Last updated: 4 April 2026
StoatBoard("we", "us", "the Service") is a personal project operated from France. This Privacy Policy explains what personal data we collect, why we collect it, the legal basis under the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), and your rights regarding that data.
By using StoatBoard, you acknowledge that you have read and understood this Policy.
The data controller for StoatBoard is the operator of this personal project, based in France. We do not operate under a registered legal entity. For any data-related request, contact us at:
We will respond to all requests within 30 days in accordance with Article 12 GDPR.
We only collect what is strictly necessary to operate the Service. For each category of data, we indicate the applicable legal basis under Article 6 GDPR.
| Data | Purpose | Legal Basis |
|---|---|---|
| Username, email address, hashed password | Account creation and authentication | Art. 6(1)(b) — performance of contract |
| Server listing data (name, description, invite link, tags, category, icon) | Display and management of server listings | Art. 6(1)(b) — performance of contract |
| IP address | Rate limiting and abuse prevention (stored temporarily in Redis cache, TTL ≤ 24 hours) | Art. 6(1)(f) — legitimate interest (preventing abuse) |
| Bump timestamps | Enforcing the bump cooldown system | Art. 6(1)(b) — performance of contract |
| Session cookie | Maintaining your authenticated session | Art. 6(1)(b) — performance of contract (essential) |
| Product analytics data (events, page views, session replay metadata, technical context) | Understanding usage, debugging issues, and improving product UX. For signed-in users, analytics may be linked to account identifiers (user ID, username, email) for product diagnostics and support context. | Art. 6(1)(f) — legitimate interest (security and product improvement) |
| Email address (transactional) | Sending account and service emails (verification, security resets, moderation notices, listing/boost operational reminders) | Art. 6(1)(b) and Art. 6(1)(f) — contract performance and legitimate interest |
| Payment and credit events (Ko-fi transaction ID, amount, currency, payer name/email when provided) | Crediting Pulse balance, fraud prevention, accounting traceability, and support handling for virtual currency operations. | Art. 6(1)(b) and Art. 6(1)(f) |
| AI processing inputs (server name, descriptions, category, tags) | Generating optional suggested SEO descriptions for listings and admin queue workflows. | Art. 6(1)(b) and Art. 6(1)(f) |
We do not use your data for automated legal or similarly significant decision-making.
We use the following sub-processors. Some of these services may process personal data outside the EU/EEA. Where applicable, such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46 GDPR).
We do not sell, rent, or share your personal data with any third party for commercial or marketing purposes.
Payment metadata may also be processed to prevent fraud, resolve payment disputes, and enforce no-refund and anti-chargeback policies in accordance with our Terms.
We use strictly necessary cookies and limited first-party analytics storage (including PostHog cookie/localStorage). For full details, see our Cookie Policy.
We implement appropriate technical and organisational measures to protect your data:
As a data subject under the GDPR, you have the following rights:
To exercise any of these rights, email [email protected]. We may ask you to verify your identity before processing your request.
If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with the French data protection authority:
CNIL(Commission Nationale de l'Informatique et des Libertés)
www.cnil.fr/en/complaints
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
Notification to affected users will be made by email to the address registered on their account, and/or via a prominent notice on the Service.
If you suspect a security incident involving your personal data on StoatBoard, please notify us immediately at [email protected].
The Service is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal data, please contact [email protected].
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where feasible, notify registered users by email. Continued use of the Service after changes constitutes acceptance of the revised Policy.
For any privacy-related question or request, contact us at:
Related legal documents: Terms of Service · Cookie Policy · Content Policy · DMCA / Takedown · Legal Notice.