Privacy

Last updated: May 26, 2026. KaraBuddy is a fan project for karabast.net replay capture and review. This page covers what data the webapp and Chrome extension collect, where it goes, and how to get rid of it.

What data we collect

Install token. The KaraBuddy Chrome extension generates an opaque random identifier (format: kbx_<uuid>) the first time it runs and stores it in chrome.storage.local. Every replay the extension uploads carries this token. It's how we attribute uploads when you haven't signed in.

Replay payloads. When the extension finalizes a karabast.net match it uploads a JSON blob to karabuddy.app. The payload contains: the gameState frame history (deck contents for both players, card play sequence, in-game chat, player usernames, game timer state), and any tags you added mid-match. Payloads are stored in Vercel Blob; metadata (gameId, players, duration, action count, upload time) lives in a Postgres row that points at the blob. The extension also caches the most recent 50 replays in your browser's IndexedDB.

Tags. Short text notes anchored to specific frames. Each tag stores the comment text, the frame index, the author's display name (your KaraBuddy account name or an anon-XXXX handle generated once per browser), and the author's install token (so tag editing can be gated). Created via the extension mid-match or directly in the replay viewer at /r/<slug>.

Account info (only if you sign in). Sign-in is optional. If you use it, Auth.js receives your Discord or Google profile via OAuth and stores: the provider name (discord or google), the provider's user ID, your email address (if the provider sends it), and your display name. Sessions are signed JWTs in an HTTP-only cookie.

Stats. Your uploaded replays power the /stats page — leader matchups, card stats, and resourcing trends. These are scoped to you and to teams you've shared replays with only; there is no public or community-wide aggregate. Team stats are visible to that team's members (the same people the replay is already shared with).

What we do NOT collect

  • Marketing or advertising cookies.
  • Third-party analytics scripts (no Google Analytics, no Plausible, no tracking pixels).
  • IP addresses, except in Vercel's standard request logs (retained per Vercel's terms — typically ~30 days).
  • Anything you do on karabast.net beyond the WebSocket frames of matches the extension records — no DOM scraping, no input logging, no card-list snooping outside live matches.

Breakage detection

karabast.net is an independent project that can change its data format without notice, which can quietly break recording. To catch that fast, the extension checks each match's gamestate against the structure it expects and, only when it detects a mismatch, sends a tiny diagnostic ping to KaraBuddy.

This is a content-free error report, not analytics. By design it can contain only a fixed set of predefined structural-check codes (e.g. missing_players) plus the extension version — the server rejects anything else. It never includes your matches, deck, username, card data, or browsing. It stays silent unless something is actually broken. You can turn it off anytime via the toggle in the extension's launcher panel.

Where it goes

  • Vercel — hosts the webapp, serves Vercel Blob (replay payload storage), and runs Vercel Edge Functions. Operates per their privacy policy.
  • Neon — managed Postgres for metadata (replays table, tags table, users table, extension-token mappings). Operates per their privacy policy.
  • Discord and Google — OAuth providers, only if you sign in with one. We never see your password. If you sign in with Discord, the KaraBuddy bot can DM you (or @-ping you in your team's channel) when you're mentioned on a replay — controllable per-team and via a master switch in Settings, and only to the extent you share a Discord server with the bot.

Replay visibility

Replays are link-accessible: reachable only via the direct /r/<slug> URL (the slug is short but unguessable). There is no public browse list. You can also share a replay with a team you're in, which surfaces it in that team's replay grid for its members.

Anyone with the link can view a replay's full content (deck contents, chat, frame-by-frame state). Treat the link like a shareable Google Doc link — if you don't want others seeing it, don't share the URL.

Retention

  • Replays + tags: kept indefinitely until you delete them or your account.
  • Account: kept until you delete it (contact us — there's no self-serve account-delete UI yet).
  • Local IndexedDB cache: capped at the 50 most recent replays per browser; oldest evicted automatically.
  • Vercel + Neon backups: per those providers' standard retention windows.

Your controls

  • Delete a replay: trash icon on the replay card at /replays?tab=mine.
  • Delete a tag: ✕ button on the tag in the replay viewer.
  • Stop the extension from capturing: disable or uninstall it from chrome://extensions. Any not-yet-uploaded recordings are lost.
  • Sign out: menu in the top-right of the webapp.
  • Anonymous mode: simply don't sign in. Uploads attribute to the install token only and aren't linked to a profile.
  • Delete your account + everything attributed to it: email us — see contact below.

Contact

Privacy questions, deletion requests, or anything else: swutrade@gmail.com.

Affiliation

KaraBuddy is a fan project. It is not affiliated with, endorsed by, or sponsored by Fantasy Flight Games, Asmodee, or Lucasfilm. Star Wars: Unlimited and all associated marks belong to their respective owners.
