Privacy policy

What I collect, why I collect it, and how long I keep it. This site is operated independently and processes only the minimum data needed to deliver coins and meet legal obligations.

Last updated · April 21, 2026

01 Who is the controller

I am the data controller for personal data processed through this site, which is operated independently by me (0x00 on Discord). This is not PGTools itself. For privacy matters you can reach me at [email protected] or by Discord DM; see the support page for the full contact channels. I am not required to appoint a DPO under Article 37 GDPR, but privacy questions are handled on the same channels.

02 What is collected

  • Your Discord account. Checkout is gated behind a Discord sign-in (via Better Auth). I receive your Discord user ID, username, and avatar hash so I can attribute the order, post the delivery receipt back to you, and let you view your order history.
  • Your email address. A verified email is required at checkout. It is stored against the order, passed to Stripe as the receipt address for card payments, and used by Resend to send the purchase confirmation and waiver record. It is not used for marketing.
  • Your PGTools username. Entered at checkout, used solely to credit coins.
  • Payment metadata. Order ID, amount, currency, processor status, and the last four digits of the card (Stripe) or the transaction hash (NOWPayments). I never see full card numbers or bank details.
  • Fraud-prevention signals. IP address, rough geolocation, device fingerprint, and risk score returned by Stripe Radar. Used by Stripe to score the charge before capture, and kept on file for chargeback defense and post-delivery pattern detection.
  • Support messages. The content of any Discord message you send me about an order.
  • First-party usage telemetry. Event type, path, random session ID, viewport, browser language list, resolved device locale, current site locale (document.documentElement.lang), and timezone. Used only to understand aggregate funnel and translation demand; never for advertising.
  • Technical logs. Standard server logs (timestamp, path, status code, user-agent) kept short-term for abuse detection and debugging.

I do not collect account passwords, phone numbers, or real-world identity information unless you voluntarily provide them during a support request.

03 Why it is processed

Each processing activity has a clear legal basis under Article 6 GDPR:

  • Contract performance (Art. 6(1)(b)): to deliver the coins you ordered.
  • Legal obligation (Art. 6(1)(c)): to keep invoicing and tax records under applicable EU and national law.
  • Legitimate interests (Art. 6(1)(f)): to prevent fraud, contest chargebacks, and secure this site. Your interests and rights have been balanced against mine.
  • Consent (Art. 6(1)(a)): only where applicable, for example the express waiver of withdrawal at checkout.

04 Who it is shared with

I only share data with processors strictly required to run the service. Each is bound by a data processing agreement and operates under its own privacy policy:

  • Discord. Sign-in at checkout. Discord returns your user ID, username, and avatar hash so the order can be attributed to you.
  • Stripe. Card processing, Stripe Radar fraud scoring, and chargeback handling. Your email is sent as the receipt address. Data may be transferred to the United States under Stripe's Standard Contractual Clauses.
  • NOWPayments. Cryptocurrency invoicing and settlement.
  • Resend. Transactional email delivery (purchase confirmation and waiver record). Your email address is passed to Resend for each order.
  • Cloudflare. CDN, proxy, and DDoS/edge security in front of this site. Connection metadata (IP, user-agent, TLS fingerprint) transits Cloudflare's global network and is retained short-term for abuse mitigation. Data may be transferred to the United States under Cloudflare's Standard Contractual Clauses.
  • proxycheck.io. IP risk and proxy/VPN detection at checkout. Your IP address is sent for real-time classification to block abuse-prone traffic before an order is opened; no other personal data is shared.
  • Hosting and infrastructure. The application and database are hosted with EU-based providers wherever feasible.
  • Law enforcement or regulators. Only on a valid legal request and only to the extent strictly required.

I do not sell personal data, do not share it with advertisers, and do not build cross-site profiles.

05 How long it is kept

  • Order and invoicing records: up to 11 years, as required by applicable EU and national tax and accounting law (HGB §257). When you delete your account, these rows are preserved with personal fields nulled — your name, email, Discord username, and IP are removed; line items, amounts, and timestamps remain.
  • Fraud-prevention signals tied to an order: for the statute of limitations on chargebacks (typically 18 months), then deleted.
  • Moderation records (bans): kept under Art. 6(1)(f) GDPR (legitimate interest in preventing fraud and protecting other buyers). Account deletion does not lift an active ban.
  • Support-channel messages: for as long as Discord retains them, or until the conversation is resolved and no further follow-up is expected.
  • First-party analytics events: 90 days, then automatically deleted.
  • Server logs: 30 days by default, longer only if an active investigation requires it.

06 Your rights

Under the GDPR you have the right to:

  • Access the personal data I hold about you (Art. 15).
  • Have inaccurate data corrected (Art. 16).
  • Have data erased when it is no longer needed or you withdraw consent (Art. 17).
  • Restrict or object to processing based on legitimate interests (Art. 18, 21).
  • Receive your data in a portable, machine-readable format where technically feasible (Art. 20).
  • Lodge a complaint with your national data-protection authority. A current list of EU/EEA authorities is maintained by the EDPB at edpb.europa.eu.

To exercise any of these rights, write to [email protected] or DM me on Discord with enough detail (typically the order ID) to verify your request. I respond within one month, extendable by two where the request is complex.

07 Cookies and tracking

The site uses no advertising cookies, no third-party tracking, and no cross-site profiles. Two cookies are set directly by this site:

  • Better Auth session. A first-party session cookie issued after you sign in with Discord at checkout. Required to keep you signed in across the order flow; removed on sign-out.
  • First-party analytics session (pgtools_sid). A random identifier (no personal data, no Discord ID) set as an HttpOnly cookie so the same session can be recognised across page loads for up to one year. The client mirrors the same ID in localStorage as a fallback for when the cookie is blocked. Used only for first-party, aggregated usage metrics on this site — never shared with third parties and never used for advertising.

Stripe and NOWPayments set their own cookies on their respective payment pages for fraud prevention; those cookies are governed by the providers' own policies.

08 Security

All traffic runs over HTTPS. Sensitive payment data never touches the site's servers; it is handled end-to-end by Stripe and NOWPayments. I apply least-privilege access controls and review fraud-prevention logs regularly.

09 Changes to this policy

I update this page when a new processor is added, when retention for a category of data changes, or when the legal basis for a processing activity is adjusted. The "Last updated" date at the top always reflects the current version.

10 Contact

All privacy requests (access, correction, erasure, objection, portability) can be sent to [email protected] or by DM to 0x00 on Discord. See the support page for both channels and the usual response windows. Include enough detail (typically the order ID) for me to verify the request is yours.