PRIVACY NOTICE FOR CUSTOMERS
Thunderstore respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we collect, process, and share your personal data when you use our websites such as https://thunderstore.io/ or the Thunderstore Mod Manager desktop application.
SUMMARY
Thunderstore is primarily interested in collecting data which directly enables functionality of the platform (such as mod uploads or login details). We also take great care in ensuring no personal data of our users (such as the associated GitHub or Discord user details) is exposed to the public without the user explicitly requesting such information to be made public first.
Additionally to the above, we also collect some logs and usage metrics in order to ensure the quality of the service. These logs and metrics are generally anonymous but might sometimes contain information such as the IP address that was used to connect to our servers or in rare cases some more specific details (e.g. in an error report related to an action failing for a specific user).
Finally, the advertisers and technology vendors Thunderstore works with may collect data about the users of the platform. How and what exactly is being collected varies depending on the advertiser or technology vendor, but generally you can expect at least basic metadata associated with your HTTP requests to be included (for example, IP addresses and cookies applicable to the domain being browsed). It would be wrong to say Thunderstore collects or processes this data directly, but regardless we do provide the avenue for the data collection to potentially occur by allowing our ad vendors to embed ads on the platform ( NitroPay, Overwolf) or routing our traffic through them (Cloudflare, DigitalOcean, GCore, New Relic).
In a nutshell, you can expect Thunderstore to take great care handling any personal data we collect about you directly (e.g. login data) while also acknowledging the browsing activity taking place on our website and mod manager is, to a limited extent, visible to the applicable technology vendors & advertisers.
TABLE OF CONTENTS
- DATA WE COLLECT AND HOW WE COLLECT IT
- THE PURPOSES AND THE LAWFUL BASIS
- WHO IS DATA CONTROLLER?
- SHARING OF DATA COLLECTED
- TRANSFER TO THIRD COUNTRIES
- DATA RETENTION
- HOW TO EXERCISE YOUR DATA PROTECTION RIGHTS
- CHANGES TO THIS PRIVACY NOTICE
1. DATA WE COLLECT AND HOW WE COLLECT IT
In the following, we will tell you which types of personal data we may collect about you and how we collect it. In section 3, you will find a table which explains the purposes for which we process your personal data and the lawful basis we rely on.
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- (A) Identity and Contact Data includes your username, email and possible other data associated with our Authentication Providers (e.g. Discord, GitHub or Overwolf)
- (B) Technical Data includes IP addresses, your login data, browser type and version, time zone setting and location, operating system and platform and other technology on the devices you use to access this website.
- (C) Usage Data include information about how you use and interact with our website, e.g., your downloads on our website and content you create to our website.
In most situations the information is collected directly from you when you visit our website or as you interact with our website or services, we may automatically collect Technical Data and Usage Data about your equipment and browsing actions and patterns. We collect this information by using cookies and similar technologies. We will only apply cookies – other than strictly necessary technical cookies – if you have provided your consent. Please see more information on the cookies we use on our website below.
2. THE PURPOSES AND THE LAWFUL BASIS
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- (i) Where we need to perform a contract which we are about to enter into or have entered into with you cf. Article 6(1)(b) GDPR.
- (ii) Where you have provided your consent cf. Article 6(1)(a) GDPR or Article 9(2)(a) GDPR.
- (iii) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests cf. Article 6(1)(f) GDPR.
In the table below we describe all the purposes for which we will use your personal data, and the legal basis on which we process your personal data. Where appropriate, we have also identified our legitimate interests are.
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
| To enable you to create an account, login and communicate in our services | (A) Identity and Contact | Where we need to perform a contract which we are about to enter or have entered into with you cf. Article 6(1)(b) GDPR. |
| To enable you to access and interact with our website (Thunderstore.io) | (B) Technical | Processing is necessary for our legitimate interest to provide you access to our website. |
| To access and manage the content you post on our website, including removing illegal, harmful and abusive content. | (C) Usage | Processing is necessary for our legitimate interest to provide you a safe service and to abide by our Terms of Services. |
| To administer and protect our business and website (including troubleshooting, data analysis, testing and system maintenance) | (A) Identity and Contact, (B) Technical, (C) Usage | Processing is necessary for our legitimate interests for running our business, provision of administration and IT services, network security and to prevent fraud. |
| To use data analytics to improve our website, products/services, your experience, marketing, customer relationships and experiences as well as business practises. | (B) Technical, (C) Usage | Processing is necessary for our legitimate interests to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to improve our marketing strategy. |
We will only apply cookies – other than strictly necessary technical cookies - if you have provided your consent. To the extent that we have referred to our legitimate interest as the legal basis for the processing of personal data specified above, we have conducted a balancing test for those interests to ensure that our interest is not overridden by your interests or fundamental rights and freedoms. Please contact us by email at privacy@thunderstore.io if you wish to receive more information on the balancing test.
