Privacy Policy
Last updated May 2, 2026
TL;DR
- We collect only what we need to run the platform: no advertising trackers, no selling your data.
- Your username, UUID, rankings, and battle history are publicly visible by design.
- Your email and password are private and never shared with server operators.
- You can request a data export or account deletion at any time by emailing support@pvpindex.com.
- We are GDPR-aware and will respond to rights requests within 30 days.
This Privacy Policy describes how Gyvex ("we", "us", or "our") collects, uses, and shares personal data when you use PvPIndex (the "Service"). It applies to the website at pvpindex.com, the public API, and all related services. It should be read alongside our Terms of Service.
1. Data We Collect
Account information. Email address, username, and bcrypt-hashed password when you register. Optionally, a display name and avatar if you update your profile.
Minecraft identity. When you complete the claim flow, your Minecraft UUID and username are stored and linked to your account.
Battle & ranking data. Battle records (participants, outcomes, timestamps, server, game mode) submitted by verified servers form the core dataset of the platform. This data is public.
User-generated content. Forum posts, replies, dispute comments, and server application messages are stored and associated with your account.
Technical & usage data. IP addresses, HTTP user-agent strings, request timestamps, and error logs collected for security, abuse prevention, and debugging. API rate-limit counters are stored in Redis with a rolling window. Logs are retained for up to 90 days.
Authentication tokens. Sanctum Bearer tokens are issued on login and stored hashed in the database. The plaintext token is stored in your browser's local storage. We do not use session cookies for authentication.
Two-factor authentication data. If you enable 2FA, we store your encrypted TOTP secret and a set of one-time recovery codes (hashed) in your account record.
Analytics data. We use Google Analytics 4 (GA4) and Google Tag Manager (GTM) to collect anonymised usage statistics, including page views, navigation paths, session duration, and general geographic region (country-level). IP addresses are anonymised before being sent to Google. We do not enable Google Signals or cross-site advertising features. Data collected via GA4 and GTM is processed by Google in accordance with Google's privacy policy at policies.google.com/privacy.
2. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:
- Contract performance: processing your account data, battle records, and rankings to deliver the Service you signed up for.
- Legitimate interests: logging technical data and enforcing anti-abuse rules to keep the platform safe and fair. Our interests do not override your fundamental rights.
- Legal obligation: retaining data where required by applicable law.
- Consent: sending non-transactional communications, if you opt in. You may withdraw consent at any time.
3. How We Use Your Data
We use the data we collect to:
- Provide, operate, and improve the Service and its core features (leaderboards, battle history, player profiles).
- Authenticate your identity and protect your account.
- Calculate, display, and archive ELO rankings and season standings.
- Detect and prevent fraud, rank manipulation, ban evasion, and other abuse.
- Resolve disputes and support moderation decisions.
- Send transactional emails (e.g. password reset, security alerts). We do not send marketing emails without your explicit consent.
- Analyse aggregate usage patterns to improve performance and feature decisions. This analysis uses anonymised or aggregated data only.
5. Data Retention
We retain data for as long as necessary to provide the Service and meet our legal obligations.
- Account data (email, password hash): retained while your account is active; deleted within 30 days of account deletion.
- Battle & ranking records: retained indefinitely as part of the platform's historical ledger. Your username within those records may be anonymised on account deletion.
- User-generated content: retained while your account is active or until you request deletion of specific content.
- Technical logs: rolling 90-day window; automatically purged.
- Audit logs: retained for up to 2 years for platform integrity and moderation accountability.
6. International Data Transfers
Gyvex operates infrastructure within the European Economic Area (EEA). If you access the Service from outside the EEA, your data is processed in EEA data centres.
If we engage infrastructure providers located outside the EEA, we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) or an adequacy decision, before transferring your personal data.
7. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your account and associated personal data, subject to retention obligations and the battle-record integrity note above.
- Portability: receive your personal data in a structured, machine-readable format (JSON or CSV).
- Restriction: request that we restrict processing of your data in certain circumstances.
- Objection: object to processing based on legitimate interests, including profiling.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any right, email support@pvpindex.com. We will respond within 30 days. We may need to verify your identity before acting on a request. You also have the right to lodge a complaint with your local supervisory authority (in the Netherlands: the Autoriteit Persoonsgegevens).
8. Security
We implement technical and organisational measures to protect your data, including:
- TLS encryption for all data in transit.
- bcrypt password hashing with a cost factor of ≥12.
- HMAC-SHA256 signing of battle payloads to detect tampering in transit.
- Rate limiting on authentication, registration, and API endpoints.
- Role-based access control limiting internal access to personal data.
- Automated anti-cheat scanning to detect anomalous data patterns.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay and, where required, notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
Notifications will be sent to the email address on your account and posted as a notice on the platform if the breach affects a large number of users.
10. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe we have collected data from a child under 13 without your consent, contact us at support@pvpindex.com and we will delete it promptly.
11. Third-Party Links & Ads
The Service may contain links to third-party websites (e.g. GitHub, Discord, server operator pages). We are not responsible for the privacy practices of those sites. This policy applies only to data collected by Gyvex.
Ad slots on hub.pvpindex.com are served by Gyvex's own first-party ad system. We do not use third-party ad networks or cross-site tracking for advertising. Advertisers receive only aggregate impression and click statistics, never individual user identities.
Analytics tools. We use Google Analytics 4 and Google Tag Manager to understand aggregate usage patterns on the Service. These tools may set cookies or use similar technologies on your device. If you wish to opt out of Google Analytics measurement, you can install the Google Analytics opt-out browser add-on.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes we will provide at least 14 days' notice by posting a notice on the Service or sending an email to your account address. The "Last updated" date at the top of this page always reflects the most recent revision.
13. Contact & Data Protection
For privacy-related questions, rights requests, or concerns, contact our data protection point of contact:
Gyvex, PvPIndex Privacy
General support enquiries: support@pvpindex.com.