Privacy Policy
Last updated: 26 May 2026
1. Who we are (Data Controller)
Scope ApS is the data controller for all personal data processed through the Scope platform ("Service"). You can reach our privacy team at privacy@scopemc.net.
We are subject to the EU General Data Protection Regulation (GDPR) 2016/679, the Danish Data Protection Act (Databeskyttelsesloven), and are supervised by Datatilsynet (datatilsynet.dk).
2. What data we collect and why
| Category | Data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account | Email address, full name, hashed password (scrypt), organisation name | Art. 6(1)(b) – contract performance |
| Server metrics | TPS, memory, entity counts, lag-spike events, plugin performance profiles (Spark) | Art. 6(1)(b) – contract performance |
| Player activity | Minecraft player UUIDs, display names, session start/end times, purchase amounts, country (if provided by store plugin) | Art. 6(1)(f) – legitimate interests of the server operator (analytics) |
| Billing | Stripe Customer ID, subscription status, price tier. Card details are processed exclusively by Stripe and never reach our servers. | Art. 6(1)(b) – contract, Art. 6(1)(c) – legal obligation (VAT) |
| Preferences | Accent colour preference stored in browser localStorage (never transmitted to our servers) | Art. 6(1)(a) – consent |
| Security / logs | Failed login attempts, IP addresses in API request logs (server-side only) | Art. 6(1)(f) – legitimate interests (fraud prevention) |
We do not sell personal data. We do not use data for advertising or profiling beyond what is described above.
3. How we protect your data
- Passwords are stored using scrypt (N=16 384, r=8, p=1) — industry-standard memory-hard hashing. We never store plaintext passwords.
- All data in transit is encrypted with TLS 1.2+ (HTTPS). HTTP traffic is redirected automatically in production.
- Authentication uses short-lived JWT access tokens (15 min) and HttpOnly, Secure, SameSite=Strict refresh cookies (7 days).
- API endpoints enforce rate limiting and per-organisation quotas to prevent abuse.
- Database access uses parameterised queries (Drizzle ORM) — SQL injection is structurally prevented.
- Outbound HTTP calls are restricted to an explicit allowlist (Stripe, Groq, Anthropic, Spark).
- Security headers: HSTS, CSP, X-Frame-Options: DENY, X-Content-Type-Options, Referrer-Policy are applied on every response.
4. Data retention
| Data type | Retention period |
|---|---|
| Time-series server metrics (TPS, memory, entities) | 90 days (automatic TimescaleDB policy) |
| Player sessions & aggregates | Retained while your account is active; deleted 30 days after account deletion |
| Account data (email, name) | Until account deletion request is fulfilled |
| Financial / billing records (invoices, transaction IDs) | 5 years (Danish bookkeeping law — Bogføringsloven) |
| API access logs (IP, endpoint) | 30 days |
| AI analysis cache (Redis) | 1–24 hours (plan-dependent TTL) |
5. Third-party processors
We share data with the following sub-processors, each bound by a Data Processing Agreement (DPA):
- Stripe, Inc. — payment processing. Card data is processed on Stripe's PCI-DSS-certified infrastructure. Stripe acts as an independent data controller for its own compliance obligations. Stripe Privacy Policy
- Groq, Inc. (optional, if AI_PROVIDER=groq) — AI inference. Server performance metrics (no personal player data) are sent to Groq's API to generate recommendations. Groq processes data in the US under SCCs.
- Anthropic, PBC (optional, if AI_PROVIDER=anthropic) — AI inference. Same scope as Groq above.
- Infrastructure provider — hosting (database, Redis, API server). We use providers with EU data-centre options and standard contractual clauses where data is processed outside the EEA.
6. International transfers
When data is transferred outside the European Economic Area (e.g., to Groq or Anthropic in the US), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR) and, where applicable, the UK International Data Transfer Agreement.
7. Your rights under GDPR
You have the following rights regarding your personal data (Art. 15–22 GDPR):
- Right of access (Art. 15) — request a copy of your data.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure (Art. 17) — "right to be forgotten" (subject to legal retention obligations).
- Right to restrict processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — withdraw any consent at any time without affecting prior processing.
To exercise any of these rights, email privacy@scopemc.net. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with Datatilsynet (Danish Data Protection Authority).
8. Cookies and local storage
We use a session cookie for authentication and browser localStorage for preferences. See our full Cookie Policy for details. You can manage or withdraw consent at any time using the cookie settings button in the footer.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@scopemc.net and we will delete it immediately.
10. Changes to this policy
We will notify you of material changes by email and by updating the "Last updated" date above. Continued use of the Service after the effective date constitutes acceptance of the revised policy. Historical versions are available on request.
Scope ApS · CVR: [to be completed upon company registration]
Privacy enquiries: privacy@scopemc.net
Supervisory authority: Datatilsynet