Privacy Policy
| Last updated: | 2026-05-01 |
|---|---|
| Effective: | 2026-05-01 |
This Privacy Policy explains how we collect, use, share, and protect personal data when you use freebuild, our website at www.freebuild.net, and related services (together, the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the UK Data Protection Act 2018.
1. Who we are
For privacy-related requests and questions about this policy, contact us at:
- Privacy contact: privacy@freebuild.net
- General contact: contact@freebuild.net
We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR. For all privacy-related requests, please use the privacy contact above.
2. Information we collect
2.1 Information you provide
| Category | Details |
|---|---|
| Email address | When you register an account or request a verification code. |
| Password | Never stored in plaintext. We store only a salted, hashed derivative used to verify your password on login. |
| Username |
Chosen by you (or assigned a default such as freebuilder1234 when you first sign in via Steam) and
shown publicly inside the game.
|
| Steam account identifier | Only if you choose to sign in with Steam or link your Steam account. This is provided to us by Valve after you authenticate with Steam. |
| Player reports | When you submit a report through the "Report Player" form, we receive the title, the reported player's name and ID, your message, and any attachments you upload. |
| Payment information | Billing details you provide during checkout will be collected and processed by Stripe. We do not see or store your full card number. |
2.2 Information collected automatically
| Category | Details |
|---|---|
| IP address | Automatically collected by our infrastructure. Used to prevent abuse, rate-limit registration, detect fraudulent server registrations, and respond to security incidents. |
| Device and browser information | User-agent string, referring URL, and the time of your request. Recorded in server logs. |
| Authentication state | A JSON Web Token stored in a cookie or in your browser's local storage so that we can recognise you across pages without asking you to log in again. |
| Activity timestamps | Account creation, last update, and last seen times for your account, email identity, and Steam identity. |
| Username history | When you change your username we keep a record of the previous and new username, with the date, for moderation and account-recovery purposes. |
2.3 Information you generate by using the game
| Category | Details |
|---|---|
| Game-server registrations | If you host a game server that publishes itself to the master list, we record the server's IP address, port, name, description, map, gamemode, player counts, and protocol version. |
| Game-related role and status | For example whether your account has been revoked. |
3. Why we process your data and on what legal basis
Under Article 6(1) GDPR we process your personal data on the following bases:
| Lawful basis | Purposes covered |
|---|---|
| Performance of a contract (Art. 6(1)(b)) | To create and operate your account; authenticate you; link your Steam account; deliver the game and online services; and process your purchase. |
| Legitimate interests (Art. 6(1)(f)) | To keep our Service secure and free from abuse — such as detecting bots; blocking registration spam; validating Steam ownership; retaining minimal server logs; recording username history for moderation; processing player reports; investigating policy violations; and review by a small team of staff and trusted moderators. We have carried out a balancing test and consider these interests not to override your fundamental rights, given the limited and necessary data involved. |
| Compliance with a legal obligation (Art. 6(1)(c)) | For example, retaining records when required by law or responding to lawful requests from public authorities. |
| Consent (Art. 6(1)(a)) | Whenever the law calls for consent (for example optional marketing emails, non-essential cookies or trackers, or other genuinely optional processing), we prompt you separately and clearly before we start — we do not subscribe you or enable consent-based tracking without an explicit opt-in. You may withdraw consent at any time without affecting processing that rests on contract, legal obligation, or legitimate interests. For processing covered by those bases we do not need consent, so no consent prompt applies. |
4. Cookies, local storage, and similar technologies
We use only strictly-necessary storage. We do not use advertising cookies, cross-site tracking, or third-party analytics. Because of this, we do not display a cookie consent banner.
4.1 Cookies
| Category | Purpose | Lifetime |
|---|---|---|
| Authentication cookie | A first-party cookie that stores your signed authentication token. Set when you log in and cleared when you log out. Strictly necessary. | Up to 7 days |
| Infrastructure cookies | Cookies set by our infrastructure provider (Cloudflare) for bot management, DDoS protection, and request routing. Strictly necessary. | Session / up to 30 minutes |
4.2 Browser storage
| Category | Storage | Purpose | Cleared |
|---|---|---|---|
| Authentication state | localStorage | A copy of your authentication token used to make client-side rendering decisions on logged-in pages. | On logout |
| Navigation state | sessionStorage | Short-lived flags used to prevent redirect loops between the account and login pages and to debounce token-validation requests. | When you close the tab |
You can clear cookies and browser storage at any time through your browser settings. Doing so will log you out and may interrupt your session.