3. WHO IS DATA CONTROLLER?
The data controller for the processing described in this notice is: Riskidev Oy
If you have questions regarding this Privacy Notice, please contact us by email at privacy@thunderstore.io.
If you visit our pages or communicate or otherwise interact with us on social media such as Discord or other platforms, please make sure to consult the specific privacy notices presented on such social media platforms. You should be aware that sometimes we may have a joint controllership with the publisher of the social media platform in question.
4. OTHERS THAT PROCESS YOUR DATA
We may disclose personal data to the following third parties:
- To our Authentication Providers when you sign up to our website using your account in their services.
- Sentry.io (https://sentry.io/privacy/) provides us an error logging system.
- To any person or entity that acquires all or substantially all our business, stock or assets, or with whom we merge.
- When we in good faith believe that disclosure is necessary to establish or exercise our legal rights or defend against legal claims, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Advertising providers NitroPay and Overwolf also use our website or desktop application to collect information on you through cookies. We do not directly provide this information to them, but we allow them to access the data on our website for ad setting purposes. To collect your data for analytics and targeting purposes through consent. You can read more of their personal data processing action front their privacy notices: https://nitropay.com/privacy (Nitropay) and https://www.overwolf.com/legal/privacy/ (Overwolf).
Additionally, we use the services of content delivery network (“CDN”) providers Cloudfare and GCore, who can similarly collect and retain your personal data, for example to retain access logs. We do not directly provide this information to them, but we allow them to access and collect the data. You can read more about the privacy practises of our CDN providers here: https://www.cloudflare.com/privacypolicy/ (Cloudfare) and https://gcore.com/legal (Gcore).
We use DigitalOcean to host our servers. Please read their privacy policy here: https://www.digitalocean.com/legal/privacy-policy.
5. TRANSFERS TO THIRD COUNTRIES
We will not transfer your personal data to recipients outside the EU or EEA unless we have ensured compliance with Chapter V of the GDPR.
Some of our third-party service providers or providers that have access to your data are established outside the EEA, so their processing of your personal data will involve transferring data outside the EEA. However, to ensure that your personal data receive an adequate level of protection, we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission have deemed the country to provide an adequate level of protection for personal data, or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in the EEA.
We use the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914). The clauses can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
If you require further information about our data processors established outside the EEA and the safety measures in place to allow for the transfer of personal data, you can request it from us by sending your request to us by email at privacy@thunderstore.io.
6. DATA RETENTION
We retain the personal data we collect where we have an ongoing legitimate need or obligation to do so. When we have no ongoing legitimate need to process your personal data, we will either delete or anonymise them.
Identity and Contact Data is saved to demonstrate the agreement we have/have had. Information is deleted when you delete your account from our services.
Technical and Usage Data will be retained for up to thirty (30) days from the collection of data.
Data may be retained for longer period if we are legally obliged to do so or if retention is necessary to establish, exercise or defend legal claims.
7. HOW TO EXERCISE YOUR DATA PROTECTION RIGHTS
You have certain choices available to you when it comes to your personal information. Below is a summary of those choices, how to exercise them and any limitations.
Under certain circumstances, you have the following rights:
- Right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are processing data lawfully.
- Right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected. Please note that the law may prohibit that we delete entries in certain cases, for example medical records.
- Right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it.
- Right to object to processing of your personal data where we are relying on our legitimate interest (or that of a third party) as a legal basis for processing and there is something about your particular situation which makes you want to object to processing. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Right to request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish accuracy of the data or the reason for processing the data.
- Right to request that we transmit your personal data to another party (also known as data portability).
- Where our processing is solely based on your specific consent, the right to with-draw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
If you wish to exercise any of the data protection rights that are available to you, please send your request to us by email at privacy@thunderstore.io and we will action your request in accordance with applicable data protection laws. You have the right to complain to your local data protection authority if you are unhappy with our data protection practices. In Finland you can lodge a complaint with the Office of the Data Protection Ombudsman at https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman.
8. CHANGES TO THIS PRIVACY POLICY
This Privacy Policy may be updated from time to time to reflect changing legal, regulatory, or operational requirements. We encourage you to periodically consult our website for the latest information on our privacy practices. If there are any material changes to this privacy notice, and you are a registered customer with a verified email address, you will be notified by email prior to the change becoming effective.