01Overview#
This policy explains what personal data Zorvex holds about you, why we hold it, and what you can do about it. It covers zorvex.solutions, the customer panel, our software, and our Discord server.
Zorvex is the data controller for that data. Because we offer our services to people in the European Union, the EU General Data Protection Regulation (GDPR) applies to our processing, and we apply the same standard to every user regardless of where you live.
For anything in this policy, contact privacy@zorvex.solutions.
02What we collect#
Account
Your username, email address, and password. Passwords are hashed with bcrypt and cannot be read by us or recovered in plain text. We also store your account status and role, and, if you set one, an avatar URL.
Security state
Email verification codes, password reset tokens, and, if you enable two-factor authentication, your 2FA secret and recovery tokens. We record the time of your last login, the count of consecutive failed logins, the time of the last failed one, and any lockout expiry.
Discord
If you link Discord, we store your Discord user ID, username, and avatar hash. We request only the identify and guilds.join scopes. Your Discord access token is used once to add you to our server and is not stored. We never receive your Discord password or email through this.
Hardware and connection data
Your hardware identifier and your IP address. Both are significant enough to get their own sections below.
Purchases
Amount, currency, payment method, status, the products in your order, and the reference our payment processor gives us. For cryptocurrency payments we also store the payment address, the crypto amount, and the currency used. We store your licence keys, their durations, and your subscription history.
We never receive or store card numbers, bank details, or billing addresses. Those either never exist in our flow, or are handled entirely by the payment provider.
Support and communications
The contents of support tickets, including full message transcripts and whatever you type into a ticket form; the reason you give for a hardware reset or username change request; and, if you use the contact form without an account, the name, email address, and message you submit.
Other
Reviews you choose to leave, including your rating, message, and display name. Internal notes our staff may attach to your account when handling a dispute or support case. Records of administrative actions taken on your account.
What we do not collect: we do not fingerprint your browser, we do not store your user agent, we do not perform geolocation lookups, and we do not build advertising or behavioural profiles.
03Hardware identifiers (HWID)#
Our software sends a hardware identifier derived from the machine it runs on. The first time you authenticate, that identifier is recorded and locked to your account, and later attempts from different hardware are refused.
We do this to enforce the one-machine licence and to detect account sharing and resale. The legal basis is our legitimate interest in preventing licence abuse, which is fundamental to how the product is sold.
A HWID is a persistent identifier tied to your physical machine, so we treat it as personal data under the GDPR even though it does not contain your name. Your HWID is stored on your account record and inside the session token our software uses, and it is written to a log line on every authentication attempt.
The lock is permanent by default. It only changes if you ask us to reset it and a member of staff approves the request.
04Login and IP logs#
Every authentication attempt is logged, whether it succeeds or fails. Each record contains the username used, the hardware identifier, the IP address the attempt came from, whether it succeeded, and the reason if it did not.
We keep these to detect credential stuffing, brute force attempts, licence sharing, and payment fraud, and to investigate abuse when it is reported. The legal basis is our legitimate interest in the security of the service and our users.
Your IP address is read from the connection headers at the point of request. We do not resolve it to a location, and we do not use it for analytics.
Unlike the policies of some of our competitors, we do not claim to store only your most recent IP address. We store a log line per attempt, and those lines accumulate. See How long we keep it, which is candid about what that means today.
05Why we use it, and our legal bases#
Under the GDPR we must have a lawful basis for each purpose. Ours are:
- Performance of a contract: creating your account, authenticating you, delivering and updating builds, provisioning licences, processing payments, and answering support requests.
- Legitimate interests: hardware binding to prevent licence sharing; login and IP logging to secure the service; audit logs of staff actions for accountability; preventing fraud, abuse, and chargeback abuse. We have considered your rights against each of these and believe they do not override our interest, but you can object (see Your rights).
- Legal obligation: retaining transaction records for tax and accounting purposes.
