Privacy Policy

Last updated: 2026-05-03 · Version: 1.0

This Privacy Policy explains what personal data MineStar Network ("we", "us", "the operator") — operating from Spain — collects when you use StarChat (the "Plugin"), the website at https://starchat.minestar.me, the dashboard, the Nebula AI assistant, and any related services (collectively the "Service"). It also explains how we use that data, on what legal basis, with whom we share it, and what rights you have over it. The Service is operated from the European Union, so this policy is built around the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679).

1 · Data controller

The data controller is MineStar Network. For any privacy request you can reach us at contacto@minestar.me or via our Discord server (https://discord.gg/eXNJWeTgP5).

2 · What we collect — and why

Category	Data	Purpose	Legal basis (GDPR)	Retention
Licence verification	Licence key, server IP(s) bound to it, plugin version, server software (Paper, Purpur, Folia, Spigot), Minecraft version, concurrent player count, last-seen timestamp.	To check that the running server is entitled to the Plugin and to enforce the per-licence server limit.	Contract (Art. 6(1)(b))	While the licence is active + 12 months for fraud-defence audit.
Account / dashboard	Discord user ID, username, avatar URL, whether you're a member of our support guild. Email address if Discord shares it during OAuth.	To authenticate you, to ship licence-delivery emails, and to bind purchases to your account.	Contract (Art. 6(1)(b))	Until you delete your account, plus 30 days for backups.
Purchases	BuiltByBit purchase ID and/or Stripe checkout session ID, purchase timestamp, amount, currency. We never see card numbers — those stay with the payment processor.	To mint your licence and meet our accounting obligations.	Legal obligation (Art. 6(1)(c)) — Spanish tax/accounting law (currently 6 years).	6 years, then deleted.
Nebula AI conversations	The messages you type and our model's replies, while you are chatting. We do not persist the conversation server-side; the transcript only lives in your browser's `sessionStorage`.	To answer your questions about StarChat.	Contract (Art. 6(1)(b))	Discarded immediately after each response.
Analytics	Page path, country (from your CDN edge), coarse device class (phone/tablet/desktop), referrer. No IP, no cookies, no fingerprinting.	To understand which pages are useful and where to invest.	Legitimate interest (Art. 6(1)(f)) — minimised, no PII.	24 months, aggregated.
Error / crash reports	Stack trace, browser URL at the time of the error, request digest. We scrub emails, IPs, licence keys and tokens before they leave the server (`lib/security/scrub.ts`).	To fix the bug you just hit.	Legitimate interest (Art. 6(1)(f))	90 days, then deleted.

3 · What we explicitly do NOT collect

The chat content of your players. The Plugin's chat-logging feature, when enabled, writes logs to your own server's disk. They never travel to us.
Anything from inside the game session beyond what is needed to verify a licence (IP, software version, MC version, concurrent player count).
Card details, bank data or any financial identifier. Payment processing happens on BuiltByBit and/or Stripe; we receive a confirmation that the purchase succeeded, nothing more.
Third-party trackers. No Google Analytics, no Facebook Pixel, no advertising SDKs.

4 · Cookies

We use only first-party, strictly-necessary cookies:

Name	Purpose	Lifetime	Type
`starchat_session`	Keeps you logged into the dashboard.	7 days	HttpOnly · Secure · SameSite=Lax
`starchat_admin_session`	Keeps an admin logged into the operations console.	4 hours	HttpOnly · Secure · SameSite=Strict
`starchat_locale`	Remembers your language preference.	1 year	SameSite=Lax
`starchat_csrf`	Protects against CSRF attacks on form submissions.	24 hours	SameSite=Lax

Because these are strictly necessary to provide the service you asked for, we don't show a cookie banner — Article 5(3) of the ePrivacy Directive doesn't require one for them.

5 · Where the data goes

We keep your data inside the European Economic Area as much as possible. Some processors are unavoidable for the service to work:

Discord (USA, GDPR-adequate via Standard Contractual Clauses) — when you sign in with Discord OAuth.
BuiltByBit (United Kingdom) — when you buy the Plugin via the BBB marketplace.
Stripe (Ireland, Stripe Payments Europe Ltd.) — if you choose direct card checkout (when enabled).
Resend (USA, GDPR-adequate via SCCs) — for transactional email delivery (licence keys, expiry warnings).
Cloudflare (Ireland) — CDN and DDoS shielding in front of the website.
Pterodactyl host (server provider) — for hosting the website and licence backend itself.

We never sell, rent or share your personal data with anyone for their own marketing.

6 · Your rights under GDPR

You have the right to:

Access the personal data we hold about you.
Rectify it if it's wrong.
Erase it, subject to legal retention obligations (e.g. accounting records).
Restrict or object to processing.
Port your data to another service (we'll provide JSON).
Withdraw consent at any time, where consent was the basis (it isn't, for the categories above).
Lodge a complaint with the Spanish data protection authority — Agencia Española de Protección de Datos (www.aepd.es) — or your local supervisor.

To exercise any of the above, email contacto@minestar.me with "Privacy request" in the subject line. We respond within 30 days. We may ask for proof you control the Discord ID or licence key in question.

7 · Children

The Service is not directed at children under 16. We don't knowingly collect personal data from anyone under 16. If you believe a minor has signed in, contact us and we'll erase the account.

8 · Security

Sessions are HMAC-SHA256 signed with a 32-character production secret. Admin passwords are stored as PBKDF2-SHA256 (100k rounds, 16-byte salt). Webhook signatures are verified using timing-safe comparison. All cookies are HttpOnly + Secure in production. Requests run behind Cloudflare with strict CSP, frame-ancestors deny, and rate limiting on every sensitive endpoint. Despite this, no system is unbreakable; if you ever suspect a breach affected your data, tell us at contacto@minestar.me — we'll investigate within 72 hours and notify the AEPD if required.

9 · Changes to this policy

If we update this policy in a way that materially affects your rights, we'll show an in-app notice the next time you visit the dashboard, and we'll bump the "Last updated" stamp at the top. Substantive changes are also posted in our Discord #announcements channel.

10 · Contact

Privacy questions: contacto@minestar.me. General support: https://discord.gg/eXNJWeTgP5.