Privacy Policy

Alexander Sadomsky c/o IP-Management #42121 Ludwig-Erhard-Str. 18 20459 Hamburg, Germany Email: [email protected] If you have any questions regarding data protection, please contact us at the address above.

We take the protection of your personal data seriously. This privacy policy explains what personal data we collect when you visit the XPXO Network websites (xpxo.tv, xpxo.me, xpxo.io, xpxo.cloud, xpxo.info, xpxo.tech, xpxo.site, xpxo.online, and associated subdomains), how we process it, what it is used for, and what rights you have under the EU General Data Protection Regulation (GDPR / DSGVO) and the German Bundesdatenschutzgesetz (BDSG).

The XPXO Network is hosted on a self-managed dedicated Linux server located in Germany (Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany). When you access our websites, the web server automatically records the following data in server log files:

• IP address (pseudonymised / truncated after 7 days)
• Date and time of the request
• Requested URL and referrer URL
• HTTP status code and transferred data volume
• Browser type, version, and operating system
• Protocol (HTTP/HTTPS)

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in the security, stability, and error-free operation of the website. Log files are automatically and irreversibly deleted after 14 days. No log data is passed to third parties except where legally required.

We use NextAuth.js as our authentication framework. Users may create an account or sign in using any of the following OAuth 2.0 providers. You may link multiple providers to a single XPXO account.

On the xpxo.me/settings page, authenticated users can:

• View and change their display name and profile picture
• View the email address associated with their account
• Link additional OAuth providers to their existing account
• Disconnect linked OAuth providers (subject to keeping at least one authentication method)
• Request deletion of their account

Changes made on the settings page are processed based on Art. 6(1)(b) GDPR (contract performance / account management). When you link an additional OAuth provider, we store the same data points as described in Section 5. Disconnecting a provider removes the corresponding entry from our database.

When you create an XPXO account, the following platform-specific data is generated and stored exclusively on our own servers:

• X-Coins (virtual XPXO currency) — earned through platform activities; not redeemable for real money
• Experience Points (XP) and Level — progression tracking
• Leaderboard rankings — competitive standings
• Quest progress and achievement history

This data is NOT transmitted to any OAuth provider (Twitch, Google, Discord, GitHub) and NOT stored on their infrastructure. Legal basis: Art. 6(1)(b) GDPR (performance of the user account contract). This data is deleted upon account deletion.

We use the Cloudflare CF-IPCountry header to detect your approximate country of origin in order to display the website in your language (DE/EN). This header is derived by Cloudflare from your IP address and provided to us as a two-letter country code — we do not receive or store the underlying IP address from Cloudflare for this purpose. Your language preference is subsequently stored in a cookie ("lang") on your device. No precise geolocation takes place. Legal basis: Art. 6(1)(f) GDPR.

We use Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) as our Content Delivery Network (CDN) and DDoS protection service. All traffic to our websites passes through Cloudflare's network before reaching our server. Cloudflare processes technical data (including IP addresses) to deliver content efficiently and to protect against attacks. Cloudflare is certified under the EU-U.S. Data Privacy Framework (https://www.privacyshield.gov/). An adequacy decision under Art. 45 GDPR and Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR are in place. Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/ Legal basis: Art. 6(1)(f) GDPR — legitimate interest in website security, performance, and availability.

We use a self-hosted Redis instance (on the same server as described in Section 3) to store short-lived SSO session tokens. These tokens contain a reference to your user ID and a session hash. They are:

• Never stored in plaintext on disk
• Automatically expired after 30 days
• Not accessible outside the server's internal Docker network

Legal basis: Art. 6(1)(b) GDPR (session management for account functionality).

Some of the third-party services we use are headquartered in the United States. Data transfers to the USA are covered by:

• EU-U.S. Data Privacy Framework (Cloudflare, Google)
• Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR (Discord, GitHub)
• Adequacy decision or SCC (Twitch / Amazon)

All data transfers to third countries are made only to the extent necessary to provide authentication functionality and are based on Art. 49(1)(b) GDPR where no adequacy decision exists.

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, destruction, alteration, and unauthorised access or disclosure:

• TLS 1.3 encryption (HTTPS) for all data in transit — enforced by Caddy web server with HSTS
• SSH key-based server access with firewall (UFW) — password authentication disabled
• All application containers run in isolated Docker environments on a private internal network
• PostgreSQL database accessible only within the internal Docker network
• Redis session store not exposed to the internet
• Regular automated server security updates

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:

• Server log files: 14 days (automatic deletion)
• Cookie consent preference: Until cleared by the user
• Authentication session (SSO token): 30 days or until logout
• User account data (name, avatar, email, gamification data): Until account deletion
• OAuth provider link data (user_integrations): Until provider is disconnected or account is deleted
• Deleted account data: Immediately purged from the database upon deletion request; backups overwritten within 14 days

As a data subject under GDPR, you have the following rights, exercisable at any time by contacting us at [email protected]:

• Right of access (Art. 15 GDPR) — obtain a copy of your stored personal data
• Right to rectification (Art. 16 GDPR) — correct inaccurate or incomplete data
• Right to erasure / "right to be forgotten" (Art. 17 GDPR) — request deletion of your personal data
• Right to restriction of processing (Art. 18 GDPR) — restrict how we use your data
• Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format
• Right to object (Art. 21 GDPR) — object to processing based on legitimate interest
• Right to withdraw consent (Art. 7(3) GDPR) — withdraw any consent given at any time without affecting the lawfulness of prior processing
• Right not to be subject to automated decision-making (Art. 22 GDPR) — we do not use fully automated decision-making with legal effect

We will respond to your request within one month (Art. 12(3) GDPR). In complex cases this period may be extended by a further two months, of which you will be informed.

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR (Art. 77 GDPR). The competent supervisory authority for Hamburg, Germany is: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany Tel.: +49 40 / 4 28 54 – 4040 https://datenschutz-hamburg.de You may also contact the supervisory authority of your place of residence within the EU.

We reserve the right to update this privacy policy to reflect changes in our data processing practices, legal requirements, or new features. In the event of material changes, we will notify registered users via email or a prominent notice on the website. The date at the top of this page indicates when this policy was last revised. We recommend reviewing this policy periodically.