Raven Anticheat

Privacy Policy

Last updated: 2026-05-08. How Raven Anticheat collects, uses, and protects your data.

1. Data We Collect

We collect only the data we need to operate the Service. The categories below describe everything we hold:

1.1 Account data

  • Email address (required, used as your account identifier).
  • Display name (optional).
  • Password hash (only if you sign up with email and password). Stored as a one-way scrypt hash; we never see your password.
  • OAuth provider claims: Discord user ID and username, or Google sub and profile name, when you sign in via those providers.
  • Profile image URL (from your OAuth provider).
  • Account-creation timestamp, IP address at signup, and country code (used for fraud prevention and to support data-residency questions).
  • Consent timestamps: when you accepted the Terms of Service, the Privacy Policy, the age confirmation, and (separately) the marketing-email opt-in.

1.2 Service data

  • IP addresses and request metadata (for rate limiting, abuse detection, and security logs).
  • Discord User IDs and usernames of players whose data is processed by the Product.
  • Server data (server name, player count, configuration).
  • Hardware identifiers (HWID) related to flagged users.

1.3 Billing data

  • Stripe customer ID, subscription ID, and license-payment metadata. We do not store full card numbers - they remain with Stripe.

1.4 Cookies

We use only essential cookies required to keep you signed in (an httpOnly session cookie and CSRF protection cookies). We do not run analytics, advertising, or third-party tracking cookies on the dashboard. Essential cookies are exempt from prior-consent requirements under EU ePrivacy guidance.

2. How We Use the Data

  • Provide, maintain, and secure the Service.
  • Send you transactional emails (purchase receipts, password reset codes, subscription notices, security alerts).
  • Identify and prevent cheating or unauthorized use of the Product.
  • Improve our detection algorithms.
  • Provide customer support.
  • Send product updates and special offers only if you opted in at signup or in account settings. You can opt out at any time from /dashboard/settings.

3. Legal Bases (GDPR Article 6)

If you live in the EU, UK, or another GDPR-aligned jurisdiction, the legal bases on which we process your data are:

  • Contractual necessity (Art. 6(1)(b)) - to deliver the Service you signed up for.
  • Consent (Art. 6(1)(a)) - for marketing emails. Freely revocable from your settings.
  • Legal obligation (Art. 6(1)(c)) - to keep tax, fraud, and abuse records as required by law.
  • Legitimate interests (Art. 6(1)(f)) - for security, abuse prevention, and product improvement, balanced against your rights.

4. Sub-Processors

We share data with the following service providers to operate the Service. Each is bound by a data-processing agreement and processes your data only as instructed:

  • Stripe, Inc. (USA) - payment processing.
  • Resend (USA) - transactional and verification emails.
  • Discord, Inc. (USA) - OAuth sign-in (when you choose Discord).
  • Google LLC (USA) - OAuth sign-in (when you choose Google).
  • Vercel, Inc. (USA) - application hosting.
  • Cloudflare, Inc. (USA) - DDoS protection and Turnstile bot mitigation.
  • Our managed PostgreSQL database provider - account and license storage.

Where data is transferred outside the European Economic Area, we rely on European Commission Standard Contractual Clauses or equivalent transfer mechanisms.

5. Data Sharing

We do not sell or rent your personal information to third parties, and we have not done so in the past 12 months. We may disclose information to law enforcement or public authorities when required by law, when needed to protect our rights or the safety of users, or to comply with a valid legal process.

6. Your Rights

You have the rights described below. To exercise any of them, use the controls in your dashboard settings or email [email protected]. We respond to verified requests within the time limits set by the applicable law (typically 30 days under GDPR, 45 days under CCPA).

6.1 EU and UK (GDPR / UK DPA)

  • Access (Art. 15) - request a copy of the data we hold about you. Available as a one-click JSON export from /dashboard/settings.
  • Rectification (Art. 16) - update inaccurate data from your settings page.
  • Erasure (Art. 17, "right to be forgotten") - delete your account from your settings page. We hard-delete your data after a 30-day grace period.
  • Portability (Art. 20) - the JSON export above is machine-readable.
  • Restriction (Art. 18) and objection (Art. 21) - email support.
  • Withdraw consent for marketing emails - one click in settings, with no effect on the rest of the Service.
  • Lodge a complaint with your national data protection authority.

6.2 California (CCPA / CPRA)

  • Right to know what personal information we have collected.
  • Right to delete personal information, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing - we do not sell or share personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information.
  • Right not to be discriminated against for exercising any of the above.

6.3 Other regions

We honor equivalent rights under Canada's PIPEDA and CASL, Brazil's LGPD, and similar comprehensive privacy laws in other regions where you reside.

7. Data Retention

  • Account data - kept while your account is active. After you request deletion, we soft-delete the account immediately and hard-delete it 30 days later. The grace period lets you recover the account by emailing support if you change your mind.
  • Verification codes (OTP) - 10 minutes maximum, then automatically purged.
  • Security logs - 90 days, used to detect brute-force and account-takeover attempts.
  • Billing records - retained for the period required by tax law (typically 7 years in the US, 10 in some EU member states).
  • Email send metadata at Resend - 30 days.

8. Security

We protect your data with HTTPS in transit, encryption at rest at the database layer, scrypt password hashing, httpOnly session cookies, captcha-gated public endpoints, and rate limiting on every authentication-related route. We log security-relevant events for 90 days for breach-detection purposes. No method of transmission or storage is 100% secure, but we work to maintain industry-standard practices.

9. Marketing Emails

Marketing emails are sent only after you opt in. Every marketing email contains a one-click unsubscribe link, and you can also revoke consent from /dashboard/settings. We comply with the US CAN-SPAM Act, the Canadian CASL, and the EU ePrivacy Directive.

Transactional emails (purchase receipts, security alerts, subscription failures) are not marketing and are sent regardless of marketing preferences because they relate to the contract between us.

10. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to read their policies before sharing information with them.

11. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Last updated" date at the top. For material changes, we will email account holders at the address on file.

12. Contact Us

Email questions, complaints, or rights requests to [email protected], or reach us via Discord at https://www.ravenac.net/discord.