Effective Date: 2026-05-31
What this page covers
This page explains what Lurk's Dungeon stores in your browser, why, and how to remove it. It supplements the Privacy Policy; where the two cover the same topic, the Privacy Policy is the authoritative source for why we process data and the Cookie Policy is the authoritative source for what storage mechanisms we use to do it.
Are these "cookies"?
Mostly no. Lurk's Dungeon is a browser-based Godot 4 web export wrapped in a small PWA shell. It does not set HTTP cookies on the lurksdungeon.com domain in the traditional sense. The storage we do use lives in newer browser-local mechanisms that aren't technically HTTP cookies but are governed by the same consent rules under GDPR / UK GDPR / PECR / the ePrivacy Directive, which is why this page exists.
The mechanisms we use are:
| Mechanism | What it holds | Strictly necessary? |
|---|---|---|
| IndexedDB | Your authentication session token after login (so subsequent requests can be authenticated); your account identifier | Yes — the game cannot function without it once you've signed in |
| Cache Storage API (via service worker) | Cached copies of the web client's static assets (HTML, JS, WASM, images, audio) so the game can load quickly and continue to work briefly when offline | Functional — the game loads without it, just more slowly each visit |
| Godot web-export filesystem (IDBFS, persisted via IndexedDB) | Your locally-saved preferences (audio levels, key rebinds, HUD toggles) AND a random per-browser identifier that anchors your guest account across page reloads (added 2026-05-31) | Functional — the game works without it; you'd just lose your preferences and your guest account would not be reachable across reloads (a new guest account would be created each visit) |
| HTTP cookies | (none) | n/a |
All of the above is first-party. We do not embed third-party analytics SDKs, third-party iframes, third-party fonts, or third-party advertising. The error-reporting SDK (Sentry) is served from our own origin (the bundle is vendored into our build with an SRI hash) — only the resulting event POSTs travel to a third-party endpoint, described under "Third-party storage" below.
Third-party storage
Error reporting (Sentry). When you Accept in the consent banner, the game shell loads the Sentry browser SDK from our own origin (lurksdungeon.com/vendor/sentry/bundle.min.js) — the bundle is vendored into our build with a SHA-384 Subresource Integrity hash so a tampered or stale copy fails the browser's SRI check before it runs. The SDK may use sessionStorage on the lurksdungeon.com domain to buffer breadcrumbs (recent in-page events) for the lifetime of the tab; that buffer is discarded when the tab closes. When an unhandled exception occurs, the SDK POSTs an event payload (error message, stack trace, URL, browser version) to sentry.io — that POST is the third-party leg of the flow. If you Reject, the SDK is not loaded and no error events are sent; if you later flip from Reject to Accept, the SDK is loaded then. If you flip from Accept to Reject, all subsequent error events and breadcrumbs are gated and dropped client-side before they leave your browser (we also disable Sentry's default session-tracking integration so release-health envelopes can't bypass this gate); already-emitted events that the SDK has already sent in earlier acceptance state are out of scope of this control — they remain in Sentry until the 30-day retention window expires. We've configured the SDK with sendDefaultPii: false (so IP addresses are not attached to events) and with no Session Replay integration (so no screen recording or session-token capture occurs). Sentry processes the data on our behalf under its Data Processing Addendum and retains events for 30 days. See the Privacy Policy for the full data-flow description.
SSO providers. When you sign in with an SSO provider (Kick / Twitch / Google / Epic / Steam) you're briefly sent to that provider's own domain to complete the OAuth handshake; the provider may set their own cookies on their domain as part of that flow. Those cookies are governed by the provider's own privacy and cookie policies and are not under our control.
When the cosmetic shop launches we will use a third-party payment processor (e.g. Stripe) to handle payments; that processor's checkout page may set its own cookies on its domain. The shop is not yet active as of the Effective Date — see Terms of Service Section 7 for the payment-model framing.
Your choices
There are three controls today; per-category consent is on the roadmap (see "Per-category consent" below).
- Clear Cache button (in the game shell banner). Deletes the service-worker Cache Storage entries and reloads the page. This is a narrow control: it does not clear your session token (IndexedDB) or your saved preferences (Godot's in-browser settings file).
- Browser site-data clear. Every modern browser exposes a "Clear data for this site" / "Remove cookies and site data" control. Use it on
lurksdungeon.comto remove everything we've stored — session token, cached assets, saved preferences. - Sign out + don't return. If you sign out and don't visit again, the session token expires server-side on its normal expiry schedule; client-side IndexedDB data stays in your browser until cleared via option (2) or removed by your browser's storage-eviction policy.
If you block service workers or disable IndexedDB at the browser level, the game will load (slower, no offline support) but you won't be able to maintain a logged-in session — re-authentication would be required on every page load. We treat that as a user-chosen accessibility configuration, not a bug.
Consent banner
On your first visit the game shows a small consent banner over the loading screen with two choices:
- Accept all — we may write to the Cache Storage API (the service-worker static + game-asset caches) and to the Godot settings file (your audio levels, key rebinds, HUD toggles), and we may load the Sentry error-reporting SDK from our own origin (which uses ephemeral
sessionStoragebreadcrumbs and POSTs error events tosentry.io— see "Third-party storage" above). - Reject non-essential — neither the service-worker cache nor the settings file is written and the Sentry SDK is not loaded. You can still play; the page just re-downloads on every visit, your preferences reset on reload, and we won't capture client-side crashes for triage. The per-browser guest-account identifier described in the table above is also not written, so a guest session will get a fresh anonymous account each page reload rather than reconnecting to the previous one.
The strictly-necessary IndexedDB session token (the bearer that keeps you signed in after explicit login) is always allowed under the GDPR/PECR strictly-necessary exemption and is NOT part of the banner choice.
The banner can't be dismissed without an explicit choice — Esc and click-outside both refuse to close it. Your choice is stored locally as dc_consent and we re-prompt automatically after 6 months on Accept or 30 days on Reject so dormant decisions eventually expire. If we ever materially change what we store (e.g. add a new category), we bump the consent schema version and re-prompt on the next visit regardless of cadence.
You can change your mind by clearing site data for lurksdungeon.com in your browser's settings (re-prompts on next load) or — once we ship the in-game "Manage cookies" link — by re-opening the banner directly.
Children
We do not knowingly maintain accounts for users under 16 (see the Privacy Policy's Children's data section). The same storage mechanisms apply for any signed-in account; we do not target children with profiling cookies or behavioural advertising — we have none.
Changes to this Cookie Policy
When we make material changes — e.g. introduce a new storage mechanism, add an analytics SDK, or change the strictly-necessary classification of an existing item — we update the Effective Date above and surface a notice in the game shell (the same "Update available" banner used for new client builds). For minor edits (typos, clarifications that don't change what we store) we may update silently; the full revision history is in our public repository.
Contact
- Cookie / storage questions:
privacy@lurksdungeon.com - Operated by: LURK24 (individual creator, not a registered business entity)
- Related policies: Privacy Policy · Terms of Service