DonutBite logoDonutBite
Sign in

Privacy Policy

Last updated: May 13, 2026

This policy explains what personal data DonutBite ("we") collects, why, how we protect it, and what rights you have. We comply with the EU GDPR and the California CCPA.

1. Data we collect

  • Discord identity: id, username, avatar, email (if you grant it) — via OAuth.
  • Order data: Discord username, Minecraft username, items purchased, totals, payment provider.
  • Payment data: handled by Stripe / CoinGate. We do not store card or wallet details.
  • Technical: hashed IP (for fraud prevention), user-agent, timestamps.
  • Analytics (consent-gated):page path visited (query strings stripped), country code derived from edge headers (2-letter ISO code only), coarse browser family (e.g. "Chrome"), device type (desktop / mobile / tablet), and a daily-rotating pseudonymous visitor hash. The hash is derived from a one-way HMAC of a random device identifier (ds_visitor_id_v1, stored in your browser's localStorage after consent) salted with the current UTC date — it resets every midnight so cross-day linkage is impossible. The device identifier and your IP address are never stored. Analytics only run if you click "Accept all" in the cookie banner.

2. Why we collect it (legal bases)

  • To provide the Service and deliver your order — performance of contract.
  • To prevent fraud and abuse — legitimate interest.
  • To comply with tax and accounting law — legal obligation.
  • Optional analytics — your consent (you can withdraw by choosing "Necessary only" in the cookie banner at any time).

3. Sharing

We share order data with our automated delivery system (operated by us) and with the payment processor you choose. We do not sell personal data.

4. Retention

Order records are retained for 6 years for tax compliance. Discord identity is retained while your account is active and removed within 30 days of deletion request.

5. International transfers

Data may be processed in the EU, UK, and US. We rely on Standard Contractual Clauses where required.

6. Your rights

  • Access, correction, deletion, portability.
  • Restriction or objection to processing.
  • Withdraw consent at any time (does not affect prior processing).
  • Lodge a complaint with your supervisory authority.

California residents have the right to know, delete, correct, and opt out of sale or sharing of personal information. We do not sell or share for cross-context behavioural advertising.

Submit requests via our Discord support channel; we respond within 30 days.

7. Security

Data is transmitted over TLS, stored in encrypted Postgres (Supabase), and access is restricted by row-level security and the principle of least privilege. Sensitive tokens are encrypted at rest with AES-GCM.

8. Children

The Service is not directed to children under 13. We do not knowingly collect data from children under 13 (or 16 in the EU).

9. Changes

We will notify you of material changes by updating this page and, where appropriate, by Discord notice.

10. Contact

Open a support ticket in our Discord server.