Privacy Policy

Effective date: as shown above. Version: 1.0.

This Privacy Policy explains how [LLC_NAME] ("we", "us") collects, uses, shares, and protects your personal data when you use the [GAME_NAME] private server and the cabinet at [WEBSITE_URL] (the "Service"). By using the Service you confirm that you have read this Policy.

If you are an EU/UK/EEA resident, this Policy is also our notice under the GDPR / UK GDPR. If you are a California resident, see section 9 for your CCPA/CPRA rights.

1. Who is the controller?

The data controller for personal data processed by the Service is:

[LLC_NAME] [LLC_ADDRESS] Email: [LEGAL_EMAIL]

2. What data we collect

| Category | Examples | Collected when | |---|---|---| | Account | login, e-mail, hashed password, account ID, creation date | sign-up, login, password reset | | Profile / gameplay | character names, levels, balances, in-game history | gameplay | | Payment | order ID, amount, currency, payment provider, last-4 of card (provider-derived only), refund history | each purchase / refund | | Technical | IP address, user-agent, country (from IP, used for OFAC and locale), session ID, CSRF token | every page load | | Communications | support tickets, e-mail receipts, dispute correspondence | when you contact us | | Audit | login log, payment log, lookup log of admin actions on your account | continuously |

We do not collect: full card numbers, CVC codes, government-issued ID numbers, banking credentials, biometric data, precise location data (we only resolve country from IP), browsing history outside the Service, or contacts.

3. Why we use it (legal bases under GDPR)

• Performance of contract: to operate your account, deliver Virtual Goods you have paid for, run the game.
• Legal obligation: to comply with anti-money-laundering, sanctions screening (OFAC), tax record-keeping, and chargeback/dispute response.
• Legitimate interest: fraud prevention, security monitoring, debugging, product improvement, audit logging of administrative actions.
• Consent: for any communications other than transactional receipts and for cookies that are not strictly necessary (currently we use only essential cookies — see Cookie Policy).

4. Third-party processors

We share the minimum personal data needed with the following sub-processors:

| Processor | Purpose | Data shared | Where | |---|---|---|---| | Stripe, Inc. | card / wallet payment processing | order amount, billing country, last-4, e-mail | USA + global | | PayPal Holdings, Inc. | PayPal checkout & payouts | order amount, e-mail, payer ID (returned by PayPal) | USA + global | | Cloudflare, Inc. | CDN, DDoS protection, IP-country resolution for OFAC | IP, headers, request URL | global | | European Central Bank | informational EUR exchange rate (no PII sent) | nothing personal | EU | | Mail provider (SMTP) | transactional e-mails (receipts, password reset) | e-mail, message body | depends on provider |

Each of the above operates under its own privacy policy. We do not sell or rent your personal data to any third party.

5. International transfers

We are based in the United States. If you are located outside the U.S., your personal data will be transferred to and processed in the U.S. and any other countries where our sub-processors operate. Where required by GDPR/UK GDPR, we rely on the European Commission Standard Contractual Clauses (SCCs) or our processors' equivalent safeguards.

6. Retention

| Data | Retention | |---|---| | Account data | for the life of the account, plus 12 months after deletion (for fraud prevention) | | Payment data | 7 years (US tax / financial record-keeping requirement) | | Webhook audit log | 90 days | | OFAC block log | 24 months (compliance audit) | | Login log | 12 months | | Support tickets | 36 months |

After the retention period the data is deleted or fully anonymised.

7. Security

We use TLS in transit, salted password hashes (bcrypt/argon2), separation of database privileges, rate-limiting against brute force, signed webhook verification, and encrypted backups. No system is perfectly secure: in the event of a breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it, where required by law.

8. Your rights (GDPR / UK GDPR)

If you are an EU/UK/EEA resident you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate personal data.
• Erase your personal data (the "right to be forgotten"), subject to legal retention obligations.
• Restrict or object to processing for legitimate-interest purposes.
• Portability — receive your data in a machine-readable format.
• Withdraw consent for any processing that relies on consent.
• Lodge a complaint with your national supervisory authority.

To exercise any of these rights, e-mail [LEGAL_EMAIL]. We will reply within 30 days.

9. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights to (i) know what personal information we collect and how we use it, (ii) delete personal information, (iii) correct inaccurate personal information, (iv) opt out of "sale" or "sharing" of personal information, and (v) limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioural advertising. To exercise CCPA rights, write to [LEGAL_EMAIL].

10. Children

The Service is not intended for users under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact [LEGAL_EMAIL] and we will delete the account and the data within 30 days.

11. Cookies

See our separate Cookie Policy at [WEBSITE_URL]/legal/cookie.

12. Changes

We may update this Policy. Material changes will increment the version number at the top and trigger an in-cabinet notice. The historical "effective date" is preserved on each version.

13. Contact

Privacy questions: [LEGAL_EMAIL]. General support: [SUPPORT_EMAIL]. Mailing address: [LLC_NAME], [LLC_ADDRESS].