1. Summary
We collect the minimum information needed to operate iGunZ, an account identifier, an email for account recovery, optional two-factor authentication state, optional Discord linkage, plus the audit log we keep for security and abuse response. We do not sell, rent, or share your information for advertising or marketing. We do not run third-party analytics on the public site. Read on for the specifics.
2. Information We Collect
Information you give us directly:
- Account identifier (UserID), chosen at registration. Public on your profile and in-game.
- Email address, used for verification, login, password reset, and security notifications. Not displayed publicly. You can change it from the security page.
- Password, stored only as a salted scrypt hash. We never see, log, or store the plaintext.
- Two-factor authentication secret, encrypted at rest with a server-side key. Optional. You can enroll or disable from the security page.
- Discord identity, only if you choose to link a Discord account. We store your Discord username, ID, and discriminator (for display in the Service's admin tools and for the Verified-tier role).
Information we collect automatically:
- IP address, used for rate limiting, Cloudflare Turnstile verification, and the audit log. Stored as the Cloudflare-resolved client IP, not raw.
- User agent, captured on session creation and every audit-log event so you can identify your own active sessions on the security page.
- Game data, your character names, levels, kill/death/win counts, clan membership, and other gameplay statistics from the GunZ game database. Some of this is public (rankings, profile pages); some is private to you (full inventory, login history).
3. Audit Log
The Service keeps an append-only audit log of security-sensitive actions: logins (successful and failed), password changes, email changes, two-factor authentication changes, session revocations, admin actions taken by our staff, and similar events. Each entry records the actor, target, IP address, user agent, and event-specific context. The audit log is retained indefinitely and is used for security incident response, abuse investigation, and operational analytics. It is never used for marketing or shared with third parties.
4. Cookies
The Service sets a small number of cookies, all functional:
- Session cookie (HttpOnly, Secure, SameSite=Lax) , set on sign-in. Carries an opaque session token used to look up your row in our session table. Expires after 14 days of inactivity.
- Locale cookie, set when you change the language preference on the public site. Expires after 12 months.
- Cloudflare Turnstile cookie, set by Cloudflare on the captcha challenge. See Cloudflare's cookie policy.
- Cloudflare proxy cookies, set by Cloudflare for security and performance (e.g.
__cf_bm).
We do not set ad-tracking cookies. We do not use Google Analytics, Mixpanel, or similar third-party analytics on the public site. Internal performance metrics come from server logs we control.
5. Third Parties
The Service shares limited information with these processors:
- Cloudflare (CDN + DDoS protection + Turnstile), sees every request to the public site by design. Their standard privacy practices apply.
- Vultr (server hosting), operates the infrastructure that runs the Service.
- Resend (transactional email), receives your email address and the message body when we send verification, password-reset, or notification emails.
- HaveIBeenPwned (password breach check) receives the first 5 characters of the SHA-1 hash of your proposed password during registration and password change. This is k-anonymity range hashing, your full password never leaves our server.
- Sentry (error tracking), receives stack traces and structured context for application errors. The user context attached is your account ID and locale only never your email, IP, or any other identifying field.
- Discord, only if you choose to link a Discord account. We exchange OAuth tokens with Discord; we never see your Discord password.
We do not sell, rent, or share your information for marketing. We do not use your information to train AI models.
6. Retention
Account data is retained for as long as your account exists. On account deletion (see Terms section 7), the user-facing record is removed within 30 days. Audit-log entries that reference your account are retained indefinitely for security purposes, but the account identifier is hashed so the audit trail is preserved without identifying you.
Inactive accounts, accounts that have not signed in for more than 24 months, may be marked for deletion after a 30-day email warning.
7. Security
We protect your data with reasonable, industry-standard measures: encrypted transport (HTTPS-only via Cloudflare and Caddy), salted password hashes, encrypted-at-rest storage of two-factor secrets, IP-based rate limiting, optional captcha after repeated failed logins, instant session revocation, and a regularly-reviewed audit log. We cannot guarantee absolute security; no system is immune from compromise. If a security incident affects you, we will notify you in writing within 72 hours of the discovery.
8. Your Rights
Depending on your jurisdiction, you may have rights to:
- access the personal information we hold about you;
- correct inaccurate information;
- delete your account and the personal information associated with it;
- receive a portable copy of your account data;
- object to or restrict certain processing.
Most of these are available self-service from the security page. For requests we cannot fulfil through the UI, contact [email protected]; we respond within 30 days.
9. Children
The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it. If you believe we have, please contact us.
10. Changes
We may update this Privacy Policy from time to time. Material changes will be announced at least 14 days before they take effect. The “last updated” date at the top reflects the most recent revision.
11. Contact
For privacy-related questions: [email protected].
For data subject requests: [email protected].
For account or technical issues: [email protected].