Privacy Policy

1. Introduction

CraftCorps Nicolas Palomino (NIP: 8952259152), based in Wrocław, Poland, is committed to protecting your privacy. This policy explains how data is collected, used, disclosed, and protected when using the CraftCorps platform, including the launcher application, game servers, websites (craftcorps.net, battleroyales.net, craftclient.net), and Discord services (collectively the "Service").

As a business registered in the European Union, we comply with the General Data Protection Regulation (GDPR) and applicable Polish data protection laws.

2. Data We Collect

2.1 Account Data

• CraftCorps Account: Username, email address (optional), and password (stored as a bcrypt hash — we never store plaintext passwords).
• Microsoft/Minecraft: Via Microsoft OAuth — Xbox Gamertag, Minecraft UUID, and skin data. Microsoft account passwords are never received or stored.
• Discord: Via Discord OAuth — Discord user ID, username, and avatar. Used for account linking, contest verification, and community features.
• Google: Via Google OAuth — email and profile name. Used for social account verification.
• Facebook/Instagram: Via OAuth — account ID and profile name. Used for video contest platform verification.

2.2 Gaming Data

• Match Statistics: Kills, deaths, wins, damage dealt, survival time, distance traveled, ores mined, items crafted, placements, and other in-match activities.
• Progression Data: XP, Battle Score, rank tier, quest progress, daily logbook streaks.
• Economic Data: Eggs balance, Pearls balance, transaction history (earnings, purchases, wagers), cosmetic inventory, and equipped loadout.
• Wagering Data: Bets placed, bet amounts, outcomes, and daily profit tracking.
• Social Data: Friends list, team membership, player reports, and anti-teaming flags.

2.3 Payment Data

• Stripe: Pearl purchases are processed by Stripe. CraftCorps does not store credit card numbers, CVV, or full payment details. We receive only: transaction ID, amount paid, currency, and purchase timestamp. Stripe's privacy policy governs payment data handling.

2.4 User-Generated Content

• Video Contest: Submitted video URLs (YouTube, TikTok, Instagram, Facebook), votes, and comments.
• News Articles: Content, comments, and media uploads by staff and contributors.
• Job Applications: Real name, Discord name, Minecraft name, cover letter, and CV/resume uploads (PDF, DOC, DOCX).

2.5 Technical Data (Collected Automatically)

• IP Address: Collected for anti-cheat enforcement, VPN/proxy detection, wagering fraud prevention, and contest vote fraud prevention. IP addresses are not shared publicly.
• Website Analytics: Page visits, referral source, browser type, and general geographic region via Cloudflare analytics. No third-party tracking cookies are used.
• Launcher Telemetry: Launcher version, operating system, Java version, and crash reports (opt-in only).
• Session Data: JWT authentication tokens for maintaining login sessions.

2.6 Data We Do Not Collect

• Microsoft account passwords
• Credit card numbers or full payment details (handled by Stripe)
• Device advertising identifiers
• Biometric data

3. How We Use Your Data

We use collected data for the following purposes:

• Service Operation: Authenticate accounts, manage game sessions, track match statistics, process purchases, and deliver purchased items.
• Game Integrity: Detect cheating, prevent match fixing, enforce anti-teaming rules, prevent wagering fraud (IP-based duplicate detection), and manage player reports.
• Community Features: Enable friends lists, teams, contest voting, comments, and Discord integration.
• Communication: Send in-game notifications, daily logbook reminders, rank change alerts, and moderation actions via Discord.
• Improvement: Analyze aggregated, anonymized usage patterns to improve game balance, matchmaking, and user experience.
• Legal Compliance: Respond to legal requests and enforce our Terms of Service.

Legal basis (GDPR): We process data based on (a) contractual necessity (account and service operation), (b) legitimate interest (anti-cheat, fraud prevention, service improvement), and (c) consent (optional telemetry, marketing communications).

4. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

• Stripe: Payment processing for Pearl purchases. Stripe acts as an independent data controller. See Stripe's Privacy Policy.
• Cloudflare: Website hosting, DDoS protection, and privacy-focused analytics.
• Microsoft/Mojang: Authentication tokens for Minecraft license verification.
• Discord: OAuth for account linking; webhook notifications to staff channels for moderation (contest removals, player reports).
• ip-api.com: IP address lookups for geographic region detection and VPN/proxy identification. Only the IP address is shared; no personal identifiers are sent.

5. Data Retention

• Account Data: Retained as long as your account is active. Deleted upon account deletion request.
• Match Statistics: Retained indefinitely as part of the game's historical record and leaderboards.
• Currency Transactions: Retained indefinitely for audit and dispute resolution purposes.
• Wagering History: Retained indefinitely for fraud prevention and audit purposes.
• Job Applications: Retained for 6 months after the position is filled, then deleted.
• Video Contest Data: Submission URLs and votes retained for the duration of the contest edition. Comments retained until manually deleted.
• IP Addresses: Retained for up to 90 days for anti-fraud purposes, then anonymized or deleted.
• Crash Reports: Stored for 30 days for diagnostics.
• Contact Form Submissions: Stored for 90 days, then automatically deleted.
• Session Tokens: Expire after 30 days or upon logout.

6. Data Security

We implement industry-standard security measures including:

• HTTPS encryption for all communications
• Bcrypt password hashing (passwords never stored in plaintext)
• Cloudflare DDoS protection and WAF
• Server-side input validation and parameterized database queries
• Role-based access control for staff and admin functions

While we take reasonable precautions, no internet service can guarantee absolute security.

7. Cookies

The website uses minimal cookies for essential functionality. See our Cookie Policy for details.

8. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided personal data, contact us for deletion. Users aged 13–18 require parental or legal guardian consent as outlined in our Terms of Service.

9. Your Rights (GDPR)

As a data subject under GDPR, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data ("right to be forgotten").
• Restriction: Request restriction of processing in certain circumstances.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interest.
• Withdraw Consent: Withdraw consent for optional data collection (e.g., telemetry) at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Polish data protection authority (UODO — Urząd Ochrony Danych Osobowych) at uodo.gov.pl.

10. International Data Transfer

The Service is hosted on servers in Singapore and uses Cloudflare's global network. Data may be processed outside the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Cloudflare's and Stripe's compliance with EU data protection standards.

11. Third-Party Links

The Service may contain links to third-party websites (Discord, YouTube, TikTok, Instagram, Facebook, GitHub). We are not responsible for their privacy practices. We encourage you to review their privacy policies.

12. Policy Changes

This Privacy Policy may be updated periodically. Significant changes are communicated via the website and Discord server. Continued use of the Service after changes indicates acceptance of the updated policy.

13. Data Controller

The data controller responsible for your personal data is:

• Business name: CraftCorps Nicolas Palomino
• Address: ul. Bolesława Prusa 24/10, 50-319 Wrocław, Poland
• NIP: 8952259152
• REGON: 525782789

14. Contact

For privacy questions, data access requests, or complaints:

• Email: [email protected]
• Discord: discord.gg/craftcorps