Threadfall Party Sync — Privacy Policy
Last updated: 2026-05-11
Threadfall Party Sync (“the extension”) is a Chrome browser extension published by Threadfall (https://thread-fall.com) that lets a Game Master sync the party from a D&D Beyond campaign they manage into the Threadfall campaign they manage.
This policy describes what the extension reads, what it stores, what it transmits, and what it does not do.
1. What the extension reads
The extension only injects code on two URL patterns:
- https://www.dndbeyond.com/campaigns/* — used by the toolbar badge to detect when you’re on a campaign page where the extension is useful. The extension does not run a content script here; it only reads the URL via Chrome’s chrome.tabs API to set the badge.
- https://thread-fall.com/* — a small content script reads the existing Threadfall session token (tf_jwt) from your own Threadfall browser session’s localStorage and stores it locally for the extension to authenticate API calls back to your Threadfall account.
When you click the extension’s toolbar icon while on a D&D Beyond campaign page and then click Export to Threadfall, the extension makes authenticated API calls (using your existing D&D Beyond and Threadfall sessions) to fetch:
- The campaign details and party roster from D&D Beyond’s own campaign API (https://api.dndbeyond.com/campaigns/v1/{id}/...).
- The character JSON for each selected character from D&D Beyond’s own character API (https://character-service.dndbeyond.com/character/v5/character/{id}), authenticated via D&D Beyond’s documented Cobalt token handshake (https://auth-service.dndbeyond.com/v1/cobalt-token).
- The list of campaigns you manage in Threadfall, and the existing PC roster for the selected Threadfall target (used to flag which characters are first-time imports vs. refreshes).
The extension does not read any other tabs, any other websites, your browsing history, your bookmarks, your saved passwords, or any data outside the URL patterns above.
2. What the extension stores locally
The extension stores the following in chrome.storage.sync (synced across your signed-in Chrome instances by Google):
- Your Threadfall endpoint URL (defaults to https://thread-fall.com).
- The Threadfall session token captured from your Threadfall browser session.
- Your most-recently selected default target campaign (a convenience).
- The timestamp and a short summary of your most recent successful import (for the popup’s last-import display).
This data is not transmitted anywhere except to your configured Threadfall server. It is removed when you uninstall the extension.
3. What the extension transmits
When you click Export to Threadfall, the extension transmits the D&D Beyond character JSON for each selected character, wrapped with import metadata (source character ID, source campaign ID and name, target campaign ID, fuzzy-match score, ISO timestamp), to your configured Threadfall endpoint only via POST /api/v1/imports/ddb/batch.
No data is transmitted to any third party. No analytics, telemetry, advertising, or tracking services are contacted. The extension makes no network requests when you are not actively using it.
4. What the extension does NOT do
- Does not read or transmit your D&D Beyond credentials. It uses the session cookies your browser already has.
- Does not read characters or campaigns you do not have legitimate D&D Beyond access to. A 401/403 from D&D Beyond’s API is treated as “skip” — no fallback scraping.
- Does not allow imports into a Threadfall campaign you do not GM. The Threadfall backend re-verifies on every request.
- Does not accept arbitrary character URLs or another user’s credentials.
- Does not include any advertising, analytics, or third-party SDKs.
- Does not sell, share, or monetize your data in any way.
- Does not decode, store, or transmit your Threadfall session token to any third party. The token is read locally from your own Threadfall browser session and used only to call your own Threadfall account.
5. Children
The extension is not directed at children under 13. We do not knowingly collect data from children under 13. D&D Beyond’s own terms govern access to D&D Beyond accounts.
6. Data retention
Data stored locally by the extension persists until you uninstall the extension or clear your Chrome sync data. Data transmitted to your Threadfall server is governed by Threadfall’s own privacy policy (https://thread-fall.com/privacy) and is retained according to your Threadfall account settings.
7. Your choices
- Uninstall the extension at any time via chrome://extensions. This deletes all locally stored data.
- Sign out of Threadfall to invalidate the captured session token. The extension can no longer transmit on your behalf until you sign back in.
- Delete imported data by removing the corresponding PCs or campaigns inside Threadfall.
8. Changes to this policy
Material changes will be posted here with a new “Last updated” date. The current version is always available at the URL where this policy is hosted.
9. Contact
Questions about this policy: support@thread-fall.com