Privacy Policy

Version 1.0.1 · Effective 2026-05-03

1. Who we are

This Privacy Policy explains how the Age of Aincrad team ("we", "us") processes personal data when you use the Age of Aincrad website (age-of-aincrad.com) and related services (the "Service").

For privacy questions or to exercise your rights described in section 7, use the contact form on the website.

The Polish supervisory authority is the Urząd Ochrony Danych Osobowych (UODO), https://uodo.gov.pl. You have the right to lodge a complaint with UODO at any time.

2. What data we collect

Category | Data | Source
Account | username, email, hashed password (bcrypt), email-verified flag, 2FA status | You
Authentication providers | Discord ID, Google ID — if you sign in with those services | Discord, Google
Application form | name, email, role applied for, free-text answers | You
Purchase records | order ID, store item, amount, currency, payment provider transaction ID | PayPal, Xsolla
Operational | IP address (rate-limiting, anti-abuse, login audit), HTTP request metadata | Your browser / game client
In-game | character data, chat logs (subject to a separate game-server privacy notice that we will publish before any general-availability release) | Game client

We do not knowingly collect special categories of personal data (health, biometric, political opinion, etc.) and do not ask for them.

3. Why we use it (legal basis)

Purpose | Legal basis (GDPR Art. 6)
Run your account, deliver purchases, provide game access | Contract performance — Art. 6(1)(b)
Detect abuse, secure the system, audit-log logins | Legitimate interest in keeping the Service secure and operable — Art. 6(1)(f)
Tax and accounting record-keeping | Legal obligation — Art. 6(1)(c) (Polish accounting law requires retention of payment records)
Send you transactional emails (verification, password reset, order confirmation) | Contract performance — Art. 6(1)(b)
Optional analytics or marketing communications | Your consent — Art. 6(1)(a) (we will ask separately if/when we add this)

4. Who we share it with

We share personal data only with the processors necessary to run the Service:

  • Hosting and database — our infrastructure provider stores account data, audit logs, and payment records.
  • Payment providers — PayPal and Xsolla process card payments under their own terms.
  • OAuth providers — if you sign in with Discord or Google we receive a basic profile (ID, email, username); they receive your action of signing in.
  • Email delivery — transactional emails (account verification, password reset, order confirmation) are dispatched through an email service provider on our behalf.

We do not sell personal data and do not share it with advertisers.

5. International transfers

Some processors (e.g. Discord, Google, PayPal) operate outside the European Economic Area. Where personal data leaves the EEA, transfers are made under the European Commission's Standard Contractual Clauses or another lawful transfer mechanism listed in the relevant processor's privacy notice.

6. Retention

Data | Retention
Account data | Until you delete the account
Payment / order records | 5 years after the transaction (Polish accounting law: art. 74 ust. 2 of the Act on Accounting)
Game-login audit log | 90 days, then automatically purged
Application form submissions | While the application is open + 12 months thereafter
Operational logs (rate-limit counters, IPs) | 30 days max

7. Your rights

Under the GDPR (Articles 15–22) you have the right to:

  • access the personal data we hold about you (Art. 15);
  • correct inaccurate or incomplete data (Art. 16);
  • request deletion ("right to be forgotten") subject to our legal-retention obligations (Art. 17);
  • restrict processing while we investigate a dispute (Art. 18);
  • receive your data in a portable format (Art. 20);
  • object to processing based on legitimate interest (Art. 21);
  • withdraw consent at any time where consent is the basis (Art. 7(3)).

To exercise any of these rights, use the contact form on the website. We will respond within one month per Art. 12(3) GDPR.

You may also lodge a complaint with the supervisory authority — UODO in Poland, or the data-protection authority of your country of residence.

8. Cookies and similar technologies

We currently use only strictly necessary cookies — primarily a JWT cookie that keeps you signed in while you are logged in. These do not require consent under EU rules.

If we add analytics or third-party widgets in the future, we will ask for your consent through a banner before any non-essential cookie is set, and you will be able to change your preferences at any time.

9. Security

We use industry-standard measures: TLS in transit, bcrypt password hashing, rate-limited auth endpoints, HMAC-signed game-server requests, optional 2FA on the website. No system is perfectly secure. If we discover a breach affecting your data, we will notify you without undue delay as required by Art. 34 GDPR.

10. Children

The Service is not intended for children under 16 (or the minimum digital-consent age in your country, whichever is higher). If you become aware that a child has given us personal data without verifiable parental consent, please contact us and we will delete it.

11. Changes to this Policy

We may update this Policy when our practices or applicable law change. Material changes will be announced on the website. The version and effective date are displayed at the top.

12. Contact

Privacy questions and data-rights requests can be sent through the website contact form.