Privacy Policy

1. Controller Information

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

For any questions regarding the processing of your personal data, please contact us using the information above or visit our Imprint page.

2. Data Protection Officer

We are not legally required to appoint a Data Protection Officer (DPO) pursuant to Art. 37 GDPR and § 38 BDSG (German Federal Data Protection Act), as we do not regularly process personal data on a large scale as a core activity, nor do we process special categories of data within the meaning of Art. 9 GDPR. Nonetheless, for all data protection inquiries, you may contact us directly at joshua@studioappx.com.

3. Overview of Data Processing

We process personal data only to the extent necessary for providing a functional website, our content, and the services offered. The processing of personal data occurs regularly only with the user's consent or where processing is permitted by law.

This Privacy Policy applies to all data processing activities carried out in connection with the use of our Website at mcpetools.com.

4. Legal Basis for Processing (Art. 6 GDPR)

We process your personal data on the following legal bases:

• Consent (Art. 6(1)(a) GDPR): Where you have given your consent to the processing of your personal data for one or more specific purposes. You have the right to withdraw your consent at any time (Art. 7(3) GDPR). Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
• Contract Performance (Art. 6(1)(b) GDPR): Where processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract, such as providing user account functionality and processing addon submissions.
• Legal Obligation (Art. 6(1)(c) GDPR): Where processing is necessary for compliance with a legal obligation to which the controller is subject, such as processing copyright claims and retaining data required by commercial or tax law.
• Legitimate Interests (Art. 6(1)(f) GDPR): Where processing is necessary for the purposes of our legitimate interests or those of a third party, such as ensuring website security, preventing abuse, improving our services, and operating our infrastructure, provided that such interests are not overridden by your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests at any time (Art. 21 GDPR).

5. Data We Collect

5.1 Server Log Files

When you access our Website, our hosting provider (Vercel Inc.) automatically collects and stores information in server log files that your browser transmits to us. This includes:

• IP address of the requesting device (anonymized where possible)
• Date and time of access
• Name and URL of the requested file
• HTTP status code
• Amount of data transferred
• Browser type and version
• Operating system
• Referring URL

This data is processed on the basis of Art. 6(1)(f) GDPR. We have a legitimate interest in ensuring the technical functionality, security, and optimization of our Website. This data is not combined with other data sources and is not used to identify individual users.

5.2 User Account Data

When you create an account on our Website, we collect and process:

• Email address
• Username (chosen by you)
• Password (stored in hashed form using industry-standard bcrypt hashing; we never have access to your plain-text password)
• Date and time of registration
• Last sign-in date and time

This data is processed on the basis of Art. 6(1)(b) GDPR for the performance of the user agreement (our Terms of Service).

5.3 Addon Submissions

When you submit an addon suggestion, we collect and store:

• Addon name, description, and category
• Download URL and screenshot URLs you provide
• Addon version and Minecraft version information
• Your user ID (linked to your account)
• Submission date, time, and review status

This data is processed on the basis of Art. 6(1)(b) GDPR as part of the service we provide to registered users.

5.4 DMCA / Copyright Claims

When you submit a copyright claim through our DMCA form, we collect:

• Your full name and email address
• Description of the copyrighted work
• URL of the allegedly infringing content on our Website
• Additional details you provide
• Your sworn statement (declaration under penalty of perjury)
• Date and time of submission

This data is processed on the basis of Art. 6(1)(c) GDPR (compliance with legal obligations under copyright law) and Art. 6(1)(f) GDPR (our legitimate interest in protecting intellectual property rights and responding to valid legal claims).

5.5 Data Not Collected

We do not use analytics or tracking tools (such as Google Analytics). We do not collect personal data for advertising purposes. We do not use social media plugins that transmit data to third parties. We do not engage in profiling or automated decision-making within the meaning of Art. 22 GDPR.

6. Cookies and Storage Technologies (§ 25 TDDDG)

Our Website uses cookies and similar storage technologies. The use of cookies is governed by § 25 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutzgesetz, German Telecommunications Digital Services Data Protection Act), which implements the EU ePrivacy Directive in Germany, in conjunction with the GDPR.

6.1 Strictly Necessary Cookies (§ 25(2) No. 2 TDDDG)

These cookies are technically necessary for the Website to function properly and do not require your consent pursuant to § 25(2) No. 2 TDDDG. They include:

• Authentication Session Cookies (Supabase): When you log in, cookies are set to maintain your session and keep you signed in. These cookies contain an encrypted session token and are essential for authenticated features. They expire when you log out or after the session duration set by Supabase (default: 1 hour for access tokens, 1 week for refresh tokens).

The corresponding data processing is based on Art. 6(1)(b) GDPR (necessary for service provision) and Art. 6(1)(f) GDPR (legitimate interest in providing a functional website).

6.2 No Tracking or Analytics Cookies

We do not use any cookies for analytics, tracking, advertising, or marketing purposes. We do not set any third-party cookies beyond those strictly necessary for authentication.

You can control and delete cookies through your browser settings. Please note that disabling cookies may limit your ability to use certain features of the Website, particularly the user account and submission features.

