# Privacy Policy

This Privacy Policy explains how personal data is processed when you use this website and related application services.

This website is currently operated as a private hobby project for a small circle of friends and invited users. It is not intended as a large-scale public commercial service at this stage.

## 1. Controller

The controller is the operator of this website.

**Important:** before broader public publication, this section should be completed with the operator's full legal name, postal address and a direct privacy contact email.

## 2. Scope

This Privacy Policy applies to:

- the website itself;
- the downloadable software and its normal operation;
- Discord-based sign-in and account linking;
- license request and activation workflows;
- automatic content update checks and application update checks performed by the software;
- update-related downloads and update metadata delivery;
- crash reporting and technical diagnostics submitted by the application;
- essential cookies and technically necessary session handling.

## 3. Categories of personal data we process

Depending on how you use the service, we may process the following categories of data:

- account and login data, including your email address, Discord user ID, Discord username/display name, role, account creation timestamp, last login timestamp and login count;
- Discord account verification and guild-status data, including whether the connected Discord account is verified and the current guild membership status linked to the account;
- session data stored for authenticated website use;
- license and activation data, including machine key, license request status, serial number, timestamps and related administrative workflow data;
- machine-key status query data, including machine key, query count, linked request status and timestamps;
- technical request metadata in reduced form, namely HTTP method, path, response status code and timestamp for API request reporting;
- technical request data generated when the software checks for content updates or application updates, including connection metadata necessarily transmitted to the contacted update service or release endpoint;
- crash and diagnostic data submitted by the application, including structured payload data, runtime arguments, runtime machine key, failure information, console output, user action trails and related application/platform metadata;
- aggregate site metrics, such as total homepage visits and release download counters.

We do **not** persist full IP addresses or User-Agent strings in the database.

## 4. Purposes and legal bases

We process personal data for the following purposes:

### Account access and authentication

We process Discord login data and the associated account data to authenticate users, create or update accounts, maintain sign-in state and provide access to account-restricted functionality.

Legal basis: Article 6(1)(b) GDPR, where processing is necessary to provide the requested service; and Article 6(1)(f) GDPR for account integrity and abuse prevention.

### License handling and product access

We process machine keys, license request information, entitlement data, approval/delivery data and related timestamps to review, grant, manage and document license-related actions.

Legal basis: Article 6(1)(b) GDPR and, where necessary for secure and orderly operation, Article 6(1)(f) GDPR.

### Software update and content delivery

The downloadable software may automatically check for content updates and application updates when it starts. This includes requests to release or update endpoints in order to determine whether updated content or a newer software version is available and, where applicable, to facilitate update-related downloads.

Legal basis: Article 6(1)(b) GDPR where update functionality is part of the requested software service, and Article 6(1)(f) GDPR for software maintenance, integrity and security.

### Security, abuse prevention and service integrity

We use technical measures to protect the service against abuse, spam and attacks. This includes temporary in-memory abuse prevention based on incoming request information, without persistent IP storage.

Legal basis: Article 6(1)(f) GDPR.

### Technical diagnostics and crash analysis

If the application sends crash or diagnostic reports, we process the submitted diagnostic data in order to investigate faults, reproduce issues, stabilize the software and improve reliability.

Legal basis: Article 6(1)(f) GDPR and, where the diagnostics are needed to support functionality requested by the user, Article 6(1)(b) GDPR.

### Essential cookies and session handling

We use strictly necessary cookies and server-side session storage to keep sign-in, account access, consent acknowledgement and core site functions working.

Legal basis: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR, depending on the function involved.

### Aggregate usage statistics

We keep limited aggregate counters, such as total homepage visits and release download counts, to understand basic service usage at an aggregate level. These counters are not used to build user profiles.

Legal basis: Article 6(1)(f) GDPR.

## 5. Discord integration

If you use Discord sign-in, the service requests account data from Discord, including your Discord user ID, email address and username/display name. We may also query current guild membership status for connected accounts and, where configured, use Discord features to assign roles or send license-related administrative notifications.

When you choose Discord sign-in, Discord acts as an external provider. Its own privacy and data handling rules apply in addition to this Privacy Policy.

## 6. Recipients and third parties

Personal data may be disclosed or made technically available to:

- Discord, where required for login, guild-status checks, role assignment or Discord-based notifications;
- GitHub, where the software checks GitHub release infrastructure for content update information;
- update or download infrastructure used for software update checks or release metadata delivery, including the update endpoint currently used by the software;
- hosting or infrastructure providers that operate the server environment under our control;
- administrators who need access to account, license or crash data to operate and support the service.

Public pages currently load certain frontend assets from third-party content delivery infrastructure (for example Bootstrap and related frontend libraries served via jsDelivr). When a browser loads those assets, technical connection data such as IP address and browser metadata may be processed by that third party independently of this website.

We do not sell personal data.

## 7. International transfers

Some third-party services used by this website or the downloadable software, especially Discord, GitHub and external content delivery or update infrastructure, may process data outside the EU/EEA. Where such processing occurs, it may involve international data transfers under the provider's applicable transfer mechanisms and legal framework.

## 8. Retention

Retention depends on the category of data and the operational need:

- session data is retained until expiry or logout according to the configured session lifetime;
- account, license and entitlement records are retained for as long as needed to operate the service and manage access or related administrative history;
- machine-key query logs, crash reports and related diagnostics are retained for operational troubleshooting, security or support purposes and are currently not subject to a single short automatic deletion period across all categories;
- aggregate counters remain stored until they are reset or removed.

Retention periods should be refined further if the service is opened up more broadly.

## 9. Security measures

We use technical and organisational measures intended to protect personal data, including access restriction, database-backed server-side session storage, removal of persistent IP storage, removal of persistent User-Agent storage, data minimisation in several log categories and automatic redaction of sensitive strings in crash and diagnostic text fields.

Crash and diagnostic data is not published publicly. Sensitive content such as IP addresses, email addresses, token-like values, Discord IDs and user-home-path patterns is redacted before storage or display where implemented.

## 10. Your rights

Under the GDPR, you may have the right to:

- obtain information about the processing of your personal data;
- request access to your personal data;
- request correction of inaccurate or incomplete data;
- request deletion where the legal requirements are met;
- request restriction of processing;
- receive your data in a portable format where applicable;
- object to processing based on legitimate interests, subject to the conditions of Article 21 GDPR;
- lodge a complaint with a competent supervisory authority.

To exercise your rights, contact the website operator using the controller details once these are completed in Section 1.

## 11. Automated decision-making

We do not intentionally use automated decision-making within the meaning of Article 22 GDPR that produces legal effects or similarly significant effects solely on the basis of automated processing.

## 12. Changes

This Privacy Policy may be updated from time to time as the project, hosting setup, legal information and data flows evolve.