Legal

Privacy Policy

Last updated: April 7, 2026 · Applies to all users of PhantomAC services

Short version: We collect only what we need to provide the service. We don't sell your data. We don't share it with advertisers. You can request deletion at any time.

1. Who We Are

PhantomAC ("we", "us", "our") operates the PhantomAC website and provides the PhantomAC Minecraft client software. We are the data controller responsible for your personal data.

For privacy-related enquiries, contact us via our Discord server.

2. What Data We Collect

We collect the following categories of personal data:

Data Type	What We Collect	Why
Account Data	Username, email address, hashed password	Account creation and authentication
Payment Data	Transaction ID, Stripe customer ID, purchase plan, amount	Processing payments and managing subscriptions
License Data	License key, Hardware ID (HWID), activation date, expiry date	Software licensing and anti-piracy protection
Technical Data	IP address (at login/registration), browser type, device type	Security, fraud prevention, and service delivery
Communication Data	Emails we send you (verification, license delivery)	Account verification and purchase confirmation

We do NOT collect: Full payment card details (handled by Stripe), your Minecraft account credentials, gameplay data, screenshots, or any data from within the game client itself.

3. How We Collect Data

We collect data through:

Account registration: When you create an account on our website
Purchase: When you complete a payment via Stripe Checkout
Client activation: When you first launch the PhantomAC client (HWID collection)
Website usage: Basic technical data via server logs when you visit our website
Email verification: When you verify your email address

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process your personal data under the following legal bases:

Contract performance: Processing necessary to deliver the software and manage your subscription (account data, payment data, license data)
Legitimate interests: Fraud prevention, security, and anti-piracy measures (HWID locking, IP logging)
Legal obligation: Retaining transaction records as required by applicable tax and commercial law
Consent: Sending you email communications beyond transactional emails (you may withdraw at any time)

5. How We Use Your Data

We use your data exclusively for the following purposes:

Creating and managing your account
Processing payments and managing your subscription status
Generating and delivering your license key via email
Verifying your email address
Enforcing HWID locking to prevent license sharing
Responding to your support requests
Detecting and preventing fraud or Terms of Service violations
Complying with legal obligations

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data only with the following trusted third-party services, strictly to operate our service:

Service	Purpose	Data Shared
Stripe	Payment processing	Email, payment details (their servers, not ours)
Resend	Transactional email delivery	Email address, username, license key
Railway	Server and database hosting	All data stored in our database

All third-party providers are contractually bound to process your data only as instructed by us and in compliance with applicable data protection laws.

7. Hardware ID (HWID) Data

Our software collects a Hardware ID (HWID) — a unique fingerprint generated from your computer's hardware components — upon first launch. This data is used solely to bind your license to your device and prevent unauthorized sharing.

Your HWID is stored encrypted in our database
It is never shared with third parties
You can reset your HWID binding via your dashboard using reset tokens
HWID data is deleted when your account is deleted

8. Data Retention

We retain your data for the following periods:

Account data: Until you request account deletion, plus 30 days for recovery purposes
Payment records: 7 years (required by EU tax regulations)
License data: Until account deletion
Server logs (IP addresses): 30 days, then automatically deleted
Email verification codes: 15 minutes, then automatically deleted

9. Your Rights (GDPR)

If you are located in the EEA, you have the following rights regarding your personal data:

Right of access: Request a copy of all data we hold about you
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your account and associated data
Right to portability: Request your data in a machine-readable format
Right to restrict processing: Request we limit how we use your data
Right to object: Object to processing based on legitimate interests
Right to withdraw consent: Withdraw consent for any consent-based processing at any time

To exercise any of these rights, contact us via Discord. We will respond within 30 days. Note that some rights are subject to limitations — for example, we must retain payment records for legal reasons even if you request deletion.

10. Data Security

We take the security of your data seriously and implement the following measures:

Passwords are hashed using bcrypt with a strong work factor — we never store plaintext passwords
All data is transmitted over HTTPS/TLS encryption
Database access is restricted to our application server only
Authentication tokens (JWT) expire after 7 days
Payment card data is never processed by or stored on our servers — handled entirely by Stripe

While we implement industry-standard security measures, no system is 100% secure. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

11. Cookies

Our website uses only essential cookies required for the service to function:

Authentication cookie: Keeps you logged into your account (expires after 7 days)
Cookie consent: Remembers your cookie preference (stored in localStorage)

We do not use tracking cookies, advertising cookies, or any third-party analytics that place cookies on your device. You can disable cookies in your browser settings, but this will prevent you from staying logged into your account.

12. Children's Privacy

PhantomAC is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us immediately and we will take steps to delete that information.

13. International Data Transfers

Our servers are hosted on Railway's infrastructure, which may be located outside the EEA. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page and notify users via email where required. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

15. Contact & Complaints

For any privacy-related questions, data requests, or complaints, please contact us via our Discord server.

If you are located in the EEA and are unhappy with how we handle your data, you have the right to lodge a complaint with your local data protection authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).