Privacy Policy

1. What We Collect

We do not collect: payment card numbers (handled by Stripe), location data, browsing history, or any data beyond what is listed above.

2. How We Use Your Data

• Account management — authentication, profile, and GamerTag
• Purchase fulfillment — delivering license keys and verifying purchases
• Security — detecting suspicious logins, rate limiting, and preventing abuse
• Communications — transactional emails only (verification, password reset, purchase receipt)
• Support — responding to support requests you initiate

We do not use your data for advertising, profiling, or selling to third parties. Ever.

3. Data Storage & Security

All data is stored on servers protected by:

• Passwords hashed with Argon2id (industry-leading, not MD5/bcrypt)
• HTTPS/TLS 1.3 for all connections
• HttpOnly, Secure, SameSite=Strict session cookies
• Cloudflare DDoS and bot protection
• Encrypted database backups
• Access limited to authorized personnel only

We store refresh token hashes (not plaintext), rotate tokens on every use, and invalidate all sessions on password change.

4. Third-Party Services

We use the following third-party services, each with their own privacy policies:

• Stripe — payment processing. Stripe handles all card data. We never see your full card number.
• Cloudflare — CDN, DDoS protection, and DNS. Cloudflare may log IP addresses.
• SendGrid / Mailgun — transactional email delivery (verification, password reset, receipts).

We do not use Google Analytics, Facebook Pixel, or any behavioral advertising trackers.

5. Cookies & Tracking

We use strictly necessary cookies only:

• dc_session — HttpOnly authentication session cookie
• dc_csrf — CSRF protection token (session storage)

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.

6. Your Rights

Regardless of your location, you have the following rights:

• Access — request a copy of all data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request deletion of your account and all associated data
• Portability — receive your data in a machine-readable format
• Objection — object to specific types of processing
• Withdrawal — withdraw consent at any time (where consent is the legal basis)

To exercise any of these rights, email privacy@darkcredits.org. We will respond within 30 days.

7. Data Retention

• Account data is retained as long as your account is active
• Upon account deletion, all personal data is deleted within 30 days
• Purchase records are retained for 7 years for legal/tax purposes (anonymized where possible)
• Security logs (IP, login events) are retained for 90 days then deleted
• Password reset tokens expire after 15 minutes and are single-use

8. Children's Privacy

Dark Credits is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us immediately and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy periodically. We will notify registered users of material changes by email. The "Last updated" date at the top of this page reflects the most recent revision.

10. Contact & Requests