5. Who we share your data with
We do not sell, rent, or trade your personal data. We share it only with vetted service providers acting as data processors on our behalf, and only as needed to operate the Service:
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Cloudflare, Inc. | Website hosting, edge compute (Workers), database (D1), key-value storage (KV), DDoS protection, and request/observability logs. | United States, with global edge presence. | Cloudflare Data Processing Addendum and Standard Contractual Clauses. |
| Zoho Corporation | Delivery of transactional emails such as account verification codes. | European Union. | Zoho Data Processing Addendum; data processed within the EU. |
| Valve Corporation | Verifying Steam authentication tickets when you choose to link or sign in with a Steam account. | United States. | EU-US Data Privacy Framework and/or Standard Contractual Clauses. |
| Stripe, Inc. | Processing payments for purchases of the game. | United States, with EU sub-processing. | Stripe Data Processing Addendum and EU-US Data Privacy Framework. |
| Telchaxy LLC | Software development, deployment, and operational support, including debugging, incident response, and access to production logs and systems. | United States. | Data Processing Agreement, EU/UK Standard Contractual Clauses, and the UK International Data Transfer Addendum. |
| Discord, Inc. | Hosting our official community Discord server and any moderation tickets, logs, or messages exchanged with our moderators on Discord. | United States. | Discord Data Processing Addendum and EU-US Data Privacy Framework. |
We may also disclose personal data when we believe in good faith that disclosure is necessary to (i) comply with a legal obligation, court order, or lawful request from a public authority; (ii) protect our rights, property, or safety, or those of our users or the public; or (iii) investigate fraud, security incidents, or violations of our Terms of Service.
6. International data transfers
Some of our service providers (notably Cloudflare, Valve and Stripe) are based in the United States. Where we transfer personal data outside the European Economic Area or the United Kingdom, we rely on one or more of the following safeguards under Articles 44–49 GDPR:
- Adequacy decisions issued by the European Commission or the UK Government, including the EU–US Data Privacy Framework (and its UK extension).
- Standard Contractual Clauses approved by the European Commission, supplemented where appropriate by additional technical and organisational measures.
- Necessity for the performance of a contract with you, when you initiate a service that requires the transfer (for example, signing in via Steam).
You can request a copy of the transfer mechanism that applies to a specific processor by contacting privacy@freebuild.net.
7. How long we keep your data
We retain personal data only for as long as necessary to fulfil the purposes set out above, and then delete or anonymise it.
| Data | Retention period |
|---|---|
| Account data | Email identity, Steam identity and player record. Kept for as long as your account exists. Deleted within 30 days of an account-deletion request, except where we are legally required to keep certain records longer (e.g. tax records relating to a purchase). |
| Email verification codes | Stored in temporary key-value storage and automatically deleted after 2 minutes. |
| IP-to-email anti-abuse mapping during registration | Automatically deleted within approximately 3 minutes of the verification window expiring. |
| Authentication tokens (JWT) | Valid for 7 days; old tokens become invalid automatically and are not stored on our servers. |
| Username change history | Retained while the account exists, for moderation and account recovery, and deleted when the account is deleted. |
| Player reports and attachments | Retained for up to 24 months after the report is closed, then deleted unless we are required to keep them as part of an ongoing safety investigation or legal proceedings. |
| Game-server registrations | Kept while the server is announced to the master list and pruned shortly after a server stops reporting. |
| Server logs (Cloudflare observability) | Retained in line with Cloudflare's standard log retention (typically up to 7 days for invocation logs and traces). Aggregated, non-personal statistics may be kept longer. |
| Payment records | Retained for the period required by applicable tax and accounting law (typically 6-10 years depending on jurisdiction). |
8. Your rights
Where the GDPR or UK GDPR applies to you, you have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Access (Art. 15) | Obtain confirmation of whether we process data about you and receive a copy of that data. |
| Rectification (Art. 16) | Have inaccurate or incomplete data corrected. |
| Erasure / "right to be forgotten" (Art. 17) | Have your data deleted, subject to the exceptions in Art. 17(3) (e.g. legal retention obligations). |
| Restriction of processing (Art. 18) | Ask us to limit how we use your data while a question about it is being resolved. |
| Data portability (Art. 20) | Receive the data you provided to us in a structured, commonly used, machine-readable format. |
| Object (Art. 21) | Object to processing carried out under our legitimate interests. |
| Not subject to automated decisions (Art. 22) | We do not carry out automated decision-making with legal or similarly significant effects. |
| Withdraw consent | At any time, where the processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal. |
| Lodge a complaint with a supervisory authority | See Section 13. |
9. How to exercise your rights
Send your request to privacy@freebuild.net from the email address associated with your account, or via another method that allows us to verify your identity. We may ask for additional information to confirm who you are before acting on a request.
