← Back to Connect

Privacy Policy

Alliance HQ at frontline.gay is a community tool for Last War alliance officers. This page explains what we store and how we protect it.

We do not sell your data

Alliance HQ exists to help your alliance use ashed.online more easily. We will never sell, rent, or trade your personal information or alliance data to third parties. We do not use your data for advertising, and we do not build marketing profiles from your activity.

We only use the information needed to run the service you asked for — for example, keeping you signed in and calling Ashed on your behalf when you use Alliance HQ features.

What we store

  • A random session identifier in an httpOnly cookie in your browser (not your Ashed login token).
  • Your Ashed connection key (JWT), encrypted on our server — see below.
  • Basic connection metadata, such as when your token expires and your reminder preferences.
  • An optional display label (for example, your Ashed account name) so we can show who is connected.

Alliance reports, member lists, and other alliance content stay on Ashed's systems. Alliance HQ does not copy that data into a separate database for resale or unrelated purposes.

How your Ashed connection key is protected

When you connect Alliance HQ to ashed.online, you paste a network request that contains a login token (JWT). That token is the key that lets Alliance HQ talk to Ashed as you. We treat it like a password.

  1. Encrypted before storage. As soon as we receive your token, we encrypt it with AES-256-GCM (industry-standard authenticated encryption) before writing anything to our database.
  2. Separate encryption key. The key used to encrypt your token lives only in our server environment — it is never stored in the database alongside your encrypted token, and it is never sent to your browser.
  3. Unique ciphertext each time. Each encryption uses a fresh random value (IV), so even identical tokens would not produce identical stored data.
  4. Server-side only. Your browser receives a short-lived session cookie. The Ashed JWT itself stays on our server and is decrypted only when Alliance HQ needs to call Ashed for you.
  5. You can disconnect. Settings → Disconnect removes your stored connection key from our server.

Where data lives

Alliance HQ runs on managed cloud hosting (Vercel for the app, Neon Postgres for encrypted credentials and session data). Data is transmitted over HTTPS.

Questions

This policy may be updated as Alliance HQ grows. If you have questions about your data, open an issue on our GitHub repository.