Privacy Policy
1. Controller
Gonzi Tech UG (haftungsbeschränkt)
An der Mannsfaust 10
60599 Frankfurt am Main, Germany
Email: kontakt@gonzi.tech
Phone: +49 69 247422680
Managing Director: David Joswig
2. Overview
RCONductor ("Service") is a SaaS platform by Gonzi Tech UG (haftungsbeschränkt) for managing FiveM and RedM game servers via Discord. This privacy policy explains how we collect, use, and protect your personal data when you use our website (rconductor.app) and our services.
3. Data We Collect
3.1 Discord OAuth2 Data
When you log in via Discord, we receive the following data from Discord:
- Discord User ID
- Username and avatar
- Email address (for account identification)
- Guild (server) memberships and roles
Legal basis: Art. 6(1)(b) GDPR – necessary for the performance of a contract.
3.2 Payment Data
Payments are processed by Stripe, Inc. We do not store full credit card numbers. Stripe processes your payment data under their own privacy policy. We receive and store:
- Stripe Customer ID
- Subscription status and plan tier
- Invoice history
Legal basis: Art. 6(1)(b) GDPR – necessary for billing and subscription management.
3.3 Server Configuration Data
To provide the service, we store:
- RCON connection credentials (encrypted at rest with AES-256)
- Command permissions and role mappings
- Event mappings and panel configurations
- Audit logs of actions performed through the bot
Legal basis: Art. 6(1)(b) GDPR – necessary for service delivery.
3.4 Analytics Data
If analytics is enabled for your server, we collect aggregated player count data (no individual player data). This data is used solely to display server statistics within the dashboard.
Legal basis: Art. 6(1)(b) GDPR – part of the subscribed service.
4. Cookies and Sessions
We use the following cookies:
- rconductor_session – Session cookie for authentication (httpOnly, secure). Expires after 24 hours.
- rconductor_affiliate – Affiliate tracking (httpOnly, secure). Expires after 30 days.
- rconductor_deal_dismissed – Remembers deal modal dismissal (httpOnly, secure). Expires after 7 days.
We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
5. Data Storage and Security
Your data is stored on servers within the European Union. We implement the following security measures:
- Encryption in transit (TLS 1.3 via Cloudflare)
- RCON credentials encrypted at rest (AES-256-GCM)
- Session data stored in Redis with automatic expiry
- Database access restricted to internal network only
- Regular security updates and monitoring
6. Third-Party Services
| Service | Purpose | Data Transferred |
|---|---|---|
| Discord | Authentication & Bot Integration | User ID, guilds, roles |
| Stripe | Payment Processing | Email, payment method |
| Cloudflare | CDN & DDoS Protection | IP address (anonymized) |
| Hetzner | Server Hosting (EU) | All service data |
Discord, Inc., Stripe, Inc. and Cloudflare, Inc. are based in the United States. Transfers to the US are safeguarded by the EU-US Data Privacy Framework (DPF) adequacy decision of 10 July 2023 and, where applicable, by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Hetzner Online GmbH processes all data exclusively within the EU.
7. Data Retention
- Session data: 24 hours (Redis, automatic expiry).
- Account data: retained for the duration of the subscription, automatically deleted 30 days after cancellation.
- RCON credentials: encrypted at rest, automatically deleted 30 days after subscription ends.
- Audit logs: retained for 90 days, then automatically purged.
- Usage logs (detailed): retained for 90 days, then automatically purged.
- Rate limit logs: retained for 30 days.
- RCON job results: retained for 48 hours.
- Analytics data: aggregated player count statistics (no personal data) are retained indefinitely to provide long-term server insights.
- Invoices: retained for at least 8 years (legal requirement under German tax law, § 147 AO).
- Verified user status: retained for the duration of community membership plus 1 year.
- Affiliate partner data (name, e-mail address of the affiliate partner): retained for the duration of the affiliate partnership and for 3 years thereafter for accounting and legal purposes (§ 195 BGB). Upon termination of the partnership, identifying data is anonymised; only aggregated revenue figures required for tax purposes are retained.
7a. Affiliate Programme
If you access RCONductor via an affiliate referral link, the referral code is stored in a cookie on your device (rconductor_affiliate, expires after 30 days). This cookie is set only after your explicit consent (TTDSG § 25). The cookie contains solely the referral code and is not used for any other tracking purpose. The legal basis for processing is Art. 6 (1) (b) GDPR (contract performance) for the purpose of correctly attributing discount codes and affiliate commissions.
Affiliate partners' contact data (name and e-mail address) is processed on the basis of Art. 6 (1) (b) GDPR for the execution of the affiliate contract.
8. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing (Art. 21 GDPR)
- Withdraw consent at any time without affecting the lawfulness of processing carried out prior to the withdrawal (Art. 7(3) GDPR). This applies in particular to cookie consent granted under TTDSG § 25.
To exercise these rights, contact us at kontakt@gonzi.tech.
9. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. The responsible authority is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1
65189 Wiesbaden
https://datenschutz.hessen.de
10. Links to External Websites
Our website may contain links to external websites. We have no control over the content and privacy practices of those sites. This privacy policy applies only to RCONductor services and pages operated by us.
11. Changes of Business Ownership
If our business (or parts of it) is sold, merged, or otherwise transferred, personal data may be transferred to the legal successor where this is necessary for contract continuation and lawful business operations. In such cases, we will ensure that your rights remain protected under applicable data protection law.
12. Children
Our service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware of such data, we will delete it without undue delay.
13. Changes to This Policy
We may update this privacy policy from time to time. The current version is always available at /datenschutz.