Privacy Policy
Dracobyte LLC | Dracobyte | Effective April 20, 2026
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, and your rights, including rights under the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and the Children's Online Privacy Protection Act (COPPA).
1. Who We Are
Dracobyte LLC is an Illinois limited liability company that operates the Dracobyte Minecraft hosting service at https://dracobyte.pro. For the purposes of GDPR and UK GDPR, we are the "controller" of personal data collected through our website, control panel, and support channels. For data you process within a game server for your own players, you are the "controller" and we act as a "processor." See our Data Processing Addendum for those details.
2. Summary
In short, we collect only what we reasonably need to provide the Service and protect it from abuse. We do not sell personal information. We do not use advertising cookies. Our only analytics component is the Cloudflare Turnstile challenge, which we use to distinguish humans from bots. We support all applicable privacy rights and respond to verified requests free of charge.
3. Information We Collect
3.1 Information You Provide
- Account data. Username, email address, password hash, approximate location derived from IP, preferred language, and optional profile details.
- Server configuration. Names, modes, plugins, world files, and settings you configure for your Minecraft servers.
- Communications. Content of support tickets, emails, and community posts you direct to us.
- Billing data. If you make a donation or purchase a paid upgrade, our payment processor collects card details; we receive only a tokenized reference and transactional metadata.
- Parental consent records. If we receive verifiable parental consent for a child under 13, we store a record of the consent method and date as required by COPPA.
3.2 Information Collected Automatically
- Technical logs. IP address, user agent, referrer, access timestamps, HTTP status codes, and request paths.
- Server telemetry. Resource usage metrics such as CPU, memory, storage, network throughput, and player-count statistics.
- Security signals. Failed login attempts, Cloudflare Turnstile results, rate-limit events, and abuse reports.
- Cookies and similar. Strictly necessary cookies for login sessions and Cloudflare Turnstile. We do not set analytics or advertising cookies. See the Cookie Policy.
3.3 Information from Third Parties
If you link a third-party identity (for example a Minecraft account), we receive basic profile data from that provider in accordance with their privacy notices and your authorization.
3.4 Information We Do Not Collect
We do not collect biometric identifiers or biometric information as those terms are defined by the Illinois Biometric Information Privacy Act, 740 ILCS 14/10. We do not collect precise geolocation (below the level of a general region). We do not collect government-issued identification numbers unless required for a specific, disclosed purpose such as verifiable parental consent.
4. How We Use Personal Information
| Purpose | Examples | GDPR Lawful Basis |
|---|---|---|
| Provide the Service | Create your account, host your servers, authenticate you | Performance of a contract (Article 6(1)(b)) |
| Security and abuse prevention | Detect brute force, rate limit, challenge bots via Turnstile, investigate abuse reports | Legitimate interests (Article 6(1)(f)); legal obligation (Article 6(1)(c)) |
| Transactional communications | Billing notices, security alerts, incident notifications, policy updates | Performance of a contract; legal obligation |
| Compliance and enforcement | Respond to lawful requests; DMCA; CSAM reports | Legal obligation |
| Product improvement | Diagnose bugs, measure performance, plan capacity | Legitimate interests |
| Donations and paid upgrades | Process payments, issue receipts, tax recordkeeping | Performance of a contract; legal obligation |
| Children under 13 | Only after verifiable parental consent; limited to what is reasonably necessary | Consent; Article 6(1)(a); COPPA |
5. Sharing Personal Information
We share personal information only as described below and only with service providers bound to appropriate confidentiality and data protection terms:
- Hosting and infrastructure. Our data center, Cloudflare (including Turnstile), and our DNS provider, acting as processors under our instructions.
- Payment processing. Our payment processor receives the minimum data needed to process your transaction. We do not store your full card number.
- Professional advisers. Legal, accounting, and auditing professionals under confidentiality obligations.
- Legal and safety. Law enforcement, regulators, or other third parties where required by law or to protect the safety of users, the public, or the Service.
- Successors in interest. If we undergo a merger, acquisition, or asset sale, personal information may transfer subject to this Privacy Policy.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
6. International Data Transfers
The Service is operated from the United States. If you access it from outside the United States, your information will be transferred to and processed in the United States. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses as supplemented by the UK Addendum, along with technical and organizational measures, including encryption in transit and at rest. You may request a copy of the relevant transfer mechanism by emailing privacy@dracobyte.pro.
