Privacy Policy

Last Updated: 29 August 2025

1. Introduction

Welcome to GmodProtect ("we," "us," or "our"). We are committed to protecting the privacy and security of our users' data. This Privacy Policy explains how we collect, use, process, and disclose your information across the GmodProtect website, API, and associated services (collectively, the "Service"). Our mission is to enhance the safety of online gaming communities, and we believe that transparency about our data practices is fundamental to that mission.

2. Data Controller

GmodProtect is the data controller responsible for your information under this Privacy Policy. For any questions or concerns, you can reach us via the channels listed on our Contact page.

3. Information We Collect

We collect information to provide and improve our Service. The type of information depends on your interaction with us.

3.1. Information You Provide to Us

  • Report Submissions: When a user submits a report, we collect all provided information, which includes:
    • The SteamID64 of the alleged offender.
    • Evidence, which may contain personal data such as in-game chat logs, screenshots of user-generated content, video recordings, and usernames.
  • Partner Onboarding: When a server owner applies for partnership, we collect their contact information and SteamID64 to manage their access and communicate with them.
  • Appeals and Communication: When you contact us for support, to file an appeal, or for any other inquiry, we collect your name, contact information, SteamID64, and the contents of your messages.

3.2. Information We Collect Automatically

  • Log Data and Device Information: We automatically collect log data when you use the Service, such as your IP address, browser type, operating system, and pages visited. This is used for security, analytics, and service stability.
  • Cookies: We use essential cookies to manage user sessions and preferences (like language choice). We do not use cookies for targeted advertising.

4. How We Use Your Information

The information we collect is used for the following specific purposes:

  • To Operate the Service: To verify, process, and display case files in our public database.
  • To Ensure Security: To monitor for and prevent malicious activity, abuse, and fraudulent reports.
  • To Provide API Access: To allow partnered servers to programmatically access our database to protect their communities.
  • To Comply with Legal Obligations: To respond to lawful requests from public authorities and to comply with mandatory reporting obligations, particularly concerning Child Sexual Abuse Material (CSAM).
  • To Improve the Service: To analyze usage patterns and improve the user experience.

5. Legal Basis for Processing (EEA, UK, and Switzerland)

For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, our processing of personal data is based on Legitimate Interests (Article 6(1)(f) GDPR).

  • Our Legitimate Interest: We have a legitimate interest in protecting online communities, and particularly minors, from demonstrable harm caused by individuals engaging in serious violations such as cheating, severe harassment, and child endangerment. This constitutes a public safety interest.
  • Necessity: The processing is necessary for achieving this interest. A centralized, evidence-based database is the only effective means to share this critical safety information across the fragmented landscape of game servers.
  • Balancing Test: We have carefully balanced our legitimate interests against the interests and fundamental rights of the data subjects. We conclude that our interests are not overridden for the following reasons:

1. The data processed (e.g., SteamID, in-game behavior) is related to actions taken in a public or semi-public online environment.

2. Processing is strictly limited to cases of serious, evidence-backed violations.

3. A rigorous human review process is in place to prevent false positives and ensure accuracy.

4. An appeals process exists to provide a path for correction and recourse.

5. The impact on the individual is proportionate to the harm they have caused to the community.

6. Data Sharing and Disclosure

  • Public Database: The core of our Service is a public database. An approved case file, which includes the offender's SteamID64 and the supporting evidence, is publicly accessible.
  • Partnered Servers: Partnered servers access this public data via our API.
  • Legal and Law Enforcement: We will disclose information to law enforcement or in response to a valid legal process if we are required to do so. We have a zero-tolerance policy for CSAM and will report such content to the appropriate national reporting authority (e.g., the National Center for Missing & Exploited Children (NCMEC) in the U.S., Dyżurnet.pl in Poland).
  • Service Providers: We may use third-party companies for hosting and infrastructure. These providers are bound by strict data processing agreements.

7. Your Data Protection Rights

You have rights concerning your personal data, which may vary based on your location.

7.1. For Residents of the EEA, UK, and Switzerland (GDPR)

You have the following rights:

  • The right to access: You can request copies of your personal data.
  • The right to rectification: You can request that we correct any information you believe is inaccurate.
  • The right to erasure: You can request that we erase your personal data, subject to our assessment of overriding legitimate interests.
  • The right to object to processing: You have the right to object to our processing of your personal data based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms.
  • The right to restrict processing: You can request that we restrict the processing of your data under certain conditions.

To exercise these rights, please use the official channels on our Contact page.

7.2. For Residents of California (CCPA/CPRA)

  • Right to Know, Access, and Delete.
  • Right to Correct: You may request that we correct inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. If that changes, we will provide a "Do Not Sell or Share" mechanism and honor opt-out preference signals where required.

7.3. For Residents of Canada (PIPEDA)

We adhere to PIPEDA’s principles. You may request access and correction, and lodge a complaint with the Office of the Privacy Commissioner of Canada.

8. Data Security and Retention

We implement robust technical and administrative security measures to protect your data.

8.1. Retention Schedule

  • Public case files: Retained as long as necessary to protect communities. Reviewed at least every 24 months. If a case is overturned or becomes no longer necessary, we will archive/anonymize evidence or remove direct identifiers.
  • Appeals and support communications: Retained for 24 months after the matter is closed.
  • Web access logs (security): Retained for up to 90 days unless needed for an investigation.
  • API access logs: Retained for up to 180 days for abuse monitoring and diagnostics.
  • Partner records (contact, keys): Retained for the duration of the partnership plus 12 months.
  • Backups: Subject to rolling backup cycles (typically 30 days).

You may request a review of retention for your data via our Contact page. We will minimize and anonymize where feasible.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date.

10. International Data Transfers

We may store and process data in the EEA and in other countries. Where we transfer personal data from the EEA/UK/Switzerland to a country without an adequacy decision:

  • We rely on EU Standard Contractual Clauses (SCCs) and, where applicable, the UK IDTA/UK Addendum.
  • We conduct transfer risk assessments and apply supplementary measures (e.g., encryption in transit and at rest).

11. Jurisdiction-Specific Information

  • United Kingdom: Your rights mirror GDPR. Where the Service is likely to be accessed by children, we endeavor to align with the Age-Appropriate Design Code.
  • Switzerland (FADP): We use terms consistent with FADP. You may contact the FDPIC or your cantonal authority.
  • Brazil (LGPD): You have rights to access, correction, deletion, portability, anonymization/blocking, and to review automated decisions. We do not use automated decision-making for public case determinations; all cases are human-reviewed.
  • Colorado/Virginia/Connecticut/Utah (U.S. State Laws): Subject to applicability thresholds, you may have rights to access, delete, correct, and opt out of targeted advertising or profiling. Contact us to exercise these rights.
  • Other Regions (APPI, PIPA, PDPA, Australia Privacy Act/APPs, NZ Privacy Act 2020, DPDP Act 2023, PIPL, KVKK, LFPDPPP): We will honor region-specific rights to the extent required by law. Contact us for requests.

12. Children’s Data and Safety

We do not direct the Service to children, but we may process information about minors when necessary to document and address violations. We do not use such information for marketing or profiling. We maintain a zero-tolerance policy for CSAM and will report to appropriate national reporting authorities (e.g., NCMEC in the U.S., Dyżurnet.pl in Poland).

13. Contact and Supervisory Authorities

Contact: contact@gmodprotect.org.

EEA/UK/CH residents may also lodge a complaint with their local data protection authority. In Poland, you may contact the President of the Personal Data Protection Office (UODO).