Privacy Policy
We collect the minimum data needed to run the Service and resolve abuse — nothing about your gameplay leaves your machine, and we don't sell or trade data with third parties. This policy explains what we collect, why, and what you can do about it.
The data controller for this site and the Service is <OPERATOR>. Contact: contact@lordsassist.com.
01 What we collect
- Account data — email address, username, and any OAuth provider IDs you choose to link (currently Discord only, used for role sync).
- Machine fingerprint hashes — derived from CPU + motherboard + disk + system UUID; one-way (you can never reconstruct the original). Used solely to enforce the per-PC license binding.
- Telemetry — feature-use counts, error events, session heartbeats. Aggregated or pseudonymous wherever practical.
- Network data — IP address and inferred country, derived from request headers your browser or app sends. We do not collect GPS or precise location.
- Support correspondence — emails you send us, kept while the case is active and archived per the retention rules below.
02 What we do not collect
- Game data, gameplay events, in-game chat, or any IGG account credentials.
- Your IGG account ID or your in-game name.
- Keystrokes outside of the hotkey listener you configure.
- Files outside our installation directory.
- Discord OAuth: we request only the identify + email scopes — enough to know who you are, nothing more. We do not read your Discord messages or your server membership beyond what role-sync requires.
03 Legal basis for processing (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) — account creation, key redemption, license enforcement, delivery of the Service.
- Legitimate interest (Art. 6(1)(f)) — telemetry to detect abuse and improve the product; machine-fingerprint binding to prevent key sharing.
- Consent (Art. 6(1)(a)) — optional communications (newsletters, product updates) where you opt in. You can withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)) — financial and tax records we are required to retain.
04 Data retention
We keep different categories of data for different periods, balancing operational need against the principle of data minimisation.
- Auth events (logins, password resets, OAuth links): 730 days, for fraud and abuse investigation.
- Session activity heartbeats: 90 days.
- Error events: 30 days.
- Feature-use events: long-term, in pseudonymous form, for product analytics.
- Account data: until you delete your account. Deletion has a 30-day grace period before permanent removal.
- Financial records: 10 years where required by German tax law (HGB / AO).
05 Third parties (processors)
We use the following processors, each under a Data Processing Agreement compliant with Art. 28 GDPR:
- Cloudflare (DNS, CDN, email routing, DDoS protection) — operates in the EU and US under SCCs.
- Cloudflare R2 (binary and bundle storage) — same.
- Resend (transactional email delivery, e.g. password reset, key redemption confirmation) — US with SCCs.
- Discord (OAuth provider, role-sync) — US with SCCs.
- Hosting provider: Contabo GmbH, Munich, Germany (current). Migration to a Hetzner / AWS region within the EU is planned; this section will be updated before any change takes effect.
We do not use third-party analytics, advertising trackers, or social-media pixels on this website.
06 International transfers
Some processors above (Cloudflare, Resend, Discord) operate in the United States. Where data is transferred outside the EU/EEA, we rely on the EU Standard Contractual Clauses (SCCs) and additional safeguards as required by the GDPR and the Schrems II ruling.
07 Cookies and local storage
We use a small number of strictly necessary cookies and local-storage entries:
- Auth session cookie — keeps you signed in. HTTP-only, SameSite=Lax, expires when your session expires.
- OAuth state token — short-lived, session-storage only, used to prevent CSRF during the Discord-link flow. Deleted automatically after the flow completes.
- UI preferences — local-storage only, stays on your device, not sent to us.
We do not set advertising or analytics cookies, so we don't need a cookie-consent banner under ePrivacy / TTDSG.
08 Your rights (GDPR Chapter III)
You can at any time exercise the following rights:
- Access — request a copy of your data (Settings → Data & Privacy → Export).
- Rectification — fix inaccurate data.
- Erasure ("right to be forgotten") — delete your account from the dashboard.
- Restriction of processing.
- Portability — receive your data in a machine-readable format (JSON export).
- Objection — object to processing based on legitimate interest.
- Withdraw consent — for any consent-based processing.
To exercise any of these rights, email contact@lordsassist.com. We respond within 30 days as required by Art. 12(3) GDPR.
You also have the right to lodge a complaint with a supervisory authority — for residents of Germany, this is your local state data-protection authority. A list is available at bfdi.bund.de.
09 California residents (CCPA / CPRA)
If you reside in California, you have additional rights under the CCPA / CPRA: the right to know what personal information we collect about you, the right to delete it, and the right to opt out of any "sale" or "sharing" of personal information. We do not sell or share your personal information for cross-context behavioural advertising. To exercise CCPA rights, email contact@lordsassist.com.
10 Children's privacy
The Service is not directed at users under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has created an account, contact us and we will delete the account and any associated data.
11 Security
We use industry-standard measures to protect your data, including encryption in transit (TLS), encryption at rest for sensitive fields, and one-way hashing for authentication credentials and machine fingerprints. No system is impenetrable; if a breach affecting your data occurs, we will notify you and the relevant supervisory authority as required by Art. 33 + 34 GDPR.
12 Changes to this policy
For material changes (categories of data collected, new processors handling personal data) we'll notify registered users by email at least 14 days before the change takes effect. The current version always lives at this URL with a "Last updated" date at the top.
13 Contact
Privacy questions or rights requests: contact@lordsassist.com
Operator and data controller details are listed in our Impressum.