7. Retention
We retain personal information for as long as your account is active and for a reasonable period afterwards for legitimate operational, legal, or security purposes. The table below describes retention for data we hold as controller. For data you process through the Service as a controller for your own players (for example, server configuration, world data, plugin-captured player information), retention is governed by your own instructions and by Section 4 of our Data Processing Addendum, which commits to active deletion within thirty days after termination or earlier instruction, with residual copies in encrypted backups purged within ninety days through normal rotation.
| Data Category | Retention Period |
|---|---|
| Account profile | Duration of account plus 30 days |
| Server worlds and files (controller-held metadata only; processor obligations addressed in the DPA) | Duration of the server plus a 14-day grace period after termination |
| Operational snapshots of controller systems (account database, control panel) | Rolling 14 days |
| Security logs | Up to 12 months, longer if under investigation |
| Billing and tax records | 7 years, consistent with U.S. tax recordkeeping rules |
| Parental consent records (COPPA) | Until the child turns 13 plus 3 years |
| Support ticket content | 24 months |
8. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit via TLS, encryption at rest for backups where supported by the underlying storage, least-privilege access controls, multi-factor authentication for administrative access, and logging of access to sensitive systems. No system is perfectly secure; you are responsible for choosing a strong password and protecting your credentials.
9. Your Rights under GDPR and UK GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights, subject to applicable exceptions:
- Access a copy of your personal information.
- Correct inaccurate or incomplete personal information.
- Delete your personal information (the "right to be forgotten").
- Restrict or object to certain processing, including processing based on legitimate interests and direct marketing.
- Receive your personal information in a portable, machine-readable format.
- Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.
- Lodge a complaint with your supervisory authority. A list is available at the European Data Protection Board and at the UK Information Commissioner's Office.
To exercise these rights, email privacy@dracobyte.pro with enough information for us to verify your identity. We will respond within one month, extendable by two further months for complex requests.
10. Your Rights under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of recipients.
- Right to delete personal information we have collected from you, subject to statutory exceptions.
- Right to correct inaccurate personal information.
- Right to limit the use of sensitive personal information to what is necessary to perform the Service.
- Right to opt out of sale or sharing of personal information. We do not sell or share personal information as those terms are defined in the CCPA/CPRA, so there is no opt-out necessary.
- Right to non-discrimination for exercising any of these rights.
To exercise a California right, email privacy@dracobyte.pro or use the privacy request form on our website. You may use an authorized agent; we will verify the agent's authority before acting.
10.1 Notice at Collection (California)
We collect the following categories of personal information, as defined by the CCPA/CPRA: identifiers (such as username, email, IP), commercial information (such as donation history), internet or other network activity information (such as server and security logs), geolocation data (general, derived from IP), and inferences drawn from the foregoing for security and product improvement purposes only. We do not collect biometric information. We collect sensitive personal information limited to login credentials. Retention is as described in Section 7.
10.2 Other U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, New Jersey, Delaware, New Hampshire, Minnesota, Maryland, Rhode Island, and Kentucky may have rights similar to those described in Section 10 under their state's comprehensive privacy laws, including rights to access, correct, delete, and port personal data, to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects, and, where available, to appeal a denial of a rights request (for example, in Colorado and Connecticut). We extend these rights to residents of those states on the same verification standards described in Section 10. To exercise a right, email privacy@dracobyte.pro. If we deny your request, you may appeal by replying to our denial within forty-five days, and we will respond to the appeal within sixty days.
10.3 Canadian Residents (PIPEDA and Substantially Similar Provincial Law)
If you reside in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, under substantially similar provincial laws such as Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), British Columbia's Personal Information Protection Act, and Alberta's Personal Information Protection Act. These rights generally include access to and correction of your personal information, withdrawal of consent, and the ability to challenge our compliance with a federal or provincial privacy commissioner. To exercise a right, email privacy@dracobyte.pro.
