Legal
Privacy Policy
What we collect, why we collect it, where it lives, how long we keep it, and the rights you and your players have.
Last updated · May 14, 2026
FiveDesk (“we”, “us”) operates the admin panel and related resource described in our Terms of Service. This Privacy Policy explains what personal data we process, on what basis, and how we protect it. It applies to the web panel at fivedesk.site, the public APIs, the WebSocket relay, and the fivedesk-api resource installed inside a customer's FiveM server.
Controller vs. processor
For data about server owners (your account, billing, support history), FiveDesk is the controller under LGPD and GDPR.
For data about players that flows through the Service while you use it (their in-game position, inventory, chat, tickets, screenshots, etc.), the server owner is the controller and FiveDesk is the processor acting on the owner's instructions. If you are a player and have a request about your data, please contact the server you play on first; we can only act on instructions from the owner.
Data we collect
(a) Owner account data — email address, display name, optional profile picture, authentication provider identifier (when signing in with Discord or similar), and password hash (if using email sign-in). We never see your plaintext password.
(b) Billing data — handled by Tebex. We store a Tebex transaction identifier, invoice history, and the plan you are on. Card numbers and other payment details are held by Tebex (and their underlying payment gateways), not by us.
(c) Server configuration — the server ID, a hashed API key for authenticating the resource, webhook URLs you configure, feature toggles, allowed RCON commands, and team invitations.
(d) Player data processed on the owner's behalf — depending on which features the owner enables: citizen ID, player name, position on the map, vehicle, health/armor, job/gang, cash/bank balances, metadata (hunger, thirst, stress), inventory contents, chat and ticket conversations, screenshots, video clips, punishment history, and admin action logs.
(e) Database backups — if the owner enables encrypted backups, the backup payload is encrypted in the browser with a passphrase before upload. We store only the ciphertext; the passphrase never reaches us and we cannot read the contents.
(f) Technical data — IP addresses, user-agent strings, timestamps, and request paths, used for security, abuse detection, and debugging.
How we use this data
- To operate and improve the Service — render dashboards, stream live updates, deliver webhook notifications, maintain uptime.
- To process billing, renewals, and refunds via Tebex.
- To authenticate and authorise team members per their role.
- To detect and prevent abuse (rate limiting, suspicious patterns, brute-force attempts).
- To send transactional emails (account verification, billing, critical announcements). Marketing emails are opt-in.
- To comply with legal obligations and respond to lawful requests.
Legal basis (LGPD / GDPR)
We process each category of personal data under one or more of the lawful bases listed in LGPD art. 7 and GDPR art. 6. The mapping is:
- Owner account data (email, password hash, name, OAuth identifier) — execution of contract (LGPD art. 7, V / GDPR art. 6(1)(b)). We cannot deliver the panel without it.
- Billing records (Tebex transaction IDs, plan tier, invoice history) — execution of contract and legal obligation (LGPD art. 7, II / GDPR art. 6(1)(c)) for tax retention.
- Technical logs and IP addresses — legitimate interest (LGPD art. 7, IX / GDPR art. 6(1)(f)) in service security, abuse detection, and debugging.
- Transactional email (password reset, account verification, billing notifications) — execution of contract.
- Marketing and product updates (if and when offered) — consent (LGPD art. 7, I / GDPR art. 6(1)(a)), revocable at any time.
- Cookies — strictly necessary (session, CSRF, captcha) — legitimate interest in operating the Service; no consent banner required under ePrivacy.
- Player data processed on the owner's behalf — controller's documented instructions. The owner is the controller and must have their own lawful basis (typically legitimate interest in moderation and security, or consent obtained from the player at server join).
- Audit logs of admin actions — legitimate interest in accountability, plus legal obligation where applicable (e.g. cooperation with authorities).
Sub-processors
We rely on a small number of third parties to run the Service. A complete, up-to-date list (including purpose, data categories, and jurisdiction for each) is maintained at /legal/sub-processors. Notable processors today:
- Hetzner Online GmbH (Germany) — application hosting, database, Redis.
- Cloudflare, Inc. (United States / global anycast) — DNS, DDoS protection, TURN relay for live view streams.
- Tebex Ltd. (United Kingdom) — payment processing and subscription billing.
- Discord, Inc. (United States) — optional OAuth sign-in. Used only when the owner chooses Discord at sign-in.
- Functional Software, Inc. (Sentry) (United States) — error tracking with personally-identifying information disabled.
- Hostinger International Ltd. (Lithuania, EU) — transactional email delivery via SMTP.
- Anthropic, PBC (United States) — planned; AI-assisted features.
- OpenAI, LLC (United States) — planned; AI-assisted features.
We notify owners before adding a new sub-processor that receives player data, with at least 14 days' notice via email and the panel.
International transfers
Primary application data is stored on servers located in the European Union (Hetzner, Germany). Some processors — notably Cloudflare (global anycast) and Tebex (United Kingdom) — operate outside the EU; data may transit or be stored outside the EU / Brazil. Where applicable we rely on Standard Contractual Clauses and equivalent safeguards recognised under LGPD and GDPR.
Retention
Retention varies by data category and plan tier. In general:
- Owner account data — kept while the account exists, and up to 90 days after deletion for legal / anti-fraud purposes.
- Billing records — kept as long as required by applicable tax and accounting law (typically 5 years).
- Live player data — positional telemetry is kept only as long as the player is connected, plus short windows for recent-activity views.
- Analytics snapshots — 24 hours (Free) to 90 days (Business).
- Tickets, chat, screenshots, clips, audit logs — retained per your plan, then automatically rotated out.
- Backups (encrypted) — retained per your plan. We do not hold the decryption key.
Security
We apply technical and organisational measures appropriate to the sensitivity of the data: TLS in transit, encryption at rest on managed databases, hashed passwords and API keys, role-based access control, rate limiting, and regular dependency updates. Zero-knowledge encryption is used for database backups.
No system is perfectly secure. If we become aware of a breach that affects your personal data, we will notify affected owners without undue delay, in accordance with LGPD art. 48 and GDPR art. 33.
Your rights
Under LGPD (art. 18) and GDPR you have the right to:
- Confirm that we process your data and obtain a copy;
- Correct inaccurate or outdated data;
- Request anonymisation, blocking or deletion of unnecessary or excessive data;
- Obtain portability of your data in a structured, machine-readable format;
- Withdraw consent where processing was based on consent;
- Object to processing based on legitimate interest;
- Lodge a complaint with the Brazilian authority (ANPD) or the relevant EU supervisory authority.
To exercise any of these rights against FiveDesk as controller (i.e., for your owner account), email [email protected]. For player data where FiveDesk is a processor, please contact the server owner; we will support the owner in responding.
Children
The Service is not directed to children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has created an account, email [email protected] and we will delete it.
Changes to this Policy
We may update this Policy. Material changes will be announced by email to the account address and/or within the panel at least 14 days before they take effect, unless the law requires a shorter period.
Data Protection Officer (DPO / Encarregado)
Under LGPD art. 41, FiveDesk has designated a Data Protection Officer (in Portuguese, Encarregado pelo Tratamento de Dados Pessoais) to serve as the contact point for data subject requests and communications with the Brazilian data protection authority (ANPD).
DPO: Erick Duarte · [email protected]
Use this address for any of the rights enumerated in section 09 (access, correction, deletion, portability, withdrawal of consent, or complaints). We respond to verified requests within 15 business days, or sooner where the law requires.
General contact
For non-privacy questions (support, billing, partnerships): [email protected].