1. Data Controller
The entity responsible for processing your personal data within the meaning of the GDPR (Art. 4 No. 7) is Jamie Penning, Enkhuizen, Netherlands.
Email for privacy matters: [email protected]
Full postal contact details are shared upon verified legal or regulatory request. Further legal details can be found in our Legal Notice.
2. Data We Collect and Why
We only collect personal data that is necessary to provide our service. The table below maps each category to its legal basis under Art. 6 GDPR and its retention period.
| Category | Data | Legal Basis | Retention |
|---|---|---|---|
| Account data | Name, email, Clerk user ID | Art. 6(1)(b), contract performance | Until account deletion |
| Server content | Game files, configs, plugins | Art. 6(1)(b), contract performance | Deleted after 30 days of inactivity |
| Technical logs | IP address, browser, usage logs | Art. 6(1)(f), legitimate interest for security | Up to 30 days |
| Error monitoring | Error reports, stack traces, page URL, browser/device information, performance diagnostics, console errors, and recent interaction breadcrumbs. | Art. 6(1)(f), legitimate interest in keeping the service secure, reliable, and debuggable | Usually up to 90 days in Sentry |
| Private support messages | Messages sent through support/private message tools, including account identifiers and timestamps | Art. 6(1)(f), legitimate interest for abuse prevention, fraud/security investigations, and support quality | Automatically deleted after 30 days |
| Minecraft account | Minecraft UUID, username, skin | Art. 6(1)(b), contract performance | Until account deletion or unlink |
| Analytics | Aggregated page views, Google Ads | Art. 6(1)(a), consent under GDPR and Dutch Telecommunicatiewet cookie rules | Until consent withdrawn; max 26 months |
| Payment data | Transaction records, Xsolla | Art. 6(1)(c), legal obligation under applicable EU/NL tax and accounting law | Up to 10 years where legally required |
| Optional Google Drive backup | Encrypted OAuth refresh token, linked Google email, Drive file identifiers, and backup archives | Art. 6(1)(b), contract performance for an optional feature | Until disconnected or account/server deletion |
Google Drive backups are optional. We do not access your broader Drive; we only create and rotate backup files you asked us to upload.
3. Recipients and Data Processors
We share personal data only with processors who are contractually bound by a Data Processing Agreement and provide sufficient guarantees under Art. 28 GDPR.
- Clerk: authentication and user management, USA.
- Supabase: database storage for application data, USA / EU via AWS.
- Google LLC: optional Drive backups and advertising analytics, USA.
- Sentry: error monitoring, performance diagnostics, and masked session replay for debugging, USA / Germany.
- Xsolla Inc.: payment processing for purchasing credits, USA.
- Hetzner Online GmbH: physical server infrastructure, Germany, EU.
4. International Data Transfers
Several processors are headquartered in the United States, outside the European Economic Area. For such transfers we rely on mechanisms under Chapter V GDPR, including Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
You may request more information about transfer safeguards at [email protected].
6. Minors
Our services are not intended for children under 16 without parental or guardian consent. If you are under 16, you must obtain permission from a parent or legal guardian before using SwiftServers.
7. Additional Information Under Article 13(2) GDPR
Providing personal data required during registration and service use is necessary to create and maintain your account and hosting services. Without this data, the service cannot be provided.
We do not carry out automated decision-making or profiling within the meaning of Article 22 GDPR.
8. Your Rights Under GDPR (Arts. 15-22)
You may exercise these rights free of charge by contacting [email protected]. We will respond within one month.
Right to Access (Art. 15)
Obtain a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of your data.
Right to Restriction (Art. 18)
Restrict how we process your data in certain circumstances.
Right to Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests.
Right to Withdraw Consent (Art. 7(3))
Withdraw any consent at any time without penalty.
Right to Lodge a Complaint (Art. 77)
File a complaint with a supervisory authority.
9. Security Measures
We implement appropriate technical and organizational measures as required by Art. 32 GDPR, including TLS 1.2+, encryption at rest, least-privilege access controls, regular security reviews, and Docker isolation with private networking.
10. Right to Lodge a Complaint (Art. 77 GDPR)
The competent lead supervisory authority is Autoriteit Persoonsgegevens (AP), Hoog Catharijne, Catharinasingel 2, 2511 GX Den Haag. Website: autoriteitpersoonsgegevens.nl.
You may also lodge a complaint with the supervisory authority in your EU member state of residence or place of work.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via the website or by email. The "Last updated" date always reflects the most recent version.