Privacy Policy

Last updated: February 2026  ·  Questions? Contact us on Discord

Contents

  1. Overview
  2. Data We Collect
  3. How We Use Your Data
  4. Storage & Security
  5. Third-Party Services
  6. Data Retention
  7. Your Rights
  8. Cookies
  9. Game policy
  10. Changes to This Policy
  11. Contact

1. Overview

Toba Client ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect when you use our website and mod client, how we use it, and how we keep it safe.

By creating an account or using the service you agree to the collection and use of information described in this policy.


2. Data We Collect

The following table summarises the personal data we collect and why.

| Data | Why we collect it | How it's stored |
|------|-------------------|-----------------|
| Email address | Account creation, email verification, password resets | Plain text (required for sending emails) |
| Username | Account identification, dashboard display | Plain text |
| Password | Account authentication | bcrypt hash — never stored in plain text |
| Hardware ID (HWID) | Device binding to prevent license sharing | AES-256-GCM encrypted |
| MAC address | Pair with Hardware ID to reinforce security and prevent piracy | AES-256-GCM encrypted |
| IP address | Security, fraud prevention, rate limiting | AES-256-GCM encrypted |
| Minecraft username | Alt-slot management, session tracking | Plain text |
| Discord ID | Optional — only if you sign in via Discord OAuth | Plain text |
| Payment information | Purchase processing | Not stored by us — handled entirely by Stripe |
| Session tokens | Keeping you logged in | SHA-256 hash only — the raw token is never stored |

We do not collect any data beyond what is listed above. We do not sell or rent your personal data to any third party.


3. How We Use Your Data

We use the data we collect solely to:

  • Create and manage your account
  • Verify your email address and authenticate you on the website and mod client
  • Bind your license to a specific device and enforce our anti-sharing policy
  • Process purchases and manage license tiers
  • Detect and prevent fraud, abuse, and unauthorised access
  • Send transactional emails (verification codes, welcome messages, password resets)
  • Respond to support requests

We do not use your data for advertising, analytics sold to third parties, or any purpose not listed above.


4. Storage & Security

Your data is stored in a PostgreSQL database hosted on Render (render.com). All sensitive fields (HWID, IP address) are encrypted at rest using AES-256-GCM authenticated encryption before being written to the database.

All communication between your browser or mod client and our servers is encrypted with TLS (HTTPS).

Passwords are hashed with bcrypt (12 rounds) and session tokens are stored only as SHA-256 hashes, meaning even if our database were compromised, these values could not be used to access your account.

While we take reasonable steps to protect your data, no system is completely secure. We cannot guarantee the absolute security of your information.


5. Third-Party Services

We use the following third-party services that may process your data:

  • Stripe — payment processing. Stripe handles all payment card data. We never see or store your card details. See Stripe's Privacy Policy.
  • Discord — optional OAuth login. If you choose "Continue with Discord", Discord shares your Discord ID, username, and verified email with us. See Discord's Privacy Policy.
  • Cloudflare — DDoS protection, Turnstile bot detection, and Pages hosting. Cloudflare may process request metadata (IP address, user agent) as part of its service. See Cloudflare's Privacy Policy.
  • Render — backend and database hosting. Your data resides on Render's infrastructure. See Render's Privacy Policy.
  • GitHub — mod release delivery. Release asset downloads are proxied through our server using a private GitHub repository. GitHub may log metadata related to API requests.

6. Data Retention

We retain your account data for as long as your account is active or as needed to provide the service.

If you delete your account, we perform a soft deletion (marking the account inactive) and will permanently delete personal data within 30 days, except where we are required to retain it for legal or fraud-prevention purposes.

Payment records (Stripe session IDs and amounts) are retained for 7 years to comply with financial record-keeping requirements.


7. Your Rights

Depending on where you live, you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you
  • Correction — ask us to correct inaccurate data
  • Deletion — ask us to delete your personal data ("right to be forgotten")
  • Portability — receive your data in a machine-readable format
  • Objection — object to specific uses of your data

To exercise any of these rights, contact us via Discord. We will respond within 30 days.


8. Cookies

Our website does not use tracking or advertising cookies. We use only functional cookies and browser storage (localStorage / sessionStorage) to maintain your login session across page loads.

Cloudflare's Turnstile bot-detection widget may set its own cookies. These are strictly necessary for security and cannot be opted out of.


9. Game policy

We use your gameplay data only for telemetry and usage statistics, and for nothing else.


10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and announce the change in our Discord server.

Your continued use of the service after changes are posted constitutes your acceptance of the updated policy.


11. Contact

If you have any questions or concerns about this Privacy Policy or how we handle your data, please contact us via our Discord server.

Hypixel is a trademark of Hypixel Inc. Minecraft is a trademark of Mojang Studios. Toba is not affiliated with, endorsed by, or associated with Hypixel Inc., Mojang Studios, or Microsoft Corporation.