Thunderstore Privacy Policy

PRIVACY NOTICE FOR CUSTOMERS

Thunderstore respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we collect, process, and share your personal data when you use our websites such as https://thunderstore.io/ or the Thunderstore Mod Manager desktop application.

SUMMARY

Thunderstore is primarily interested in collecting data which directly enables functionality of the platform (such as mod uploads or login details). We also take great care in ensuring no personal data of our users (such as the associated GitHub or Discord user details) is exposed to the public without the user explicitly requesting such information to be made public first.

Additionally to the above, we also collect some logs and usage metrics in order to ensure the quality of the service. These logs and metrics are generally anonymous but might sometimes contain information such as the IP address that was used to connect to our servers or in rare cases some more specific details (e.g. in an error report related to an action failing for a specific user).

Finally, the advertisers and technology vendors Thunderstore works with may collect data about the users of the platform. How and what exactly is being collected varies depending on the advertiser or technology vendor, but generally you can expect at least basic metadata associated with your HTTP requests to be included (for example, IP addresses and cookies applicable to the domain being browsed). It would be wrong to say Thunderstore collects or processes this data directly, but regardless we do provide the avenue for the data collection to potentially occur by allowing our ad vendors to embed ads on the platform ( NitroPay, Overwolf) or routing our traffic through them (Cloudflare, DigitalOcean, GCore, New Relic).

In a nutshell, you can expect Thunderstore to take great care handling any personal data we collect about you directly (e.g. login data) while also acknowledging the browsing activity taking place on our website and mod manager is, to a limited extent, visible to the applicable technology vendors & advertisers.

TABLE OF CONTENTS

  1. DATA WE COLLECT AND HOW WE COLLECT IT
  2. THE PURPOSES AND THE LAWFUL BASIS
  3. WHO IS DATA CONTROLLER?
  4. SHARING OF DATA COLLECTED
  5. TRANSFER TO THIRD COUNTRIES
  6. DATA RETENTION
  7. HOW TO EXERCISE YOUR DATA PROTECTION RIGHTS
  8. CHANGES TO THIS PRIVACY NOTICE

1. DATA WE COLLECT AND HOW WE COLLECT IT

In the following, we will tell you which types of personal data we may collect about you and how we collect it. In section 3, you will find a table which explains the purposes for which we process your personal data and the lawful basis we rely on.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

In most situations the information is collected directly from you when you visit our website or as you interact with our website or services, we may automatically collect Technical Data and Usage Data about your equipment and browsing actions and patterns. We collect this information by using cookies and similar technologies. We will only apply cookies – other than strictly necessary technical cookies – if you have provided your consent. Please see more information on the cookies we use on our website below.

2. THE PURPOSES AND THE LAWFUL BASIS

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

In the table below we describe all the purposes for which we will use your personal data, and the legal basis on which we process your personal data. Where appropriate, we have also identified our legitimate interests are.

Purpose/ActivityType of dataLawful basis for processing including basis of legitimate interest
To enable you to create an account, login and communicate in our services(A) Identity and ContactWhere we need to perform a contract which we are about to enter or have entered into with you cf. Article 6(1)(b) GDPR.
To enable you to access and interact with our website (Thunderstore.io)(B) TechnicalProcessing is necessary for our legitimate interest to provide you access to our website.
To access and manage the content you post on our website, including removing illegal, harmful and abusive content.(C) UsageProcessing is necessary for our legitimate interest to provide you a safe service and to abide by our Terms of Services.
To administer and protect our business and website (including troubleshooting, data analysis, testing and system maintenance)(A) Identity and Contact, (B) Technical, (C) UsageProcessing is necessary for our legitimate interests for running our business, provision of administration and IT services, network security and to prevent fraud.
To use data analytics to improve our website, products/services, your experience, marketing, customer relationships and experiences as well as business practises.(B) Technical, (C) UsageProcessing is necessary for our legitimate interests to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to improve our marketing strategy.

We will only apply cookies – other than strictly necessary technical cookies - if you have provided your consent. To the extent that we have referred to our legitimate interest as the legal basis for the processing of personal data specified above, we have conducted a balancing test for those interests to ensure that our interest is not overridden by your interests or fundamental rights and freedoms. Please contact us by email at privacy@thunderstore.io if you wish to receive more information on the balancing test.

3. WHO IS DATA CONTROLLER?

The data controller for the processing described in this notice is: Riskidev Oy

If you have questions regarding this Privacy Notice, please contact us by email at privacy@thunderstore.io.

If you visit our pages or communicate or otherwise interact with us on social media such as Discord or other platforms, please make sure to consult the specific privacy notices presented on such social media platforms. You should be aware that sometimes we may have a joint controllership with the publisher of the social media platform in question.

4. OTHERS THAT PROCESS YOUR DATA

We may disclose personal data to the following third parties:

Advertising providers NitroPay and Overwolf also use our website or desktop application to collect information on you through cookies. We do not directly provide this information to them, but we allow them to access the data on our website for ad setting purposes. To collect your data for analytics and targeting purposes through consent. You can read more of their personal data processing action front their privacy notices: https://nitropay.com/privacy (Nitropay) and https://www.overwolf.com/legal/privacy/ (Overwolf).

Additionally, we use the services of content delivery network (“CDN”) providers Cloudfare and GCore, who can similarly collect and retain your personal data, for example to retain access logs. We do not directly provide this information to them, but we allow them to access and collect the data. You can read more about the privacy practises of our CDN providers here: https://www.cloudflare.com/privacypolicy/ (Cloudfare) and https://gcore.com/legal (Gcore).

We use DigitalOcean to host our servers. Please read their privacy policy here: https://www.digitalocean.com/legal/privacy-policy.

5. TRANSFERS TO THIRD COUNTRIES

We will not transfer your personal data to recipients outside the EU or EEA unless we have ensured compliance with Chapter V of the GDPR.

Some of our third-party service providers or providers that have access to your data are established outside the EEA, so their processing of your personal data will involve transferring data outside the EEA. However, to ensure that your personal data receive an adequate level of protection, we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission have deemed the country to provide an adequate level of protection for personal data, or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in the EEA.

We use the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914). The clauses can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.

If you require further information about our data processors established outside the EEA and the safety measures in place to allow for the transfer of personal data, you can request it from us by sending your request to us by email at privacy@thunderstore.io.

6. DATA RETENTION

We retain the personal data we collect where we have an ongoing legitimate need or obligation to do so. When we have no ongoing legitimate need to process your personal data, we will either delete or anonymise them.

Identity and Contact Data is saved to demonstrate the agreement we have/have had. Information is deleted when you delete your account from our services.

Technical and Usage Data will be retained for up to thirty (30) days from the collection of data.

Data may be retained for longer period if we are legally obliged to do so or if retention is necessary to establish, exercise or defend legal claims.

7. HOW TO EXERCISE YOUR DATA PROTECTION RIGHTS

You have certain choices available to you when it comes to your personal information. Below is a summary of those choices, how to exercise them and any limitations.

Under certain circumstances, you have the following rights:

If you wish to exercise any of the data protection rights that are available to you, please send your request to us by email at privacy@thunderstore.io and we will action your request in accordance with applicable data protection laws. You have the right to complain to your local data protection authority if you are unhappy with our data protection practices. In Finland you can lodge a complaint with the Office of the Data Protection Ombudsman at https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman.

8. CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may be updated from time to time to reflect changing legal, regulatory, or operational requirements. We encourage you to periodically consult our website for the latest information on our privacy practices. If there are any material changes to this privacy notice, and you are a registered customer with a verified email address, you will be notified by email prior to the change becoming effective.