Privacy Policy
This Privacy Policy explains how Ironkeep ("we", "us", "the Service") collects, uses, and protects your personal data when you use the Ironkeep web application and Discord bot at ironkeep.gg.
Ironkeep is operated from the Netherlands and processes data in compliance with the EU General Data Protection Regulation (GDPR). Data collection practices described here may evolve as features are added or changed.
1. Data We Collect
1.1 Discord Account Data
When you sign in with Discord OAuth2, we receive and store:
- Discord User ID — your unique identifier (used as your account key)
- Display name — your Discord nickname or username
- Guild membership — which Discord servers you share with Ironkeep (stored in your session cookie, not in the database)
- Role IDs — your Discord roles in registered guilds (stored in your session cookie for permission checks)
We do not collect your email address, password, Discord messages, avatar image files, or any data from Discord servers that are not registered on Ironkeep.
1.2 Data You Provide
Through normal use of the Service, you may provide:
- Game role preferences (primary/secondary role)
- Preferred builds for quick signup
- Timezone preference
- DM notification preference (on/off)
- CTA and event signup data (role selections, notes)
- Role/build swap requests with optional reason
1.3 Data Created by Guild Callers & Officers
Guild callers and officers may create data that references your Discord User ID:
- Roster assignments (assigned role and build for a CTA)
- Attendance records (present, late, or absent)
- Payout ledger entries (silver credits/debits)
- Private player notes (visible only to callers in your guild)
1.4 Voice Channel & Check-in Data
When a CTA has voice tracking enabled, the Ironkeep Discord bot periodically checks which members are present in voice or stage channels in your guild's Discord server. We record:
- Voice channel name and ID — which channel you are in
- First and last seen timestamps — when you joined and were last detected
- Total minutes — how long you were in voice during the CTA
This data is only collected during active CTAs that have voice tracking enabled by a caller and is used solely for attendance tracking. We do not record audio, listen to conversations, or access any voice channel content.
When you use the check-in feature (via web or the /checkin Discord command), we store your check-in timestamp and the optional zone name you provide.
1.5 Data We Do Not Collect
- Email addresses
- Real names or physical addresses
- Payment or banking information (no billing system is active)
- IP addresses (not stored; Cloudflare may process them transiently for CDN/security)
- Device fingerprints or tracking identifiers
2. Cookies
Ironkeep uses four functional cookies. We do not use any analytics, advertising, or tracking cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| session | Authentication — stores your signed-in state (signed, HttpOnly) | 24 hours |
| csrf_token | Security — protects against cross-site request forgery (HttpOnly) | 24 hours |
| lang | Preference — stores your language choice (EN / NL) | 1 year |
| flash | UI — temporary notification messages (HttpOnly) | 5 seconds |
3. How We Use Your Data
We use your data exclusively to provide and operate the Service:
- Authenticate you via Discord and manage your session
- Display your name and roles in CTAs, events, and rosters
- Send Discord DM notifications you have opted into (reminders, roster assignments, stale check-in reminders)
- Calculate attendance statistics and payout balances for your guild
- Track voice channel presence and check-ins during active CTAs for scout/non-combat attendance
- Enforce role-based access through the permission matrix (including owner-level access)
We do not sell, rent, or share your data with third parties for marketing or advertising. We do not use analytics or tracking services.
4. Legal Basis (GDPR)
We process your personal data under the following legal bases:
- Legitimate interest (Art. 6(1)(f) GDPR) — providing the Service you signed up for, security, and fraud prevention.
- Consent (Art. 6(1)(a) GDPR) — when you sign in with Discord and choose to use the Service; when you opt into DM notifications.
5. Third-Party Services
The Service relies on the following third-party providers:
- Discord (discord.com) — authentication, guild/member data, and DM notifications. Discord Privacy Policy.
- Cloudflare (cloudflare.com) — DNS, CDN, DDoS protection, and SSL/TLS. Cloudflare processes HTTP requests transiently. Cloudflare Privacy Policy.
- Hetzner (hetzner.com) — server hosting in the EU. Hetzner Privacy Policy.
- Google Fonts (fonts.googleapis.com) — the Inter typeface is loaded from Google's CDN. Google Privacy Policy.
- Albion Online Render API (render.albiononline.com) — game item icons. No personal data is sent to this service.
6. Data Storage & Security
Your data is stored in an encrypted SQLite database on a Hetzner VPS in the EU. The server is protected by Cloudflare's CDN and DDoS protection, with full TLS encryption in transit.
Security measures include:
- HTTPS/TLS encryption for all traffic
- Signed, HttpOnly session cookies
- CSRF protection on all state-changing requests
- Content Security Policy with per-request nonces
- Rate limiting on authentication and sensitive endpoints
- Guild-scoped data isolation (guilds cannot see each other's data)
7. Data Retention
- Account data — retained as long as your guild is active on Ironkeep.
- CTA/event signups — retained for historical statistics and audit trail.
- Voice attendance & check-ins — retained alongside CTA data for attendance history.
- Payout records — retained for the guild's bookkeeping until the guild is deleted.
- Session cookies — expire after 24 hours.
- Error logs — the last 200 entries are kept; older entries are automatically deleted. Error logs do not contain personal data.
When a guild is deleted from Ironkeep (by platform admin or owner request), all guild-scoped data is permanently deleted, including signups, assignments, payouts, builds, and player notes.
8. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request that we limit processing of your data.
- Portability — request your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — withdraw consent at any time by stopping use of the Service.
To exercise any of these rights, contact us via Discord. We will respond within 30 days.
9. Children
Ironkeep does not knowingly collect data from children under 13 (or under 16 in some EU member states). Discord enforces its own age requirements. If you believe a child has provided data to Ironkeep, please contact us so we can delete it.
10. Discord Developer Policy
Ironkeep complies with the Discord Developer Policy. We only request the minimum OAuth2 scopes needed to operate: identify, guilds, and guilds.members.read. We do not store Discord messages, read message content, or access any data beyond what is described in this policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact
For privacy-related questions or to exercise your GDPR rights, reach out on our Discord server.