconnect your account at any time and email us to request deletion.
  • Withdraw consent. Disconnect your account from your settings page, or clear analytics consent via the Privacy Settings link in the footer.

If you are in the EU, the UK, or California, you also have the right to lodge a complaint with your local data protection authority. We would appreciate the chance to resolve any concern with you directly first.

California residents (CCPA and CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). To exercise any of these, email support@delveio.dev.

Categories of personal information we collect:

  • Identifiers. Battle.net battletag, IP address, user agent, character name, and realm.
  • Internet or network activity. Pageviews, referrer URLs, approximate geography, and web performance metrics (via Vercel Analytics and Speed Insights).
  • Other information. Character class, spec, level, faction, avatar URL, delve completion statistics, and the DelveIO score we compute.

We do not collect sensitive personal information as defined by the CPRA, such as government identifiers, financial account credentials, precise geolocation, genetic or biometric data, or health data.

Sources of personal information. Directly from you when you sign in or email us; from Blizzard's Battle.net API for character and achievement data; from publicly available Blizzard sources for discovered characters; and automatically from your browser for analytics and server logs.

Business purposes. Operating the leaderboard service, authenticating you, generating the nightly addon database, debugging errors, monitoring performance, and responding to your messages.

Categories of third parties we share with. Hosting and infrastructure providers (Vercel, Render, Supabase), the identity provider (Blizzard), and our email provider (Namecheap). See the Who we share data with table for details. We do not share personal information with data brokers, advertising networks, or analytics partners for cross-context behavioral advertising.

Do Not Sell or Share. DelveIO does not sell your personal information, and does not share it for cross-context behavioral advertising. There is nothing to opt out of. If this ever changes, we will update this policy and provide an opt-out mechanism before any such practice begins.

Your CCPA and CPRA rights:

  • Right to know what personal information we have collected about you
  • Right to delete personal information we have collected
  • Right to correct inaccurate personal information
  • Right to opt out of sale or sharing (not currently applicable, because we do not sell or share)
  • Right to limit use of sensitive personal information (not currently applicable, because we do not collect sensitive PI)
  • Right to non-discrimination for exercising your CCPA rights

An authorized agent may submit a request on your behalf. We will verify the request by asking the agent for proof of authorization and by contacting you to confirm.

Children's data

DelveIO is not directed at children under 13. Battle.net account creation requires meeting Blizzard's minimum age (13 in the United States, 16 in most EU member states), and we only ever receive data about users who have already signed in through Blizzard. We do not knowingly collect personal data from users below their local minimum age. If you believe we have collected data from a child under 13, email support@delveio.dev and we will delete it.

Cookies and analytics

DelveIO uses the following cookies and similar technologies:

  • Session cookie (next-auth.session-token): strictly necessary. Keeps you signed in. httpOnly, Secure in production, SameSite=Lax. No consent required under ePrivacy rules.
  • Vercel Analytics and Speed Insights: analytics. Collect pageviews, referrers, approximate geography, and web performance metrics. First-party; never shared with third parties for advertising or profiling.

You will be asked for analytics consent on your first visit and can change that decision at any time via the "Privacy Settings" link in the footer. Rejecting analytics does not affect your ability to use the service.

Security

Your data is protected in the following ways:

  • In transit. All traffic between your browser, the website, and the backend is HTTPS encrypted.
  • At rest. Our database is hosted by Supabase, which encrypts database storage at rest.
  • Access controls. Administrative backend endpoints are restricted to a specific IP allowlist and are rate-limited. Database credentials are not shared.

We also have known gaps that we are actively working on. Most notably, OAuth refresh tokens are currently stored only with the database-level encryption that Supabase provides. Adding an additional layer of application-level column encryption is on our roadmap. We would rather be transparent about this than claim protection we have not built yet.

No online service is perfectly secure. If you become aware of a security issue with DelveIO, please email support@delveio.dev. Researchers can also find our contact details at www.delveio.dev/.well-known/security.txt, maintained according to RFC 9116.

International data transfers

Our service providers (Vercel, Render, Supabase, Blizzard Entertainment, Namecheap) process personal data primarily in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data may be transferred to and processed in the US.

For those transfers we rely on the safeguards each provider publishes, which typically include:

  • The European Commission's 2021 Standard Contractual Clauses (SCCs) for transfers from the EEA
  • The UK International Data Transfer Agreement or the UK Addendum to the SCCs for transfers from the United Kingdom
  • The EU-US Data Privacy Framework and its UK Extension and Swiss-US Framework, where a provider is certified under it

You can review each provider's current Data Processing Addendum and certification status on their own legal pages. The providers we use are named in the Who we share data with table above.

If the US processing framework is not acceptable to you, please do not use DelveIO.

Changes to this policy

We will post updated versions of this policy at www.delveio.dev/privacy. The "Last updated" date at the top always reflects the most recent change.

We review this policy at least once per year regardless of whether anything has changed, so the "Last updated" date is always a meaningful signal of how current the document is.

For material changes (new categories of collected data, new sub-processors, meaningful changes to retention or user rights), we will post a notice on the home page or in the addon release notes so you know before the new practice takes effect.

Contact

For any question about your data or about this policy, email support@delveio.dev.