10.4 Brazilian Residents (LGPD)
If you reside in Brazil, you have rights under the Lei Geral de Protecao de Dados (LGPD), Law No. 13,709/2018, including confirmation of processing, access, correction, anonymization or deletion of unnecessary or excessive data, portability, information about entities with whom data is shared, and revocation of consent. The legal bases in LGPD Article 7 and, where sensitive data is involved, Article 11 correspond closely to the GDPR lawful bases mapped in Section 4. To exercise a right, email privacy@dracobyte.pro.
11. Children (Ages 13 and Under)
The Service is used by children, including children under the age of 13. We collect personal information from a child under 13 only after receiving verifiable parental consent, and only to the extent reasonably necessary to provide the Service. Please see our Children's Privacy Notice for a complete description of the data we collect from children, the verifiable parental consent methods we accept, and how a parent may review, delete, or refuse further collection of their child's information.
12. Cloudflare Turnstile
We use Cloudflare Turnstile, a privacy-focused challenge system, to help distinguish humans from automated abuse. Turnstile processes limited device and environmental signals on your device and may issue a short-lived token to our servers. Turnstile does not, on our configuration, track you across sites or set persistent advertising identifiers. For more information see Cloudflare's privacy documentation.
13. Do Not Track; Global Privacy Control
Because we do not perform cross-context behavioral advertising, Do Not Track signals have no additional effect on our collection. Where technically feasible, we honor the Global Privacy Control signal as a California opt-out of sale and sharing, even though we do not currently sell or share.
13.1 Email Communications (CAN-SPAM, CASL)
We send transactional emails (security alerts, incident and breach notifications, billing notices, and legal notices) in reliance on performance of the contract and legitimate interests. Any commercial email we send (for example, product announcements or surveys) is designed to comply with the CAN-SPAM Act, 15 U.S.C. Sections 7701 to 7713, and with Canada's Anti-Spam Legislation (CASL) where the recipient is in Canada, including accurate sender identification, a clear labeling of commercial content, our physical mailing address, and a functioning one-click unsubscribe link honored within ten business days. Opting out of commercial email does not stop transactional emails that are required to operate your account.
14. Automated Decision-Making
We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing. Automated tools may flag activity for human review (for example, spam or abuse detection), and a human makes the final enforcement decision.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated version at https://dracobyte.pro/legal/privacy and will update the effective date at the top of this document. Material changes will be notified through the Service or by email before they take effect, consistent with applicable law.
16. Contact, Controller, and Representatives
Controller: Dracobyte LLC, Dracobyte LLC, Illinois, USA. For service of process, contact support@dracobyte.pro to obtain the current registered mailing address..
Privacy inquiries and rights requests: privacy@dracobyte.pro.
Other support: support@dracobyte.pro. Legal notices: legal@dracobyte.pro.
16.1 GDPR Article 27 Representative (EU/EEA)
We have documented an Article 27 assessment of our processing of personal data of data subjects in the European Economic Area. Based on the current posture (occasional processing, no large-scale processing of special categories, and no large-scale, regular, and systematic monitoring of data subjects), the Article 27(2)(a) derogation applies and we are not required to designate an EU Representative at this time. We revisit this assessment at least annually and whenever we materially change our processing. If the derogation ceases to apply, we will designate a Representative in the EU/EEA and update this Section. Provisional designation (if applicable): Dracobyte LLC does not currently offer the Service to residents of the European Economic Area and has not appointed a representative under GDPR Article 27. EU residents may contact support@dracobyte.pro; this notice will be updated if EU targeting changes..
16.2 UK GDPR Article 27 Representative
The same assessment process applies to processing of personal data of data subjects in the United Kingdom under UK GDPR Article 27. Where the derogation does not apply, we will designate a Representative in the UK and update this Section. Provisional designation (if applicable): Dracobyte LLC does not currently offer the Service to residents of the United Kingdom and has not appointed a representative under the UK GDPR. UK residents may contact support@dracobyte.pro; this notice will be updated if UK targeting changes..
16.3 Data Protection Officer
We have assessed our processing activities against the criteria in Article 37 of the GDPR and have determined that appointment of a Data Protection Officer is not mandatory because our core activities do not consist of large-scale, regular, and systematic monitoring of data subjects or large-scale processing of special categories of data. Privacy questions may be directed to privacy@dracobyte.pro.