7. Third-Party Service Providers (Data Processors)

We engage the following third-party service providers who process personal data on our behalf. Where applicable, we have concluded Data Processing Agreements (Auftragsverarbeitungsverträge, AVV) in accordance with Art. 28 GDPR.

7.1 Supabase (Authentication and Database)

We use Supabase, Inc. (San Francisco, CA, USA) as our authentication and database provider. Supabase processes user account data (email, username, hashed password) and addon submission data on our behalf. Supabase acts as a data processor within the meaning of Art. 28 GDPR.

Supabase stores data on servers which may be located outside the European Economic Area (EEA), including in the United States. Such transfers are safeguarded by the EU-U.S. Data Privacy Framework (adequacy decision by the European Commission of 10 July 2023, pursuant to Art. 45 GDPR) and Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

For more information, see Supabase's Privacy Policy.

7.2 Vercel (Hosting)

Our Website is hosted by Vercel Inc. (San Francisco, CA, USA). Vercel processes server log data as described in Section 5.1 on our behalf and provides the infrastructure for serving the Website. Vercel acts as a data processor within the meaning of Art. 28 GDPR.

Data may be processed in the United States. Such transfers are safeguarded by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.

For more information, see Vercel's Privacy Policy.

7.3 Discord (DMCA Claims Processing)

DMCA copyright claim data is forwarded to a private Discord channel via webhook for internal review purposes only. The data transmitted includes the claimant's name, email, and claim details as submitted through the DMCA form.

Discord, Inc. (San Francisco, CA, USA) acts as a separate controller for any data processed on its platform. Data transfers to the United States are safeguarded by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs).

For more information, see Discord's Privacy Policy.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law:

• Server log files: Retained by Vercel for up to 30 days, then automatically deleted. We do not store server log files separately.
• User account data: Retained for the duration of your account. Upon account deletion request, your data will be deleted within 30 days, unless retention is required by applicable law (e.g., commercial or tax law retention periods pursuant to § 257 HGB or § 147 AO, which may require retention for up to 6 or 10 years respectively).
• Addon submissions: Retained for the duration of your account or until you request deletion. Published submissions may be retained in anonymized form after account deletion.
• DMCA claims: Retained for as long as necessary for legal compliance and dispute resolution, typically for 3 years in accordance with the general statute of limitations (§ 195 BGB).
• Authentication cookies: Access tokens expire after 1 hour; refresh tokens expire after 1 week or upon logout.

9. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data. These rights apply regardless of whether you have a user account:

• Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and if so, to access that data, receive a copy, and obtain information about the purposes, categories, recipients, retention periods, and your rights.
• Right to Rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data and the completion of incomplete data without undue delay.
• Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data where the data is no longer necessary, you withdraw consent, you object to processing, or the data was unlawfully processed. This right is subject to legal retention obligations.
• Right to Restriction of Processing (Art. 18 GDPR): You have the right to request restriction of processing where you contest accuracy, the processing is unlawful, we no longer need the data, or you have objected to processing pending verification.
• Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to transmit it to another controller, where processing is based on consent or contract and is carried out by automated means.
• Right to Object (Art. 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests (Art. 6(1)(f) GDPR) at any time for reasons arising from your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
• Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
• Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for our registered office is:

You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EU/EEA.

To exercise any of these rights, please contact us at joshua@studioappx.com. We will respond to your request without undue delay and in any event within one month of receipt, as required by Art. 12(3) GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

10. International Data Transfers

Some of our service providers (Supabase, Vercel, Discord) are based in the United States and may process data outside the European Economic Area (EEA). We ensure that appropriate safeguards are in place to protect your data in accordance with Chapter V of the GDPR:

• EU-U.S. Data Privacy Framework (Art. 45 GDPR): Where our service providers are certified under the EU-U.S. Data Privacy Framework, an adequacy decision by the European Commission (adopted 10 July 2023) applies.
• Standard Contractual Clauses (Art. 46(2)(c) GDPR): Where applicable, we rely on Standard Contractual Clauses adopted by the European Commission as an additional safeguard.

We regularly review the data protection practices of our service providers to ensure ongoing compliance.

11. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. These measures include:

• SSL/TLS encryption (HTTPS) for all data transmission
• Secure storage of passwords using industry-standard bcrypt hashing
• Row Level Security (RLS) policies on the database to ensure users can only access their own data
• JWT-based authentication with short-lived access tokens
• Access controls and least-privilege principles for administrative access
• Regular security updates to all software dependencies

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a personal data breach, we will comply with the notification obligations under Art. 33 and Art. 34 GDPR.

12. Children's Privacy

In accordance with Art. 8 GDPR as implemented in Germany (§ 25 BDSG, in conjunction with the German implementation), our Website and user account services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If we become aware that we have collected personal data from a child under 16 without proper consent, we will take steps to delete that data without undue delay. If you believe we have collected information from a child under 16, please contact us immediately at joshua@studioappx.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or our service providers. Changes will be posted on this page with an updated revision date. Where required by law or where changes are material, we will notify registered users via the email address associated with their account. Your continued use of the Website after any changes constitutes your acknowledgment of the updated Privacy Policy. We recommend reviewing this page periodically.

14. Contact

For any questions or concerns regarding this Privacy Policy, the processing of your personal data, or to exercise your data protection rights, please contact us: