Privacy Policy

1. Definitions

The following terms, when used in this Privacy Policy, shall bear the meanings set out below:

• "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"), as defined under Article 4(1) GDPR.
• "Processing" has the meaning ascribed to it in Article 4(2) GDPR and includes any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, restriction, erasure, or destruction.
• "Controller" means the natural or legal person who determines the purposes and means of the processing of Personal Data, per Article 4(7) GDPR.
• "Processor" means a natural or legal person who processes Personal Data on behalf of the Controller, per Article 4(8) GDPR.
• "Services" has the meaning ascribed to it in the Terms of Service and refers collectively to all PVEstrap applications, APIs, Discord bot, and web properties.
• "User", "you", or "your" refers to any natural person who accesses or uses the Services.
• "Third-Party Services" means external platforms not operated by PVEstrap, including Discord, which may process Personal Data in their own right.

2. Data Controller

For the purposes of applicable data protection law, including Regulation (EU) 2016/679 (GDPR) and the UK GDPR, PVEstrap acts as the Data Controller in respect of the Personal Data processed in connection with the Services.

As Controller, PVEstrap determines the purposes and means by which Personal Data is processed. Where PVEstrap engages third-party service providers (Processors) to process data on its behalf, it does so under appropriate contractual arrangements that ensure a level of protection consistent with applicable law.

For all data protection enquiries, requests to exercise data subject rights, or complaints, please contact PVEstrap via the channels described in §15.

3. Data We Collect

PVEstrap may collect and process the following categories of Personal Data, depending on which Services are accessed and how:

Category	Data Points	Source
Discord Identifiers	Discord User ID, Guild (server) ID, Channel ID, Username (as visible via Discord API)	Discord API; User interaction with the Bot
Technical & Device Data	Operating system version, application version, device architecture, error reports and crash logs	PVEstrap desktop applications (automated)
Usage & Interaction Data	Feature usage, commands invoked, timestamps, session frequency	Automated collection during Service use
Configuration Data	User-defined preferences, virtual machine configurations, system settings	Applications and API Services (User-provided)
Network & Log Data	IP address (where technically necessary), HTTP request metadata, access timestamps, API error logs	Web infrastructure and API services (automated)
Communications Data	Contents of support requests, feedback submissions, and direct correspondence	Voluntarily provided by the User

PVEstrap does not intentionally collect or solicit special categories of personal data as defined under Article 9 GDPR, including but not limited to health data, biometric data, racial or ethnic origin, political opinions, or religious beliefs. PVEstrap similarly does not collect payment card information or government-issued identification. Users should not submit such data through any Service.

4. Legal Basis for Processing (GDPR)

Where Regulation (EU) 2016/679 (GDPR) or the UK GDPR applies, PVEstrap processes Personal Data on the following legal bases as set out in Article 6 GDPR:

• Article 6(1)(b) — Performance of a Contract: Processing is necessary for the performance of the agreement entered into when the User accepts these Terms, including providing, operating, and maintaining the Services.
• Article 6(1)(c) — Legal Obligation: Processing is necessary to comply with a legal obligation to which PVEstrap is subject, including applicable law, regulatory requirements, or court orders.
• Article 6(1)(f) — Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by PVEstrap, including the security and integrity of the Services, fraud and abuse prevention, and service improvement, except where such interests are overridden by the interests, fundamental rights, or freedoms of data subjects.
• Article 6(1)(a) — Consent: Where PVEstrap relies on consent for a specific processing activity, this will be made clear at the point of collection, and the User will be provided with the ability to withdraw consent at any time without detriment.

For Users in the European Economic Area (EEA) or United Kingdom, PVEstrap will process Personal Data only where a valid legal basis under Article 6 GDPR exists. Users may request further information regarding the specific legal basis applicable to any processing activity by contacting PVEstrap via the channels in §15.

5. Purpose of Processing

PVEstrap processes Personal Data for the following specific, explicit, and legitimate purposes, in accordance with the principle of purpose limitation under Article 5(1)(b) GDPR:

1. Service Provision: To deliver, operate, and maintain the Services, including authenticating Users, processing commands, and executing requested functionality.
2. Personalisation & Configuration: To store and apply User preferences, configurations, and settings to enable a consistent and personalised Service experience.
3. Service Improvement: To analyse aggregated and anonymised usage patterns, diagnose errors, and develop and improve Service functionality, performance, and reliability.
4. Security & Integrity: To detect, investigate, prevent, and remediate fraudulent activity, abuse, security vulnerabilities, and violations of the Terms of Service.
5. Support & Communications: To respond to User enquiries, support requests, and feedback, and to provide operational communications related to the Services.
6. Legal Compliance: To comply with applicable legal obligations, including responding to valid legal process, regulatory enquiries, and governmental orders.

Personal Data shall not be processed for purposes incompatible with those listed above without appropriate prior notification to the User and, where required, their consent.

6. Discord Bot Data

When a User interacts with the PVEstrap Discord Bot, the following data is processed as a necessary function of the Bot's operation:

• Discord User ID: A unique numerical identifier assigned by Discord, used to associate interactions with a given User account without reference to personally identifiable account content beyond what is strictly necessary.
• Guild (Server) ID: Used to scope Bot configurations and settings to the relevant Discord server environment.
• Command Metadata: Records of which commands are invoked, associated timestamps, and operational outcomes, retained for logging, abuse detection, and service improvement.
• Service Configurations: Settings and preferences configured by the User or server administrators through Bot commands for the management of PVEstrap services.

Access to Bot-derived data is strictly limited to authorised PVEstrap team members for the purposes of development, testing, security monitoring, and service operation. Such data is not disclosed to third parties except as described in §6 or as required by law.

The Discord Bot operates within and subject to the Discord platform. PVEstrap's processing of data obtained via the Discord API is additionally governed by Discord's Developer Policy and applicable Discord developer terms.

7. Sharing & Onward Transfers

PVEstrap does not sell, rent, trade, or otherwise transfer Personal Data to third parties for commercial purposes. Disclosure of Personal Data may occur only in the following limited and controlled circumstances:

• Service Providers (Processors): PVEstrap may engage trusted third-party infrastructure and service providers — including hosting, cloud storage, and monitoring services — who process Personal Data on PVEstrap's behalf under written data processing agreements that impose confidentiality obligations and data protection standards consistent with applicable law.
• Legal Process & Compliance: Where disclosure is required to comply with a legal obligation, valid court order, subpoena, regulatory directive, or other binding legal process under applicable law. PVEstrap will, where legally permissible, notify the User of such a request prior to disclosure.
• Protection of Rights: Where disclosure is reasonably necessary to protect the rights, property, or safety of PVEstrap, its Users, or the public, including for the purposes of fraud prevention, security incident response, or enforcement of the Terms of Service.
• Business Transfers: In connection with a merger, acquisition, asset sale, corporate reorganisation, or similar transaction, provided that the acquiring party is bound by data protection obligations no less protective than those set out in this Policy.

Third-party services with which Users interact in connection with the Services operate under their own independent privacy policies. Notable policies that may apply include:

• Discord Privacy Policy
• Discord Terms of Service
• Discord Developer Policy

8. Retention Periods

PVEstrap processes and retains Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, in accordance with the storage limitation principle under Article 5(1)(e) GDPR. The following indicative retention periods apply:

• Discord Identifiers and Configuration Data: Retained for as long as the User actively uses the Services, or until a deletion request is submitted and processed in accordance with §9.
• Log and Error Data: Retained for a rolling period of up to ninety (90) days for operational, security, and debugging purposes, after which they are deleted or anonymised.
• Communications Data: Retained for as long as reasonably necessary to resolve the relevant enquiry, plus such additional period as may be required by applicable record-keeping obligations.
• Aggregated and Anonymised Data: Data rendered genuinely anonymous — in such a manner that the individual cannot be identified or re-identified — is not subject to the GDPR and may be retained indefinitely for analytical and service improvement purposes.

Where retention is required beyond the periods described above in order to comply with a legal obligation, resolve disputes, or enforce PVEstrap's agreements, such retention will be limited to the minimum period strictly necessary.

9. Security Measures

PVEstrap implements appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR and the principle of integrity and confidentiality under Article 5(1)(f) GDPR. Such measures include, but are not limited to:

• Access controls and role-based permissions restricting Personal Data access to authorised team members on a need-to-know basis;
• Secure storage practices for any Personal Data held within PVEstrap-controlled infrastructure;
• Periodic review of security measures in light of evolving technical capabilities and the nature of the data processed.

No method of electronic transmission or data storage is entirely secure. PVEstrap cannot guarantee the absolute security of Personal Data and, accordingly, Users transmit Personal Data at their own risk. In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons, PVEstrap shall comply with its notification obligations under Articles 33 and 34 GDPR, where applicable, and will make reasonable efforts to notify affected Users through available Service channels, including the PVEstrap Discord server.

10. Data Subject Rights

Subject to applicable law and the conditions prescribed therein, Users may exercise the following rights in relation to their Personal Data processed by PVEstrap. These rights are set out under Chapter III of the GDPR and equivalent provisions under applicable national and international data protection frameworks:

1. Right of Access (Art. 15 GDPR): The right to obtain confirmation as to whether Personal Data concerning the User is being processed and, if so, to receive a copy of that data together with supplementary information regarding the processing.
2. Right to Rectification (Art. 16 GDPR): The right to obtain, without undue delay, the rectification of inaccurate Personal Data and the completion of incomplete Personal Data.
3. Right to Erasure (Art. 17 GDPR): The right to obtain the erasure of Personal Data ("right to be forgotten") where one of the grounds specified in Article 17(1) applies and processing is no longer necessary or lawful.
4. Right to Restriction of Processing (Art. 18 GDPR): The right to obtain restriction of processing where one of the conditions specified in Article 18(1) applies, pending resolution of a dispute or verification of data accuracy.
5. Right to Data Portability (Art. 20 GDPR): Where processing is based on consent or contract and is carried out by automated means, the right to receive Personal Data in a structured, commonly used, and machine-readable format.
6. Right to Object (Art. 21 GDPR): The right to object, on grounds relating to the User's particular situation, to processing of Personal Data that is based on Article 6(1)(f) (legitimate interests). PVEstrap shall cease processing unless compelling legitimate grounds exist that override the User's interests.
7. Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on consent, the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any of the above rights, Users should submit a request via the contact channels set out in §15. PVEstrap will respond within the timeframe required by applicable law (ordinarily one calendar month under Article 12 GDPR, extendable by a further two months in cases of complexity or volume).

