
Privacy Policy

Last updated: December 10, 2025

This Privacy Policy explains how ammo.lol ("we," "our," or "us") collects, uses, shares, and protects your personal information when you use our Service. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR).

1. Data Controller

ammo.lol is the data controller responsible for your personal information. If you have questions about this Privacy Policy or our data practices, please contact us through our support channels.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (hashed and encrypted)
  • Authentication tokens from Supabase
  • Account creation and last login timestamps

2.2 Profile Information

When you create or update your profile, we collect:

  • Handle (username)
  • Display name
  • Bio or description
  • Avatar image
  • Theme preferences (colors, templates, layout settings)
  • Custom assets (background images, cursor images, favicon)
  • Music files and metadata (if uploaded)
  • Location (if provided)
  • Custom links and associated data
  • Publication status

2.3 Usage and Analytics Data

We collect anonymized and pseudonymized data about how you use our Service:

  • Profile visit statistics (hashed visitor identifiers)
  • Hashed IP addresses (for analytics and security)
  • Browser user agent (for compatibility and analytics)
  • Referrer information (where visitors came from)
  • Timestamp of visits

Note: We hash IP addresses and visitor identifiers using SHA-256 to protect privacy. We do not store raw IP addresses or create detailed user profiles from this data.

2.4 Payment Information

When you make a purchase, we collect:

  • Subscription plan details
  • Transaction amounts and currency
  • Payment status
  • Transaction identifiers from payment processors
  • Purchase timestamps

Important: We do not store credit card numbers or sensitive payment information. All payment processing is handled by Stripe, and payment data is subject to Stripe's privacy policy.

2.5 Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Maintain your authentication session
  • Remember your preferences
  • Provide essential Service functionality

We use session cookies that are necessary for the Service to function. These cookies are essential and cannot be disabled. We do not use tracking cookies or third-party advertising cookies without your explicit consent.

3. Legal Basis for Processing

We process your personal information based on the following legal grounds under GDPR:

  • Contract Performance: To provide the Service you requested, including account management, profile hosting, and payment processing.
  • Consent: For optional features and marketing communications (where applicable).
  • Legitimate Interests: For security, fraud prevention, analytics, and Service improvement.
  • Legal Obligations: To comply with applicable laws and regulations.

4. How We Use Your Information

We use your personal information to:

  • Provide, maintain, and improve the Service
  • Process transactions and manage subscriptions
  • Authenticate your identity and secure your account
  • Display your profile and content as configured
  • Provide analytics and visit statistics
  • Send essential service communications (account notices, security alerts)
  • Respond to your inquiries and provide support
  • Detect and prevent fraud, abuse, or security issues
  • Comply with legal obligations
  • Enforce our Terms of Service

5. Data Sharing and Third-Party Processors

We share your information with the following third-party service providers who act as data processors:

5.1 Supabase

We use Supabase for authentication, database hosting, and file storage. Supabase processes your account information, profile data, usage data, and uploaded files (such as avatars, backgrounds, and music files). Supabase is GDPR compliant and stores data in secure data centers. For more information, see Supabase's privacy policy: https://supabase.com/privacy

5.2 Stripe

We use Stripe for payment processing. Stripe processes payment information and transaction data. Stripe is PCI-DSS compliant and handles all sensitive payment data. For more information, see Stripe's privacy policy: https://stripe.com/privacy

5.3 Cloudflare

We use Cloudflare for content delivery, security, and performance services. Cloudflare processes technical data including IP addresses, request headers, traffic patterns, and DNS queries to provide CDN services, DDoS protection, and security features. Cloudflare is GDPR compliant and processes data in accordance with their privacy policy. For more information, see Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/

5.4 Hosting and Infrastructure

We use hosting and infrastructure services (such as Vercel) to host and deliver our Service. These services may process technical data (such as IP addresses, request logs, and error logs) necessary for the operation of the Service. For more information, see Vercel's privacy policy: https://vercel.com/legal/privacy-policy

5.5 Other Disclosures

We may disclose your information:

  • If required by law or legal process
  • To protect our rights, property, or safety, or that of our users
  • In connection with a merger, acquisition, or sale of assets
  • With your explicit consent

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure that such transfers comply with GDPR requirements through:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with our service providers
  • Ensuring service providers have adequate data protection measures in place

7. Data Retention

We retain your personal information for as long as necessary to:

  • Provide the Service to you
  • Comply with legal obligations
  • Resolve disputes and enforce agreements
  • Maintain security and prevent fraud

When you delete your account, we permanently delete your personal data and content from active systems within 30 days. Some data may be retained in backups for up to 90 days for security and compliance purposes before being permanently deleted.

Transaction records may be retained for up to 7 years to comply with tax and accounting requirements.

8. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights regarding your personal information:

8.1 Right of Access

You have the right to request a copy of the personal information we hold about you.

8.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal information. You can update most information through your account settings.

8.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal information. You can delete your account at any time through your account settings, which will initiate the deletion process.

8.4 Right to Restrict Processing

You have the right to request that we limit how we use your personal information in certain circumstances.

8.5 Right to Data Portability

You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit that data to another service.

8.6 Right to Object

You have the right to object to processing of your personal information based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights. In the EU, you can contact your local data protection authority.

To exercise any of these rights, please contact us through our support channels. We will respond to your request within one month.

9. Security Measures

We implement technical and organizational measures to protect your personal information:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of sensitive data at rest
  • Hashing of passwords and sensitive identifiers
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Secure data centers with physical and logical security
  • Optional two-factor authentication (2FA) for accounts

While we take reasonable security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials.

10. Children's Privacy

Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected information from a child under 16, we will take steps to delete that information. If you believe we have collected information from a child under 16, please contact us immediately.

11. Public Profile Information

When you publish your profile, the information you choose to make public (such as your handle, display name, bio, avatar, and links) will be visible to anyone who visits your profile URL. You can control what information is public through your profile settings. We are not responsible for how others use information you make public.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email or through the Service.

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through our support channels.
