Legal
Privacy Policy
Effective date: April 27, 2026. This Policy describes how AlbionZVZ ("we", "us") collects, uses, and shares personal data when you use our website and services (the "Service").
Who is responsible
The Service is operated by the project behind AlbionZVZ (contact via Contact us). If you need a legal entity name or postal address for data-protection requests, ask through that channel and we will provide it where required.
Data we collect
Depending on how you use the Service, we may process:
- Account data — When you sign in (for example with Discord), we receive and store identifiers and profile details allowed by that provider (such as user id, username, avatar).
- Guild and gameplay-organizing data — Information you or your guild adds: memberships, events, signups, compositions, builds, and similar operational data.
- Technical and usage data — Logs and metadata needed to run the site securely: IP address, approximate location from IP, device and browser type, timestamps, and diagnostic information when something fails. When configured, our self-hosted analytics (Rybbit) also receives cookieless page views, performance metrics (Web Vitals), and aggregated product events (for example that a signup or guild action occurred, with counts or guild slugs — not message content, emails, or Discord display names).
- Cookies and similar technologies — See Cookies and similar technologies below.
Why we use data
- To provide, secure, and improve the Service.
- To authenticate you and enforce guild and event permissions.
- To communicate about the Service (for example support responses).
- To comply with law and respond to lawful requests.
- To measure traffic, performance, and product usage via our self-hosted Rybbit instance when enabled (see processors below).
Legal bases (EEA, UK, and similar)
Where GDPR-style laws apply, we rely on:
- Performance of a contract — Providing the Service you asked for.
- Legitimate interests — Security, abuse prevention, improving the product, and cookieless analytics via our self-hosted Rybbit instance (traffic, performance, aggregated usage — see processors below), balanced against your rights.
- Consent — Where required, for optional technologies described in our cookie notice.
- Legal obligation — When the law requires retention or disclosure.
Cookies and similar technologies
Strictly necessary cookies and storage are used to run the Service (for example keeping you signed in). They do not require consent, but we list them here for transparency. When you open a page that shows third-party ads, those providers may set their own cookies for ad delivery and measurement — we show a short cookie notice on those pages the first time you visit. That notice is for advertising cookies only — it does not control our self-hosted Rybbit analytics, which are cookieless (page views, Web Vitals, and aggregated product events). You can reopen the ad notice via Cookie notice in the site footer when ads are enabled.
| Name / prefix | Purpose | Essential? | Typical duration |
|---|---|---|---|
sb-*-auth-token (and chunk suffixes) | Login session (Supabase Auth) | Yes | Session / refresh lifetime |
sb-*-auth-token-code-verifier | OAuth PKCE during Discord sign-in | Yes | Short-lived (sign-in flow) |
cookie_consent (localStorage) | Remember that you saw the advertising cookie notice | Yes (notice storage) | Until you clear site data (we suggest ~12 months) |
Adsterra / ad network cookies (e.g. on highperformanceformat.com) | Third-party ad delivery and measurement on public event pages (when configured) | No — third-party ad provider | Per Adsterra and partner documentation |
Processors and sharing
We use service providers that process data on our instructions and under contractual safeguards, including:
- Supabase — authentication and database hosting.
- Application hosting — serving the website (for example Vercel, Fly.io, or similar, depending on deployment).
- Rybbit — self-hosted, cookieless page analytics, Web Vitals, and aggregated product usage events (when configured).
- Adsterra — display advertising on public event pages when configured (not shown to guild officers).
- Discord — when you sign in with Discord; also subject to Discord's privacy policy.
We do not sell your personal data. We may share data if required by law or to protect rights, safety, and integrity of users and the Service.
Retention
We keep data as long as your account or guild needs it for the Service, and afterward only as long as necessary for legal, security, or backup purposes. Plan-based retention (for example event history) may delete older records automatically.
Your rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict certain processing. You may also lodge a complaint with a data protection authority.
How to exercise your rights: contact us via Contact us with enough detail to find your account (for example the email on your account or your Discord username). We aim to respond within about 30 days where GDPR-style laws apply. The site footer Cookie notice applies to third-party advertising only, not Rybbit. To object to or restrict Rybbit processing where your law provides that right, contact us via Contact us.
International transfers
Our providers may process data in countries other than your own. We use appropriate safeguards (such as standard contractual clauses) where required.
Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children.
Changes to this Policy
We may update this Policy and will post the new version here with an updated effective date.