We will respond within one month of receiving the request, as required by Article 12(3) GDPR. If your request is complex or you have submitted several requests, we may extend that period by a further two months and will tell you why within the first month.
Exercising your rights is free of charge. We may charge a reasonable fee or refuse to act only where requests are manifestly unfounded or excessive (Article 12(5) GDPR).
9.1 Effect on your account
Some of the data we hold about you — your email identity, password hash, player record, and any linked Steam account — is required for us to provide the Service to you. If you ask us to erase that data, withdraw consent for processing that depends on it, restrict our processing of it, or object to processing under our legitimate interests, we will no longer be able to operate your account.
The practical effect is that your account will be revoked: you will lose access to logged-in features on the website and to multiplayer game services that authenticate against our systems. This is not a penalty for exercising your rights — it is the unavoidable consequence of removing the data we use to identify you.
Where appropriate, and where you ask us to, we may offer to disable or anonymise your account as an alternative to full deletion, so that you can return later if you change your mind. We will explain which option applies to your request, and what data (if any) we are legally required to keep, in our response.
10. Security
We implement appropriate technical and organisational measures to protect your personal data, in line with Article 32 GDPR. These include:
- HTTPS/TLS for all traffic to and from the Service.
- Passwords stored using a salted, slow key-derivation function, never in plaintext.
- Authentication via signed JSON Web Tokens with a limited lifetime.
- Edge-level protections provided by Cloudflare, including DDoS mitigation and bot management.
- Strict access controls to production systems and databases.
- Defence-in-depth: rate limiting, input validation, and minimal data retention.
No system is completely secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform affected users without undue delay where required by Articles 33 and 34 GDPR.
11. Children's privacy
The Service is not intended for children. You must be at least 16 years old to create an account, or the minimum age of digital consent in your country if your country has set a lower age (between 13 and 16) under Article 8 GDPR. If you are below this age, please do not register.
If we become aware that we have collected personal data from a child below the applicable age without proper authorization, we will delete that data. Parents and guardians who believe their child has provided us with personal data should contact privacy@freebuild.net.
12. Automated decision-making and profiling
We do not make decisions about you that are based solely on automated processing and that produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 GDPR. Automated systems we operate (such as rate limits, abuse detection, and anti-cheat heuristics) are reviewed by humans before any account-level enforcement action is taken.
13. Right to lodge a complaint
If you believe our processing of your personal data infringes the GDPR or UK GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU or UK Member State of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).
We would, however, appreciate the chance to address your concerns directly first — please reach out to privacy@freebuild.net.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. How we tell you about a change depends on whether it is material:
- Minor changes — for example, clarifications, typo fixes, or formatting updates that do not change the substance — will be reflected by updating the "Last updated" date at the top of this page.
- Material changes — for example, changes to what personal data we collect, how we use it, who we share it with, how long we keep it, or your rights — will be communicated through the Service before the changes take effect, such as by displaying a notice on this website or showing a prompt the next time you sign in.
We encourage you to review this page periodically. By continuing to use the Service after a change takes effect, you acknowledge the updated Privacy Policy.
15. Third-party platforms
Some of our community lives on platforms operated by other companies, including Discord, X, YouTube, and Reddit. When you interact with us or with other users on those platforms, those interactions are governed primarily by the platform's own privacy policy, not by ours. We use those platforms only to communicate with our community. Activity that happens there — including chat messages, posts, reactions, and direct messages — is not automatically collected or stored by our website or game services.
If you contact us through one of those platforms (for example, by sending a moderation ticket or message to our team on Discord), we may retain a copy of that conversation for as long as needed to handle your query, and then delete it.
16. Contact us
For privacy-related questions or requests, contact:
- Email: privacy@freebuild.net
For all other enquiries, please use contact@freebuild.net.