PVEstrap reserves the right to verify the identity of any person submitting a data subject request prior to actioning it, in order to prevent unauthorised disclosure or modification of Personal Data.

11. Children's Privacy

The Services are not directed at, and are not intended for use by, children under the age of 13 (or such higher age as may be required under applicable law, including 16 years in certain EU Member States under Article 8 GDPR for information society services offered directly to children).

PVEstrap does not knowingly collect or process Personal Data from children below the applicable minimum age threshold. If PVEstrap becomes aware or has reason to believe that Personal Data has been collected from a child below the applicable age without appropriate parental or guardian consent, PVEstrap will take prompt steps to delete such data from its systems.

If a parent or legal guardian believes their child has provided Personal Data to PVEstrap without appropriate consent, they are requested to contact PVEstrap immediately via the channels specified in §15 so that the matter can be investigated and appropriate action taken.

12. International Data Transfers

PVEstrap operates on an international basis. Where Personal Data is transferred to, stored in, or accessed from a country or territory outside the European Economic Area (EEA) or United Kingdom that is not recognised as providing an adequate level of data protection under Article 45 GDPR or equivalent applicable law, PVEstrap shall ensure that such transfers are subject to appropriate safeguards pursuant to Article 46 GDPR, including, where applicable:

• Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR;
• Binding Corporate Rules (where applicable) pursuant to Article 46(2)(b) and Article 47 GDPR;
• Other approved transfer mechanisms as may be recognised under applicable data protection law.

Users may request further information regarding the specific safeguards in place for any international transfer of their Personal Data by contacting PVEstrap via the channels in §15.

13. Third-Party Services

The Services may contain links to, or be accessed through, third-party websites, platforms, or applications — most notably the Discord platform. PVEstrap is not responsible for the content, privacy practices, data processing activities, or terms of any third-party service. Each third-party service operates as an independent data controller in respect of the Personal Data it collects.

Users are encouraged to review the privacy policies of all third-party services they access in connection with PVEstrap Services. PVEstrap's Privacy Policy applies solely to Personal Data processed by PVEstrap and does not extend to any third-party processing.

14. Cookies & Similar Technologies

PVEstrap web properties may employ cookies, pixel tags, local storage, or other similar tracking technologies to support the functionality and performance of those properties. Where such technologies involve the processing of Personal Data or the accessing of information stored on a User's device, PVEstrap will implement them in accordance with applicable law, including, where required, the ePrivacy Directive (2002/58/EC) as amended and transposed into national law.

Strictly necessary technologies required for the operation of the web property may be deployed without prior consent. Where PVEstrap deploys non-essential technologies — including those relating to analytics or performance monitoring — appropriate consent mechanisms will be employed where legally required.

Users may control or disable cookies through their browser settings. Disabling certain technologies may affect the functionality or performance of PVEstrap web properties.

15. Amendments

PVEstrap reserves the right to amend, revise, or replace this Privacy Policy at any time, at its sole discretion and with or without prior notice, in order to reflect changes in data processing practices, applicable law, or the Services. Any revised version will be published at pvestrap.com/legal/privacy and shall take effect immediately upon publication unless otherwise indicated.

The User's continued use of any Service following the publication of an amended Privacy Policy constitutes acceptance of the amended terms. Where a material change is made to the processing of Personal Data in a manner that requires prior notification under applicable law — in particular Article 13 or 14 GDPR — PVEstrap will make reasonable efforts to notify affected Users through available Service channels.

PVEstrap similarly reserves the right to amend the Terms of Service at any time and without prior notice.

16. Contact & Complaints

All enquiries relating to this Privacy Policy, requests to exercise data subject rights, notifications of a suspected data breach, or other data protection matters should be directed to PVEstrap via the following channels:

• Website: pvestrap.com
• Discord Community: [Currently Unavailable]

When submitting a data subject request, please include your Discord User ID (if applicable), a description of the data or processing activity in question, and the specific right or concern being raised. This will enable PVEstrap to process the request efficiently and within the prescribed timeframe.

Where a User has grounds to believe that PVEstrap's processing of their Personal Data infringes applicable data protection law, the User has the right to lodge a complaint with the competent supervisory authority in their country of residence or establishment. A directory of EU data protection supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.

This Privacy Policy is drafted and provided in English only. English is the sole governing language for all legal and interpretive purposes.