- Consent: only where you volunteer something, such as leaving a review or linking your Discord account. You can withdraw it at any time.
We do not sell your personal data, we do not share it for advertising, and we do not use it for automated decision-making that produces legal effects for you.
07Who processes your data#
We do not sell or rent your data. We do rely on a small number of providers who process it on our behalf, under contract and on our instructions:
| Processor | What it does | Region |
|---|---|---|
| Neon | Database hosting. Holds account, licence, payment and log records. | United States |
| Vercel | Website and API hosting. Processes requests in transit. | United States |
| Amazon Web Services (S3) | Storage and delivery of software builds and media. | France (eu-west-3) |
| Discord | Account linking, support tickets, role assignment and announcements. | United States |
| NOWPayments | Cryptocurrency payment processing. Receives an internal reference for your order. | Netherlands |
| Resend | Transactional email only (verification, password reset, 2FA recovery). | United States |
| Ably | Realtime message delivery for the radar feature, if you use it. Not used elsewhere on the site. | United Kingdom |
We also call an exchange-rate service to convert prices, and a public games API to track patch notes. Neither receives any personal data.
Beyond these, we disclose data only where we are legally required to, or where it is necessary to establish, exercise, or defend a legal claim.
08International transfers#
Some of our providers process data outside the European Economic Area, principally in the United States. That includes our database host and our website host, which means most of your account data is stored in the United States.
Those transfers rely on the European Commission's adequacy decision for the EU-US Data Privacy Framework where the provider is certified under it, and on Standard Contractual Clauses otherwise.
09How long we keep it#
We would rather be accurate here than flattering, so this section describes what actually happens today rather than an aspiration.
- Account data is kept for as long as your account exists.
- Login and IP logs are retained for the life of the account and are not currently on an automatic deletion schedule. In practice this means they accumulate. We are aware this is longer than we need them, and it is on our roadmap to bound it.
- Payment and transaction records are kept for as long as accounting and tax law requires, which is generally several years, and this applies even after you close your account.
- Support tickets and transcripts are kept while the account exists and for a reasonable period afterward, so we can handle any dispute that follows.
- Reviews stay published until you ask us to remove them.
If you ask us to erase your data, we act on it manually rather than through an automated flow. See Your rights for how, and for the limits on it.
10Your rights#
Under the GDPR you have the right to access a copy of your data; to correct it if it is wrong; to have it erased; to restrict or object to how we process it, including our legitimate-interest processing; to receive it in a portable format; and to withdraw any consent you have given.
To exercise any of these, email privacy@zorvex.solutions from the address on your account. We will respond within one month. We may ask you to confirm your identity first, which protects you as much as us. These requests are free.
Honest limits on erasure. We handle deletion manually, so it is not instant. We cannot erase transaction records we are legally required to keep, and we may retain the minimum needed to enforce a ban or prevent a banned user from simply re-registering. Where we cannot erase, we will tell you why rather than quietly not doing it.
If you think we have handled your data badly, please raise it with us first. You also have the right to complain to the data protection authority in the country where you live or work, without going through us at all.
11Security#
Passwords are hashed with bcrypt. Two-factor authentication is available and we recommend it. Accounts lock temporarily after repeated failed logins. Traffic is encrypted in transit. Administrative actions on accounts are logged. Access to production data is limited to people who need it.
No system is perfectly secure, and we will not pretend otherwise. If a breach occurs that is likely to result in a risk to your rights, we will notify the supervisory authority within 72 hours as required, and we will tell you directly where the risk to you is high.
12Children#
Zorvex is not for anyone under 18. We do not knowingly collect data from children. If you believe a minor has given us personal data, tell us and we will delete the account and its data.
13Changes to this policy#
We may update this policy. The date at the top of the page always shows when it last changed. If a change materially affects how we handle your data, we will give notice through the site or Discord before it takes effect.
14Contact#
Privacy and data protection requests: privacy@zorvex.solutions.
Anything else: support@zorvex.solutions or our Discord server.